Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-23 Thread Alvaro Gomes Sobral Barcellos


Exibar wrote:

sheesh,

Linux in the wild viruses that come to mind:  Scalper, Ramen, Lion,
Simile.  I'm sure there are lots more as well.
 Linux is NOT immune to viruses or worms, plain and simple.

but just because no sane person uses root's account for trivial tasks, the
core/live system is immune.

and for the others who do it, linux is like windows.

[]s agsb

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day,help the cause

2004-01-20 Thread Ron DuFresne


Brenda,

Here's a strong clue;

If you do not allow other users on the system, do have services open for
public consumption, keep patched and block the nasties, your risk has been
trivialised. Perhaps as much as 75% of the risk on a linux or unix
system comes from insiders, users taking advantage of weaknesses in apps
and packages under the hood. If you have a httpd running and open to
public consumption, or an ftpd or another public service then your risk
goes up again dramatically.

On Fri, 16 Jan 2004, brenda wrote:

> question on this?
> maybe i am more disillusioned than i thought but if i patch and update how can
> i be as vulnerable as on windows?
> i run a program called killerwall as my firewall
> it is a script that uses ipchains or iptables. i chose iptables because of my
> reading and thinking this was safer.
> i dont understand how rootkits work tho and my reading has not helped my
> understanding of this very much.
> i dont do downloads except with acceptable ftp sites. no music/movies stuff. in
> fact my only downloads have been with urpmi?
> can rootkits be used this way?
> apologizing for my ignorance ahead of time but i am hoping to learn
> br3n
>
> > That's true. I just want to remember about the guy with the rootkit
> > which I asked about. Running SuSE Linux, patching regularly and thought
> > he was safe while running an unpatched PHPNuke installation. Ouch. :-)
>
>

This fellow's problem was enabling php, and having a lack
of understanding of what php is and can do.  Dynamic content is not
something joe everyday user should be engaging in except on a throw-away
system, even with iptables enabled.  And phpnuke has perhaps the worst
record of all the php modules that folks are playing with, like those in
the past played with Matt's old cgi's.



Thanks,

Ron DuFresne
~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-20 Thread Ron DuFresne
On Sat, 17 Jan 2004, William Warren wrote:

>
>
> [EMAIL PROTECTED] wrote:
>
> 
>
> >Yeah, I agree, but that was also a pretty steep learning curve and a lesson
> >that e.g. Redhat had to learn the hard way. I believe in 2001 Redhat 6.2 had
> >more severe security alerts than w2k.
> >
> What many tend to forget because MS and others have blinded them to the
> fact is that RH may have had more security alerts but outside of the
> kernel RH is not linux..the linux operating system is the
> kernel..everything else is third party...MS by their own admission has
> windows tied into everything in the installation (IE, WMP..etc etc) and a
> flaw in one of these programs is a flaw in the entire system.  BIG
> difference in architecture big difference in overall security...you
> cannot compare windows to a linux distro because the distro itself IS
> not linux..:)
>
> 


And yet, there's not much one can do with a kernel alone.  Of course redhat
tends to be one of the "kitchen sink" distros of linux.  And if you are in
for a test of your skills, try replacing say apache with your own build on
a redhat system, and learn the issues of dependency hell that is the
redhat RPM structure.

Thanks,

Ron DuFresne



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-19 Thread Valdis . Kletnieks
On Mon, 19 Jan 2004 20:02:19 +0100, Michal Zalewski said:

> How is it an issue? I think it is a feature - it is noexec that is pretty
> badly broken by design, and nearly impossible to render secure... and what
> does Linux kernel have to do with addressing it?

Well, if you consider noexec to be a feature, the /lib/ld-linux trick was a bug in it.

In what way is it "badly broken"?

> Disclaimer: I don't have 2.6 sources at hand, maybe this is the case
> (although I somehow doubt there is a reasonable way to fix it in the kernel -
> how, by refusing PROT_EXEC mappings from files on noexec partitions? hope
> not).

Here's Ulrich Drepper's patch, as Linus took it:

struct rb_node ** rb_link, * rb_parent;
unsigned long charged = 0;
 
-   if (file && (!file->f_op || !file->f_op->mmap))
-   return -ENODEV;
+   if (file) { 
+   if (!file->f_op || !file->f_op->mmap)
+   return -ENODEV;
+   
+   if ((prot & PROT_EXEC) && (file->f_vfsmnt->mnt_flags & MNT_NOEXEC))
+   return -EPERM;
+   }
 
if (!len)
return addr;
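Review bot: the new -EPERM check sits inside `if (file) {` and only looks at the PROT_EXEC bit requested at mmap() time, so a loader that reads the file into an anonymous mapping instead of mapping it (the alternative raised in footnote [1] further down this thread) is not affected; the hunk deserves a comment stating that it closes the direct `/lib/ld-linux.so.2 /tmp/code` file-mapping case on MNT_NOEXEC mounts rather than noexec in general, and that programs which request PROT_EXEC on data files from noexec mounts without needing it will now fail with EPERM.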

So yes, they're stomping on PROT_EXEC.  The same code is also in 2.4.25-pre6.


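An added example, not code from the thread or from the kernel patch above: a small defender-side probe for the behaviour the hunk introduces. collect_noexec_mounts() lists the mount points whose options carry noexec (fed here with a constructed /proc/mounts sample), and probe_exec_mapping() asks the kernel for a PROT_EXEC file mapping of a path and reports whether it came back EPERM, which is what the quoted do_mmap() check returns for files on MNT_NOEXEC mounts. Function and enum names are my own.

```c
/* Added example (not from the thread): probe whether a kernel refuses
 * PROT_EXEC file mappings from noexec mounts, as the quoted do_mmap() hunk
 * does, and inventory noexec mounts from /proc/mounts-format text. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define MNT_LEN 256

enum exec_probe {
    PROBE_ERROR = -1,        /* open/stat/mmap failed for an unrelated reason */
    PROBE_EXEC_ALLOWED = 0,  /* PROT_EXEC mapping succeeded */
    PROBE_EXEC_DENIED = 1    /* mmap() returned EPERM: MNT_NOEXEC enforced */
};

/* Return 1 if the comma-separated option string contains exactly `name`
 * as a whole token (so "noexecfoo" does not match "noexec"). */
static int has_mount_option(const char *opts, const char *name)
{
    size_t nlen = strlen(name);
    for (const char *p = opts; ; ) {
        const char *comma = strchr(p, ',');
        size_t tlen = comma ? (size_t)(comma - p) : strlen(p);
        if (tlen == nlen && strncmp(p, name, nlen) == 0)
            return 1;
        if (!comma)
            return 0;
        p = comma + 1;
    }
}

/* Parse "dev mountpoint fstype options dump pass" lines and copy every mount
 * point carrying noexec into out[]. Returns the number of entries stored. */
int collect_noexec_mounts(const char *text, char out[][MNT_LEN], int max_out)
{
    int n = 0;
    for (const char *line = text; *line && n < max_out; ) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[1024], dev[MNT_LEN], mnt[MNT_LEN], fstype[64], opts[512];
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (sscanf(buf, "%255s %255s %63s %511s", dev, mnt, fstype, opts) == 4 &&
            has_mount_option(opts, "noexec"))
            snprintf(out[n++], MNT_LEN, "%s", mnt);
        if (!eol)
            break;
        line = eol + 1;
    }
    return n;
}

/* Request a PROT_READ|PROT_EXEC private mapping of `path`. With the 2.6.0 /
 * 2.4.25-pre6 check quoted above, a file on a noexec mount yields EPERM;
 * an exec-capable mount (or an older kernel) hands back a mapping. */
int probe_exec_mapping(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return PROBE_ERROR;
    struct stat st;
    if (fstat(fd, &st) < 0 || st.st_size <= 0) {
        close(fd);
        return PROBE_ERROR;  /* an empty or unstat-able file cannot be mapped */
    }
    void *p = mmap(NULL, (size_t)st.st_size, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    int saved = errno;       /* keep mmap()'s errno; close() may clobber it */
    close(fd);
    if (p == MAP_FAILED)
        return saved == EPERM ? PROBE_EXEC_DENIED : PROBE_ERROR;
    munmap(p, (size_t)st.st_size);
    return PROBE_EXEC_ALLOWED;
}

/* Constructed /proc/mounts sample for the stand-alone run. */
static const char SAMPLE_MOUNTS[] =
    "/dev/sda1 / ext4 rw,relatime 0 0\n"
    "tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0\n"
    "/dev/sda2 /home ext4 rw,nodev,noexec,relatime 0 0\n"
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n";

int main(int argc, char **argv)
{
    char mounts[64][MNT_LEN];
    int n = collect_noexec_mounts(SAMPLE_MOUNTS, mounts, 64);
    for (int i = 0; i < n; i++)
        printf("noexec mount: %s\n", mounts[i]);
    for (int i = 1; i < argc; i++) {   /* probe any paths given on the command line */
        int r = probe_exec_mapping(argv[i]);
        printf("%s: %s\n", argv[i], r == PROBE_EXEC_DENIED ? "PROT_EXEC refused (EPERM)"
               : r == PROBE_EXEC_ALLOWED ? "PROT_EXEC mapping allowed" : "probe error");
    }
    return 0;
}
```

Feeding the real contents of /proc/mounts to collect_noexec_mounts() and pointing probe_exec_mapping() at a copy of any binary placed under a listed mount tells you whether the running kernel applies the check.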


Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-19 Thread Michal Zalewski
On Mon, 19 Jan 2004 [EMAIL PROTECTED] wrote:

> Well, if you consider noexec to be a feature, the /lib/ld-linux trick
> was a bug in it.

No, ld-linux functionality is not a bug in noexec. It simply is a
userspace feature of the linker. The feature is deliberate and extremely
useful in a couple of legitimate tasks.

Noexec is also a feature, but one that, with the way unix is designed, is
generally quite easy to bypass, with interpreters and various loaders,
memory corruption bugs in unprivileged applications, etc. There is simply
no way to guarantee a piece of memory that is read from a source that is
ought to be non-executable will never be executed, and since the
environment is not monolithic and consists of thousands of programs
written using different styles and skillsets, it is very difficult to
control all attack vectors at once - that is, unless you spend a
considerable amount of time creating an environment that is a very limited
subset of standard components - but then, if you just want your users to
run lynx and pine, you should reconsider the need to give shell access
with arbitrary execve() capabilities in the first place.

I said that noexec is badly broken because, with the way it is most
commonly used, it does not make the task of executing an arbitrary program
any more difficult. Quite the opposite, it gives many sysadmins a false sense
of security, and makes them implement more relaxed user accounting
mechanisms.

Trying to render a noexec environment truly non-executable is just as
practical as spending your time to create an environment where the
attacker has no way to create an executable file to start with - you
either remove almost everything from the environment (see above: you might
be better off not providing a real shell at all), or must check so many
possibilities you are almost guaranteed to overlook something - and the
efforts to audit and analyze capabilities of unprivileged userspace
applications on Linux are still not even nearing the end.

> + if ((prot & PROT_EXEC) && (file->f_vfsmnt->mnt_flags & MNT_NOEXEC)) +
> return -EPERM; + }

I (personally, and quite subjectively) think it's a silly way to address
the issue. The glibc linker happens to be working this way at the moment
(mapping the input file with PROT_EXEC), but not all linkers can be reasonably
expected to do it the same way all the time [1]. On the other hand, if
some silly program passes PROT_EXEC to mmap on the input file, even though
it does not really need it, it will suddenly break on a noexec partition. I
recall seeing several (admittedly, less popular) apps doing this.

So, I would imagine a patch that is supposed to be a kludge to solve a
very specific case in a single piece of software ought to be put in this
software, not in kernel, and not when things may break - especially
since, should a minor change in glibc or some replacement set of
libraries alter the linking procedure, people would be exposed with no
warning. I am not saying it has to be done in libc, but if we decide to
tweak kernel, it might be more reasonable to find a better way.

On the other hand, I am just whining for no good reason - I do not think
this change is going to make my life any more difficult, nor do I have the
inclination to suggest a better solution, implement it and have it merged
with the sources, so take all this with a grain of salt ;-)

[1] One might map the file with PROT_READ to validate the executable, and
remap it with PROT_EXEC later on (sounds more secure, actually); or read
the file into an anonymous map instead, if some environment flag is set;
and so on. I would not be shocked if some linker decides to do it at some
point.

-- 
- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--- 2004-01-20 01:13 --

   http://lcamtuf.coredump.cx/photo/current/



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-19 Thread Michal Zalewski
On Mon, 19 Jan 2004 [EMAIL PROTECTED] wrote:

>> Easy one. Execute "/lib/ld-linux.so.2 /tmp/code".
> This long-standing issue is fixed in the Linux 2.6.0 kernel.

How is it an issue? I think it is a feature - it is noexec that is pretty
badly broken by design, and nearly impossible to render secure... and what
does Linux kernel have to do with addressing it?

Disclaimer: I don't have 2.6 sources at hand, maybe this is the case
(although I somehow doubt there is a reasonable way to fix it in the kernel -
how, by refusing PROT_EXEC mappings from files on noexec partitions? hope
not).

-- 
- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--- 2004-01-19 19:58 --

   http://lcamtuf.coredump.cx/photo/current/



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-19 Thread Valdis . Kletnieks
On Mon, 19 Jan 2004 00:41:36 +0100, Martin Mačok <[EMAIL PROTECTED]> said:

> Easy one. Execute "/lib/ld-linux.so.2 /tmp/code".

This long-standing issue is fixed in the Linux 2.6.0 kernel.




Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-19 Thread Martin Mačok
On Sun, Jan 18, 2004 at 10:14:48AM -0500, David F. Skoll wrote:

> Mounting /tmp noexec also protects against future threats, not just
> ones that happen to be in the AV database.
> 
> (I know that someone recently released code to do a "user-space"
> exec, so mounting /tmp noexec is not 100% foolproof, but it's pretty
> good protection.)

Easy one. Execute "/lib/ld-linux.so.2 /tmp/code".

-- 
 Martin Mačok http://underground.cz/
   [EMAIL PROTECTED]http://Xtrmntr.org/ORBman/



RE: Religion... was RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-18 Thread Mike Marshall
Can we please just stop OS-based arguments?  And can we agree that all OSs
earn their places, rightfully?  Windows has earned very few security points
to date (and maybe none), but we can move toward securing this OS despite
its programming shortcomings.  Windows, and thankfully, linux isn't going
away any time soon.  Linux installs mostly secure by default, windows
installs insecure by default, but that doesn't mean people can't harden
either OS and make it more secure.

Personally, I've run a large data center using both OSs (various versions)
securely for over 5 years.  I've developed and implemented windows and
linux hardening templates.  There are many ways to secure and harden both.
As many have pointed out, layers matter.

Mike

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David F. Skoll
Sent: Sunday, January 18, 2004 7:12 PM
To: Wes Noonan
Cc: [EMAIL PROTECTED]
Subject: RE: Religion... was RE: [Full-Disclosure] Re: January 15 is
Personal Firewall Day, help the cause

On Sun, 18 Jan 2004, Wes Noonan wrote:

> > On Sun, 18 Jan 2004, Wes Noonan wrote:
> > Why?  Name one virus for Linux that AV software would have protected 
> > against, that a noexec /tmp wouldn't have.

> Security isn't about protecting against old threats; it's about 
> protecting against new threats.

Exactly.  A/V software can only protect against *old* threats, because a
virus has to be in the signature database.  Mounting /tmp noexec can protect
against a wide class of threats (those threats that rely on writing a file
to the file system and then executing it.)

> If running virus protection has the potential to protect against new 
> threats,

But it doesn't.

> than it is worth running.

Therefore it isn't.

> If an IDS/IPS has the
> potential to protect against new threats, than it is worth running.

IDS itself cannot protect against anything; it can only detect unusual
activity.  (That doesn't make it worthless, of course.)  IPS systems may be
worthwhile depending on how many false-positives they issue.

> Security is about a total process, not a specific product or 
> application.

I agree.  But a particular product or application *can* lead to insecurity.

> > We're a 7-person shop with a budget of $0 for software.  I'd love to 
> > see a Microsoft shop with a similar software budget.

> I'd love you to show me a 700, 7000 or 7 person shop that can say
> that.

Wait a few years and get back to Roaring Penguin. :-)

Obviously, right now, I can't.  But there are plenty of large organizations
using free software; HP claims to have made $2.5 billion in Linux-related
sales.

It will happen.  The economics dictate it.  Companies that save money
because of lower licensing costs, lower license enforcement costs, and
(especially) lower costs to maintain secure networks, will succeed where
companies that have higher costs fail.

> You have to think about things like "what if David, who is the only 
> person who really knows our systems, leaves. Where does that leave us"?

That might have been true a couple of years ago, but there are plenty of
Linux experts now, as you noted.

> Microsoft is only un-securable for those who don't know how to secure 
> it

No.  The fundamental problem with Windows is the problem that led to the
creation of the anti-virus industry: Encoding of metadata in filenames.
The fact that ".exe" on Windows means the same thing as turning on the
execute bit in UNIX has cost the world economy billions.  And it's
impossible to change this without fundamentally changing Windows.  (Even
this flaw isn't a Microsoft innovation; it was first revealed in 1987 in the
infamous CHRISTMA EXEC worm at IBM on the VM/370 system.)

This flaw, the readiness of a Windows system to enable execute permission
depending on the filename, makes every single Windows box a ticking time
bomb.  Someone just has to be clever enough to deposit an .exe on a system
and trick someone into running it.

The social engineering required to do the same on Linux is an insurmountable
hurdle; not only do you have to deposit the file, but you have to convince
someone to turn on the execute bit, which no Linux mail clients currently
do, and which the average office worker is unlikely to even know how to do.
(That's why I have a warm feeling when our sales people use Linux; they
don't know enough to be dangerous. :-))

> You claim, repeatedly, that Linux is so much easier to secure. I 
> believe that this is directly related to your level of expertise on 
> Linux. Similarly you claim, repeatedly, that Microsoft is impossible 
> to secure. I believe, similarly, that this claim is directly related 
> to your level of expertise on Microsoft.

No; it is related to the fundamental design flaw I mentioned abov

RE: Religion... was RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-18 Thread Wes Noonan
> Uh, no.  Where do you get that from?

From a good chunk of the Linux admins I know.
 
> If you think editing configuration files and changing settings is
> "modifying
> Linux", then I can equally claim you have to "modify Windows" to harden
> it.

Sure. I've never said or implied otherwise. 
 
> Recompiling is not modifying.

What is it then? If I need to recompile the kernel to support something new,
let's say a new version of ipTables, am I not modifying things?
 
> So you're proving my point. ;-)  What possible incentive could Microsoft
> have to improve its security, if you (and others) answer my question
> the way you do?  (I'd actually appreciate a "Yes" or "No" answer rather
> than a paragraph.)

Because unlike you seem to portray it, there isn't some mutual exclusion.
One doesn't need to ignore security to choose other things. Likewise one
doesn't need to ignore other things when choosing security.

As for the incentive though, customer satisfaction is certainly a healthy
one. Do you not do things because it satisfies your customers?

As for a yes or a no, it unfortunately isn't that simple a question or
response. The best I can offer is a firm "it depends".
 
> Except we give out source code and permission to modify it and have it
> audited for security (even for our commercial software.)

Sure, but this is just another "commercial software bad, open source good"
point. As previously mentioned, I don't want to waste time arguing those.
It's pointless IMO for reasons I previously cited.

Also, I don't want to argue *your* product. I merely used it as an example.
  
> Of course I think you're wrong.  They essentially dumped IE on the market
> in order to kill Netscape.
> 
> But that's OK.  Linux is doing to MS what MS did to Netscape, except
> through
> ethical means rather than dumping.

Bah. There is little to no difference. The claims of "ethical" go back to
another religious war. As others have requested, and as I have mentioned,
I'm not going to continue with a religious debate over operating systems. My
point, as Mike Marshall also mentioned, has been made.
 
> I'll rephrase it:  Today, insecurity is one of the most important threats
> to a business's profit.

Sure, which is why Microsoft and pretty much everyone else is working on
insecurity issues.

Thanks for the lively discussion. I'm going to end it from my end at least
though. Take it easy.

Wes Noonan
[EMAIL PROTECTED]
http://www.wjnconsulting.com 




RE: Religion... was RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-18 Thread David F. Skoll
On Sun, 18 Jan 2004, Wes Noonan wrote:

> > rp-pppoe is an old, stable product that hasn't changed in 2+ years and
> > is shipped by all major Linux distributions.  People wanting support can
> > obtain it from their Linux distro vendor.  (Unlike Microsoft:  When
> > Microsoft end-of-lifes a product, you're out of luck.)

> I always get a kick out of this. MS (and everyone else) EOL's stuff because
> better and in many cases more secure solutions are out there. Rather than
> moving to them though, people complain first about how wrong it is to expect
> them to move then second about how insecure the product is (though the order
> sometimes changes).

rp-pppoe is EOL'd as far as support from me goes.  It's not EOL'd
for people to use.  It implements a dead-simple protocol using dead-simple
code; there's not really anything more that can (or should) be done with it.

> > Yeah, I know.  Funny who the sponsor of those studies is, really...

> Sure, no real difference from the ones pushing Linux as lower cost though
> now, is it?

I suppose.

> > I can assure you that "Joe the admin" won't hack the Linux kernel. :-)
> > I've
> > met lots of sysadmins, and they have enough to do without modifying Linux.

> And yet to effectively harden Linux in many cases that is exactly what Joe
> the admin has to do (modify Linux).

Uh, no.  Where do you get that from?

If you think editing configuration files and changing settings is "modifying
Linux", then I can equally claim you have to "modify Windows" to harden
it.

> > The point is badly-taken, because administrators don't modify the
> > source to production systems (any more than a Windows admin would
> > patch the Windows kernel with binary patches of his own.)

> Really? I know plenty of Linux admins that do that (recompile) to customize
> the product. In fact, many of them point to this as a reason for choosing
> Linux over Windows.

Recompiling is not modifying.

> > Let's suppose that Microsoft didn't make Windows any more secure.
> > Would you recommend to your clients to look at alternative
> > systems?  Would you think seriously about switching yourself?  If
> > yes: Congratulations!  If no: you're like most of the other
> > respondents on this list, and (sadly) like most people I
> > encounter.

> Once again, you are looking at it solely from the security perspective.
> While that is fine and dandy, there are other perspectives that factor into
> the decision. That is probably why most of the other respondents on this
> list and most people you encounter think that way. That is why everyone I
> have run across does.

So you're proving my point. ;-)  What possible incentive could Microsoft
have to improve its security, if you (and others) answer my question
the way you do?  (I'd actually appreciate a "Yes" or "No" answer rather
than a paragraph.)

> > Furthermore, the free software we give away is a terrific marketing
> > tool for our commercial software.  Our software is installed on the
> > e-mail gateways of huge multinationals; there's no way we could have
> > penetrated those markets with traditional commercial software.
> > However, once our free software is in, people start taking our
> > commercial software (which is based on the free software) a lot more
> > seriously.

> Oddly, this sounds an awful lot like Microsoft's Internet Explorer policy
> and Office policy before that. Of course, that couldn't be because Microsoft
> is an evil monopoly ;-)

Except we give out source code and permission to modify it and have it
audited for security (even for our commercial software.)

We also don't have the means to bundle software on PC's to kickstart our
market share.  We can only do that through high quality software.

> > The methods they used to take it are what raise such passion and ire in
> > some quarters.  For example, do you think that Microsoft used legitimate
> > business tactics to take the browser market from Netscape?

> Yes, I happen to think they did. I'm sure at this point you will tell me how
> wrong I am though.

Of course I think you're wrong.  They essentially dumped IE on the market
in order to kill Netscape.

But that's OK.  Linux is doing to MS what MS did to Netscape, except through
ethical means rather than dumping.

> Really? I would wager that profit should be the first priority, but that's
> just me... and most of the business community. The goal isn't to be secure.
> The goal is to make money. Everything else is a secondary effect. Slowly,
> technology professionals are starting to learn that business acumen though.

I'll rephrase it:  Today, insecurity is one of the most important threats
to a business's profit.

Regards,

David.



RE: Religion... was RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-18 Thread Wes Noonan
I agree completely. I thought I had been abundantly clear that this was my
position in all of this.

I also think this thread has likely run its course short of new information.

Wes Noonan
[EMAIL PROTECTED]
http://www.wjnconsulting.com 

> -Original Message-
> From: Mike Marshall [mailto:[EMAIL PROTECTED]
> Sent: Sunday, January 18, 2004 21:38
> To: 'David F. Skoll'; 'Wes Noonan'
> Cc: [EMAIL PROTECTED]
> Subject: RE: Religion... was RE: [Full-Disclosure] Re: January 15 is
> Personal Firewall Day, help the cause
> 
> Can we please just stop OS-based arguments?  And can we agree that all OSs
> earn their places, rightfully?  Windows has earned very few security
> points
> to date (and maybe none), but we can move toward securing this OS despite
> its programming shortcomings.  Windows, and thankfully, linux isn't going
> away any time soon.  Linux installs mostly secure by default, windows
> installs insecure by default, but that doesn't mean people can't harden
> either OS and make it more secure.
> 
> Personally, I've run a large data center using both OSs (various versions)
> securely for over 5 years.  I've developed and implemented windows and
> linux hardening templates.  There are many ways to secure and harden both.
> As many have pointed out, layers matter.
> 
> Mike
> 



RE: Religion... was RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-18 Thread David F. Skoll
On Sun, 18 Jan 2004, Wes Noonan wrote:

[...]
> It seems that you have shifted focus to email filtering only. There's
> nothing wrong with this of course, but I think it shifts the discussion
> some.

That was my original topic.

[...]
> So is running any operating system. If you don't believe that, then you are
> believing in the myth that solely by running something other than Windows
> you are secure.

I never said that.  I said if you're running on Windows, you are insecure. :-)
If you are running something else, you may or may not be insecure.

[...]
> Sorry. I read "rp-pppoe is free software; it comes without warranty or
> support. We regret that we cannot offer e-mail or telephone support for
> rp-pppoe." and it seemed to me to illustrate my point quite well.

rp-pppoe is an old, stable product that hasn't changed in 2+ years and
is shipped by all major Linux distributions.  People wanting support can
obtain it from their Linux distro vendor.  (Unlike Microsoft:  When
Microsoft end-of-lifes a product, you're out of luck.)

> > Absolutely.  And those additional factors (better security, generally
> > better support, and no worries about BSA enforcement) only add to
> > Linux's cost advantage over Windows.

> Well, there are plenty of TCO studies that don't quite come to that some
> conclusion.

Yeah, I know.  Funny who the sponsor of those studies is, really...

> > I run bog-standard distros; I'm not a kernel hacker.  Just because I could
> > fool with the source code to Linux doesn't mean I want to.

> Sure, you don't. But that doesn't mean that Joe the admin didn't.

I can assure you that "Joe the admin" won't hack the Linux kernel. :-)  I've
met lots of sysadmins, and they have enough to do without modifying Linux.

> And now you have to figure it out. I'm not trying to just argue
> specific examples though. I'm trying to illustrate the point with
> the examples.

The point is badly-taken, because administrators don't modify the source
to production systems (any more than a Windows admin would patch the Windows
kernel with binary patches of his own.)

> And I would challenge you to prove that Microsoft has been complacent. Not
> that they have made mistakes, but that they have been and continue to be
> complacent. I'm not seeing that.

Microsoft is less complacent in about the last 6-9 months, because
they are finally seeing a threat to their monopoly.  When governments
can negotiate large discounts by threatening to use Linux, it means MS
sees it as a serious threat.  It could be that the governments were
bluffing (they probably were, in many cases), but MS evidently didn't
want to take the chance.

> > Assumption 4: If Microsoft does *not* make Windows more secure, it
> > will not lose revenue.  This assumption is based on personal
> > experience, recent court decisions stating that Microsoft has a
> > monopoly, plus postings on this list.

> This assumption can not be supported. Microsoft is making windows more
> secure. This is a fact, not an opinion.

Read the assumption again:  If Microsoft does *not* make Windows more secure,
would it lose market share?

Let's suppose that Microsoft didn't make Windows any more secure.  Would
you recommend to your clients to look at alternative systems?  Would you
think seriously about switching yourself?  If yes: Congratulations!  If
no: you're like most of the other respondents on this list, and (sadly) like
most people I encounter.

> Producers will always pass the cost of development to the end users, or in
> the case of open source will pass the cost of support or maintenance. Heck,
> look at your own software. You sell software to support not only that
> development, but the development of software that you give away. Must have
> one hell of a margin to be successful doing that. ;-)

Yes, indeed.  Our commercial software is based largely on open-source software
(though not GPL'd software.)  By leveraging that base, we can undercut
our competitors.

Furthermore, the free software we give away is a terrific marketing
tool for our commercial software.  Our software is installed on the
e-mail gateways of huge multinationals; there's no way we could have
penetrated those markets with traditional commercial software.
However, once our free software is in, people start taking our
commercial software (which is based on the free software) a lot more
seriously.

> Um, this already happens. There are and have always been alternatives to
> Microsoft. Microsoft wasn't born with 90+% market share, they took it.

The methods they used to take it are what raise such passion and ire in
some quarters.  For example, do you think that Microsoft used legitimate
business tactics to take the browser market from Netscape?

> Then I submit that you are looking at it entirely too cynical.

I'm very cynical, I admit.  But I believe history will show me to be
right.  There will absolutely be huge, costly Windows virus outbreaks
in 2004.  And 2005.  And 2006.  And 2007.  And 200

RE: Religion... was RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-18 Thread Wes Noonan
> I never said that.  I said if you're running on Windows, you are insecure.
> :-)
> If you are running something else, you may or may not be insecure.

This, while you are entitled to your opinion, has no basis in fact. You can
most certainly be secure running Windows. Security isn't a uniquely Linux
scenario.
 
> rp-pppoe is an old, stable product that hasn't changed in 2+ years and
> is shipped by all major Linux distributions.  People wanting support can
> obtain it from their Linux distro vendor.  (Unlike Microsoft:  When
> Microsoft end-of-lifes a product, you're out of luck.)

I always get a kick out of this. MS (and everyone else) EOL's stuff because
better and in many cases more secure solutions are out there. Rather than
moving to them though, people complain first about how wrong it is to expect
them to move then second about how insecure the product is (though the order
sometimes changes).
 
> Yeah, I know.  Funny who the sponsor of those studies is, really...

Sure, no real difference from the ones pushing Linux as lower cost though
now, is it?
 
> I can assure you that "Joe the admin" won't hack the Linux kernel. :-)
> I've
> met lots of sysadmins, and they have enough to do without modifying Linux.

And yet to effectively harden Linux in many cases that is exactly what Joe
the admin has to do (modify Linux). 
 
> The point is badly-taken, because administrators don't modify the source
> to production systems (any more than a Windows admin would patch the
> Windows
> kernel with binary patches of his own.)

Really? I know plenty of Linux admins that do that (recompile) to customize
the product. In fact, many of them point to this as a reason for choosing
Linux over Windows. 
 
> Microsoft is less complacent in about the last 6-9 months, because
> they are finally seeing a threat to their monopoly.  When governments
> can negotiate large discounts by threatening to use Linux, it means MS
> sees it as a serious threat.  It could be that the governments were
> bluffing (they probably were, in many cases), but MS evidently didn't
> want to take the chance.

Sorry, they have been less complacent about it for at least the past 4
years, not 6-9 months... unless of course you honestly believe that W2K3 was
developed in 6-9 months. This all started long before Linux was any kind of
real threat.
 
> > > Assumption 4: If Microsoft does *not* make Windows more secure, it
> > > will not lose revenue.  This assumption is based on personal
> > > experience, recent court decisions stating that Microsoft has a
> > > monopoly, plus postings on this list.
> 
> > This assumption can not be supported. Microsoft is making windows more
> > secure. This is a fact, not an opinion.
> 
> Read the assumption again:  If Microsoft does *not* make Windows more
> secure,
> would it lose market share?

That isn't the assumption. The assumption is " If Microsoft does *not* make
Windows more secure, it will not lose revenue". The answer is "yes, they
very well might".
 
> Let's suppose that Microsoft didn't make Windows any more secure.  Would
> you recommend to your clients to look at alternative systems?  Would you
> think seriously about switching yourself?  If yes: Congratulations!  If
> no: you're like most of the other respondents on this list, and (sadly)
> like
> most people I encounter.

Once again, you are looking at it solely from the security perspective.
While that is fine and dandy, there are other perspectives that factor into
the decision. That is probably why most of the other respondents on this
list and most people you encounter think that way. That is why everyone I
have run across does.
 
> Furthermore, the free software we give away is a terrific marketing
> tool for our commercial software.  Our software is installed on the
> e-mail gateways of huge multinationals; there's no way we could have
> penetrated those markets with traditional commercial software.
> However, once our free software is in, people start taking our
> commercial software (which is based on the free software) a lot more
> seriously.

Oddly, this sounds an awful lot like Microsoft's Internet Explorer policy
and Office policy before that. Of course, that couldn't be because Microsoft
is an evil monopoly ;-)

 
> > Um, this already happens. There are and have always been alternatives to
> > Microsoft. Microsoft wasn't born with 90+% market share, they took it.
> 
> The methods they used to take it are what raise such passion and ire in
> some quarters.  For example, do you think that Microsoft used legitimate
> business tactics to take the browser market from Netscape?

Yes, I happen to think they did. I'm sure at this point you will tell me how
wrong I am though.
 
> > Then I submit that you are looking at it entirely too cynical.
> 
> I'm very cynical, I admit.  But I believe history will show me to be
> right.  There will absolutely be huge, costly Windows virus outbreaks
> in 2004.  And 2005.  And 2006.  And 2007.  And 2008.

And li

RE: Religion... was RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-18 Thread Bill Royds
Actually the file type tag (.exe) has very little to do with whether a file
is executable or not. Executable files have a header that describes whether
it is executable or not. The first two characters of the file must be "MZ"
(the initials of an early MS developer).
That is one reason that it is a futile quest to only block attachments by
the .exe extension and many viruses use other extensions such as .scr .pif
.com ... 
  On Windows NT and later systems, there is metadata attached to each file
which includes whether it has execute permission or not.  If you run a
hardened windows NT, 2000 or XP system with  executables in a readonly
directory with execute set and all other directories blocking execute, you
have the same ability as on Unix to prevent executable file drop.
  The problem is that Windows NT+ sets the group everyone to have write and
execute access to all directories by default (to avoid support calls by
people not able to install those games). This is a configuration problem,
not an inherent problem.
  Windows' inherent problem is that its Access Control features are so
convoluted and flexible that it is hard for an administrator to know the
result of any changes so most use the most flexible (and insecure) default.
As well, the Windows file sharing paradigm (SMB/CIFS) is even more arcane
than NFS, if that is possible, and is not at all well documented with the
Samba group documenting it much better than Microsoft. SMB has no easy way
to restrict access by interface or by hardware/networking addresses but only
uses Windows users and groups so any enterprise that needs to share files
makes them reachable by any machine that can spoof the users with
permissions.

One can actually harden a Windows system fairly easily by running the Orange
book C2 security level tools that can be run on OS install. Of course this
blocks the machine from using a network and being much use. But it can be
done.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David F. Skoll
Sent: January 18, 2004 7:12 PM
To: Wes Noonan
Cc: [EMAIL PROTECTED]
Subject: RE: Religion... was RE: [Full-Disclosure] Re: January 15 is
Personal Firewall Day, help the cause


> Microsoft is only un-securable for those who don't know how to secure it

No.  The fundamental problem with Windows is the problem that led to
the creation of the anti-virus industry: Encoding of metadata in filenames.
The fact that ".exe" on Windows means the same thing as turning on the
execute bit in UNIX has cost the world economy billions.  And it's
impossible
to change this without fundamentally changing Windows.  (Even this flaw
isn't a Microsoft innovation; it was first revealed in 1987 in the infamous
CHRISTMA EXEC worm at IBM on the VM/370 system.)

This flaw, the readiness of a Windows system to enable execute permission
depending on the filename, makes every single Windows box a ticking
time bomb.  Someone just has to be clever enough to deposit an .exe on
a system and trick someone into running it.

The social engineering required to do the same on Linux is an insurmountable
hurdle; not only do you have to deposit the file, but you have to convince
someone to turn on the execute bit, which no Linux mail clients currently
do, and which the average office worker is unlikely to even know how
to do.  (That's why I have a warm feeling when our sales people use Linux;
they don't know enough to be dangerous. :-))

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: Religion... was RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-18 Thread David F. Skoll
On Sun, 18 Jan 2004, Jim Race wrote:

> David F. Skoll wrote:
> > I have a very powerful heuristic on my mail server:  I discard anything
> > with an .exe attachment.

> That ain't near enough.

I know, I know.  I was just making a point.  I nuke all the possible
"dangerous" extensions on the MS knowledge base.  (Not that any of them
pose a danger to me; as I wrote earlier, I just don't want to waste disk
space.)

--
David.



Re: Religion... was RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-18 Thread Jim Race
David F. Skoll wrote:

> I have a very powerful heuristic on my mail server:  I discard anything
> with an .exe attachment.

That ain't near enough. If you *really* want to get rid of Win32 stuff, try:

.386 .bat .bin .cmd .com .cpl
.exe .lnk .pif .scr .shb .vbs
and if you want to be even more aggressive, add:

.ade .adp .bas .chm .crt .dll .dot
.eml .hlp .hta .inf .ins .isp .js
.jse .mdb .mde .msc .msi .msp .mst
.ocx .pcd .pif .reg .sct .shs .shs
.url .vb .vbe .wsc .wsf .wsh
Of course, that will nuke a lot of stuff you don't want to lose, 
especially for someone interested in security.

But it is one hell of a housecleaner. :)

-jim
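Putting the two posts above together (Bill Royds' point that a file is an executable because of its "MZ" header, not its name, and Jim Race's extension lists), here is an added Python example of a gateway attachment check; it is not code from any poster or from MIMEDefang, and the message, attachment names and byte contents are constructed for the demonstration.

```python
"""Attachment check for a mail gateway: an extension blocklist (Jim Race's
lists from the thread) plus a content check for the DOS/PE "MZ" header,
so a renamed executable is still caught.  Added example, not code from
any poster or from MIMEDefang.  All sample data below is constructed."""
import email
import os
from email import policy
from email.message import EmailMessage

# Jim Race's basic list; duplicates in the posted lists collapse in a set.
BASIC_BLOCK = {".386", ".bat", ".bin", ".cmd", ".com", ".cpl",
               ".exe", ".lnk", ".pif", ".scr", ".shb", ".vbs"}
# His "more aggressive" additions on top of the basic list.
AGGRESSIVE_BLOCK = BASIC_BLOCK | {
    ".ade", ".adp", ".bas", ".chm", ".crt", ".dll", ".dot",
    ".eml", ".hlp", ".hta", ".inf", ".ins", ".isp", ".js",
    ".jse", ".mdb", ".mde", ".msc", ".msi", ".msp", ".mst",
    ".ocx", ".pcd", ".reg", ".sct", ".shs",
    ".url", ".vb", ".vbe", ".wsc", ".wsf", ".wsh"}


def has_mz_header(data: bytes) -> bool:
    """DOS and PE executables start with the two bytes 'MZ' (e_magic).
    This only checks the DOS stub magic, as the post describes; a full
    PE check would also follow e_lfanew to the 'PE\\0\\0' signature."""
    return data[:2] == b"MZ"


def classify_attachment(filename, data, blocklist=AGGRESSIVE_BLOCK):
    """Return (verdict, reason): 'drop' when the extension is on the
    blocklist OR the content carries an MZ header whatever the name says."""
    ext = os.path.splitext(filename or "")[1].lower()
    if ext in blocklist:
        return "drop", f"blocked extension {ext}"
    if has_mz_header(data):
        return "drop", f"MZ header despite extension {ext or '(none)'}"
    return "keep", "no executable indicators"


def scan_message(raw: bytes, blocklist=AGGRESSIVE_BLOCK):
    """Walk every leaf part of a raw RFC 822 message and classify each
    attachment; returns a list of (filename, verdict, reason) tuples."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name is None:
            continue  # body text, not an attachment
        payload = part.get_payload(decode=True) or b""
        verdict, reason = classify_attachment(name, payload, blocklist)
        results.append((name, verdict, reason))
    return results


def build_sample_message() -> bytes:
    """Constructed sample: four attachments, two carrying an MZ header."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "gateway@example.invalid"
    msg["Subject"] = "constructed test message"
    msg.set_content("See attached.")
    # 'MZ' plus padding stands in for a PE image; constructed bytes only.
    fake_pe = b"MZ" + b"\x00" * 62
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    # Same bytes renamed: the extension list alone would let this through.
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 16, maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    msg.add_attachment("plain text", filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, reason in scan_message(build_sample_message()):
        print(f"{name:12} {verdict:5} {reason}")
```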



RE: Religion... was RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-18 Thread Wes Noonan
> A/V software that does any less is simply dangerous.  There is no need for
> signatures or complex heuristics, when *any* executable arriving by e-mail
> should be treated as dynamite and disposed of safely.

It seems that you have shifted focus to email filtering only. There's
nothing wrong with this of course, but I think it shifts the discussion
some.
 
> As I've written before, there is no A/V software for Linux that protects
> against Linux viruses.  I know dozens, and know of hundreds, of people who
> run Linux, and I don't know a single one who runs such A/V software.
> Of course, many of them do run A/V software, but it's to protect Windows
> machines that are attached to the Linux ones.

Well, then it seems to me that the time is ripe for folks to start thinking
of ways to exploit all of these systems. Like most things, I suspect that it
is just a matter of time.
 
> Dropping anything that could possibly be an executable takes care of that
> on the Windows side (plus not running software susceptible to macro
> viruses,
> though those are all but extinct.)

Again, I think you have shifted to email only now, which changes the
discussion some. Sure, for email you can drop all .exes. There is more to
A/V than simply running on email servers though.

> I never said that.  What I mean is that running Windows is likely to lead
> to insecurity.  The A/V industry is simply a lucrative business built to
> wrap band-aids around Windows' deficiencies.

So is running any operating system. If you don't believe that, then you are
believing in the myth that solely by running something other than Windows
you are secure.
 
> That is untrue.  I offer fanatical support for my products; just check
> the MIMEDefang mailing list archives to see what people think of our level
> of support. (http://lists.roaringpenguin.com/pipermail/mimedefang/)
> 
> Not all of our products are free (I'm not a free software zealot), and we
> offer excellent commercial support for our commercial products.

Sorry. I read "rp-pppoe is free software; it comes without warranty or
support. We regret that we cannot offer e-mail or telephone support for
rp-pppoe." and it seemed to me to illustrate my point quite well.
 
> Absolutely.  And those additional factors (better security, generally
> better support, and no worries about BSA enforcement) only add to
> Linux's cost advantage over Windows.

Well, there are plenty of TCO studies that don't quite come to that same
conclusion.

> I run bog-standard distros; I'm not a kernel hacker.  Just because I could
> fool with the source code to Linux doesn't mean I want to.

Sure, you don't. But that doesn't mean that Joe the admin didn't. And now
you have to figure it out. I'm not trying to just argue specific examples
though. I'm trying to illustrate the point with the examples.
 
> No-one else wants to discuss it with me; they all seem to change the
> subject
> when I bring it up. :-)

There might be a reason for that ;-)

> Unfortunately, you may be right.  However, I think Linux developers are
> lucky
> in that the system hasn't become popular until recently, when the dangers
> of the Internet were readily apparent.  I'm optimistic, therefore, that
> they won't repeat the same mistakes of Microsoft (which to be charitable,
> was operating in a very different environment when it made its design
> decisions.)

Hopefully not. As I mentioned, this is the race that I personally see in the
market. Does Microsoft fix the security issues that plagued it faster than
Linux fixes the usability issues that plagued it? Both are making pretty
significant leaps in their respective situations. For example, it is my
understanding that XP SP2 is supposed to enable the built-in firewall by
default. Windows 2003 made great leaps towards securing the out of the box
installation (to the expense of usability IMO, but what the hell). On the
other side, Linux is infinitely more easy to install. It is also much easier
to install applications through the use of the various installer packages
that are being created.

> 
> That is a tautology that is unhelpful in deciding which OS to choose.

No, I disagree. It is fundamental in deciding which OS to choose. It means
you should consider whether you have the means to harden the OS as required
by your environment.

> In today's environment, software *must* be secure first, with usability
> added
> on top of a secure base.  Microsoft systems take the opposite approach,
> with dismal security consequences.

That is because Microsoft's systems originally weren't designed in today's
environment. The ones that have been however have slowly been making that
turn.

> Unfortunately for Microsoft, it's cheaper and easier to make secure
> software
> usable than insecure software secure.

That remains to be seen. So far the market doesn't seem to bear that one
out.

> Not at all.  It's a simple statement that monopolies can afford to be
> complacent, because they are monopolies.  The most 

RE: Religion... was RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-18 Thread David F. Skoll
On Sun, 18 Jan 2004, Wes Noonan wrote:

[...]

> Actually, A/V software protects against both. The most obvious example is
> heuristics.

I have a very powerful heuristic on my mail server:  I discard anything
with an .exe attachment.

A/V software that does any less is simply dangerous.  There is no need for
signatures or complex heuristics, when *any* executable arriving by e-mail
should be treated as dynamite and disposed of safely.

> Another example is through the extensibility of the virus
> signatures. While mounting /tmp noexec may protect against a wide class of
> threats, if a new threat comes out that it doesn't address, but that A/V
> software does, you are effectively screwed. Personally, I wouldn't bet my
> enterprise on that. Personally, I would do both.

As I've written before, there is no A/V software for Linux that protects
against Linux viruses.  I know dozens, and know of hundreds, of people who
run Linux, and I don't know a single one who runs such A/V software.
Of course, many of them do run A/V software, but it's to protect Windows
machines that are attached to the Linux ones.

> Actually, it does. New threats come out, new signatures come out.

Dropping anything that could possibly be an executable takes care of that
on the Windows side (plus not running software susceptible to macro viruses,
though those are all but extinct.)

[...]

> > I agree.  But a particular product or application *can* lead to
> > insecurity.

> Sure, but I think that your apparent belief that running A/V software leads
> to insecurity is false.

I never said that.  What I mean is that running Windows is likely to lead
to insecurity.  The A/V industry is simply a lucrative business built to
wrap band-aids around Windows' deficiencies.

> > Obviously, right now, I can't.  But there are plenty of large
> > organizations
> > using free software; HP claims to have made $2.5 billion in Linux-related
> > sales.

> Well then, it sounds like Linux isn't free anymore doesn't it?

I suspect that most of that is from hardware.

> No it won't, not necessarily at least. Not trying to get personal here, but
> let's look at your company and some of its products. You release them free
> with no support whatsoever.

That is untrue.  I offer fanatical support for my products; just check
the MIMEDefang mailing list archives to see what people think of our level
of support. (http://lists.roaringpenguin.com/pipermail/mimedefang/)

Not all of our products are free (I'm not a free software zealot), and we
offer excellent commercial support for our commercial products.

> Simply put, open source is not a simple lower cost solution. There are more
> factors than just the price on the shrinkwrap.

Absolutely.  And those additional factors (better security, generally
better support, and no worries about BSA enforcement) only add to
Linux's cost advantage over Windows.

[...]

> Ah, but it is more than just being a Linux expert. It is being an expert in
> what this company is doing with Linux. Someone can know Linux quite well,
> but if they don't know how David modified it, what he did with it, what he
> didn't do with it - to the code level in many cases, then they are SOL.

I run bog-standard distros; I'm not a kernel hacker.  Just because I could
fool with the source code to Linux doesn't mean I want to.

> > No.  The fundamental problem with Windows is the problem that led to
> > the creation of the anti-virus industry: Encoding of metadata in
> > filenames.
> > The fact that ".exe" on Windows means the same thing as turning on the
> > execute bit in UNIX has cost the world economy billions.  And it's
> > impossible
> > to change this without fundamentally changing Windows.  (Even this flaw
> > isn't a Microsoft innovation; it was first revealed in 1987 in the
> > infamous
> > CHRISTMA EXEC worm at IBM on the VM/370 system.)

> Well, I'm no developer so frankly I will leave this particular discussion to
> others.

No-one else wants to discuss it with me; they all seem to change the subject
when I bring it up. :-)

[...]

> I would disagree. Send them an RPM on redhat and have them run it. With
> increased user requests for functionality and usability (i.e. why can't I
> run this attachment), Linux and the relevant email clients will continue to
> be tugged in directions other than security.

Unfortunately, you may be right.  However, I think Linux developers are lucky
in that the system hasn't become popular until recently, when the dangers
of the Internet were readily apparent.  I'm optimistic, therefore, that
they won't repeat the same mistakes of Microsoft (which to be charitable,
was operating in a very different environment when it made its design
decisions.)

[...]

> No, I am claiming that all OS's can be hardened.

That is a tautology that is unhelpful in deciding which OS to choose.

> Each system requires
> different hardening steps. I would also contend, and have contended, that
> there is more to software than merel

RE: Religion... was RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-18 Thread Wes Noonan
> > Security isn't about protecting against old threats; it's about
> protecting
> > against new threats.
> 
> Exactly.  A/V software can only protect against *old* threats, because a
> virus has to be in the signature database.  Mounting /tmp noexec can
> protect against a wide class of threats (those threats that rely on
> writing
> a file to the file system and then executing it.)

Actually, A/V software protects against both. The most obvious example is
heuristics. Another example is through the extensibility of the virus
signatures. While mounting /tmp noexec may protect against a wide class of
threats, if a new threat comes out that it doesn't address, but that A/V
software does, you are effectively screwed. Personally, I wouldn't bet my
enterprise on that. Personally, I would do both.
 
> > If running virus protection has the potential to
> > protect against new threats,
> 
> But it doesn't.

Actually, it does. New threats come out, new signatures come out. Now if you
want to take the position of "yeah, but at that point they are old" fine,
I'll give you that. I've addressed it in more detail above however.
 
> > then it is worth running.
> 
> Therefore it isn't.

Again, I disagree. Especially on Windows systems. 
 
> > If an IDS/IPS has the
> > potential to protect against new threats, then it is worth running.
> 
> IDS itself cannot protect against anything; it can only detect unusual
> activity.  (That doesn't make it worthless, of course.)  IPS systems
> may be worthwhile depending on how many false-positives they issue.

Anything that tells me what is going on with my network is protecting
against things, even if it is simply notifying me so that I can take action.
 
> I agree.  But a particular product or application *can* lead to
> insecurity.

Sure, but I think that your apparent belief that running A/V software leads
to insecurity is false.

> Obviously, right now, I can't.  But there are plenty of large
> organizations
> using free software; HP claims to have made $2.5 billion in Linux-related
> sales.

Well then, it sounds like Linux isn't free anymore doesn't it?
 
> It will happen.  The economics dictate it.  Companies that save money
> because of lower licensing costs, lower license enforcement costs,
> and (especially) lower costs to maintain secure networks, will succeed
> where companies that have higher costs fail.

No it won't, not necessarily at least. Not trying to get personal here, but
let's look at your company and some of its products. You release them free
with no support whatsoever. So does that mean that a company saves money
by using them? Not necessarily. That lack of support means that the company
must be able to support the software themselves. This is generally going to
result in a cost in manpower and/or expertise to support the product. This
could also result in downtime costs while the "experts" try to figure out
what is going on while they attempt to check various open source communities
hoping to find relevant information. An alternative of course is to go to
your company and pay for support, something that many open source models use
as a revenue model.

Simply put, open source is not a simple lower cost solution. There are more
factors than just the price on the shrinkwrap.
 
> > You have to think about things like "what if David, who is the
> > only person who really knows our systems, leaves. Where does that leave
> us"?
> 
> That might have been true a couple of years ago, but there are plenty of
> Linux experts now, as you noted.

Ah, but it is more than just being a Linux expert. It is being an expert in
what this company is doing with Linux. Someone can know Linux quite well,
but if they don't know how David modified it, what he did with it, what he
didn't do with it - to the code level in many cases, then they are SOL. 
 
> > Microsoft is only un-securable for those who don't know how to secure it
> 
> No.  The fundamental problem with Windows is the problem that led to
> the creation of the anti-virus industry: Encoding of metadata in
> filenames.
> The fact that ".exe" on Windows means the same thing as turning on the
> execute bit in UNIX has cost the world economy billions.  And it's
> impossible
> to change this without fundamentally changing Windows.  (Even this flaw
> isn't a Microsoft innovation; it was first revealed in 1987 in the
> infamous
> CHRISTMA EXEC worm at IBM on the VM/370 system.)

Well, I'm no developer so frankly I will leave this particular discussion to
others. I do know that Microsoft products can be easily and effectively
secured (easily IMO of course), even with this "design flaw".
 
> This flaw, the readiness of a Windows system to enable execute permission
> depending on the filename, makes every single Windows box a ticking
> time bomb.  Someone just has to be clever enough to deposit an .exe on
> a system and trick someone into running it.

But this can be prevented. You have group policy as one option. You have
third 

RE: Religion... was RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-18 Thread David F. Skoll
On Sun, 18 Jan 2004, Wes Noonan wrote:

> > On Sun, 18 Jan 2004, Wes Noonan wrote:
> > Why?  Name one virus for Linux that AV software would have protected
> > against, that a noexec /tmp wouldn't have.

> Security isn't about protecting against old threats; it's about protecting
> against new threats.

Exactly.  A/V software can only protect against *old* threats, because a
virus has to be in the signature database.  Mounting /tmp noexec can
protect against a wide class of threats (those threats that rely on writing
a file to the file system and then executing it.)

> If running virus protection has the potential to
> protect against new threats,

But it doesn't.

> then it is worth running.

Therefore it isn't.

> If an IDS/IPS has the
> potential to protect against new threats, then it is worth running.

IDS itself cannot protect against anything; it can only detect unusual
activity.  (That doesn't make it worthless, of course.)  IPS systems
may be worthwhile depending on how many false-positives they issue.

> Security is about a total process, not a specific product
> or application.

I agree.  But a particular product or application *can* lead to insecurity.

> > We're a 7-person shop with a budget of $0 for software.  I'd love to
> > see a Microsoft shop with a similar software budget.

> I'd love you to show me a 700, 7000 or 7 person shop that can say that.

Wait a few years and get back to Roaring Penguin. :-)

Obviously, right now, I can't.  But there are plenty of large organizations
using free software; HP claims to have made $2.5 billion in Linux-related
sales.

It will happen.  The economics dictate it.  Companies that save money
because of lower licensing costs, lower license enforcement costs,
and (especially) lower costs to maintain secure networks, will succeed
where companies that have higher costs fail.

> You have to think about things like "what if David, who is the
> only person who really knows our systems, leaves. Where does that leave us"?

That might have been true a couple of years ago, but there are plenty of
Linux experts now, as you noted.

> Microsoft is only un-securable for those who don't know how to secure it

No.  The fundamental problem with Windows is the problem that led to
the creation of the anti-virus industry: Encoding of metadata in filenames.
The fact that ".exe" on Windows means the same thing as turning on the
execute bit in UNIX has cost the world economy billions.  And it's impossible
to change this without fundamentally changing Windows.  (Even this flaw
isn't a Microsoft innovation; it was first revealed in 1987 in the infamous
CHRISTMA EXEC worm at IBM on the VM/370 system.)

This flaw, the readiness of a Windows system to enable execute permission
depending on the filename, makes every single Windows box a ticking
time bomb.  Someone just has to be clever enough to deposit an .exe on
a system and trick someone into running it.

The social engineering required to do the same on Linux is an insurmountable
hurdle; not only do you have to deposit the file, but you have to convince
someone to turn on the execute bit, which no Linux mail clients currently
do, and which the average office worker is unlikely to even know how
to do.  (That's why I have a warm feeling when our sales people use Linux;
they don't know enough to be dangerous. :-))

> You claim, repeatedly, that Linux is so much easier to secure. I believe
> that this is directly related to your level of expertise on Linux. Similarly
> you claim, repeatedly, that Microsoft is impossible to secure. I believe,
> similarly, that this claim is directly related to your level of expertise on
> Microsoft.

No; it is related to the fundamental design flaw I mentioned above.

[...]

> Someone else pointed out that no OS is bug free, which is a truism. The
> ability to harden a system, if one knows what they are doing, is also a
> truism.

Are you claiming that all OS's have the same inherent security, and
that all can be hardened to the same extent?  If yes, then you're out
of touch with reality.  If no, then some OS's must be better than
others, and I claim that Linux, out of the box, is more secure than
Windows, out of the box, and furthermore, I claim that Linux is
possible to secure to a greater extent than Windows (especially with
the NSA work now merged into Kernel 2.6.)

> The more and more you post, the more things like this you write, the more
> clear it becomes that your position has little more than a religious passion
> for Linux and a religious dislike of Microsoft backing it with little other
> real substance.

It's easy to glibly dismiss my argument, but you don't address the facts.
Unless Microsoft has an economic incentive to improve security, it won't.
And the only economic incentive it could have is the potential loss of
market share.  And that can't happen without competition.  And competition,
in the consumer OS market place, cannot happen unless people are willing
to look at altern

RE: Religion... was RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-18 Thread Wes Noonan
My bad. I thought it would have been clear that I was trying to make the
point that it is about more than just protecting against old threats, rather
it is primarily about protecting against the new and unknown threats.
Protecting against the known is easy. Protecting against the unknown is the
tricky part. 

I should have clarified it better for the pedantic by inserting "isn't just"
in there.

Thanks.

Wes Noonan
[EMAIL PROTECTED]
http://www.wjnconsulting.com 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:full-disclosure-
> [EMAIL PROTECTED] On Behalf Of Jeremiah Cornelius
> Sent: Sunday, January 18, 2004 13:20
> To: [EMAIL PROTECTED]
> Subject: Re: Religion... was RE: [Full-Disclosure] Re: January 15 is
> Personal Firewall Day, help the cause
> 
> On Sunday 18 January 2004 08:51, Wes Noonan wrote:
> > Security isn't about protecting against old threats; it's about
> protecting
> > against new threats.
> 
> Oh. O.K.
> 
> I think that statement is unsupportable.
> 
> > Security is about a total process, not a specific product
> > or application.
> 
> Yes. That makes sense, and reflects awareness of the field.  Both
> statements
> in the same paragraph is dissonant.  It makes whatever point you're trying to
> make seem like a string of /non-sequiturs/...
> 



Re: Religion... was RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-18 Thread Jeremiah Cornelius
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Sunday 18 January 2004 08:51, Wes Noonan wrote:
> Security isn't about protecting against old threats; it's about protecting
> against new threats.

Oh. O.K.

I think that statement is unsupportable.

> Security is about a total process, not a specific product
> or application.

Yes. That makes sense, and reflects awareness of the field.  Both statements 
in the same paragraph are dissonant.  It makes whatever point you're trying to
make seem like a string of /non-sequiturs/...
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFACtx8Ji2cv3XsiSARAvkQAJ93u+2mooEUKXhq0GDEm2arAERZRQCePLQq
s4zW2Ey3WW7O6A2HpKtP4R0=
=f+LS
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: Religion... was RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-18 Thread David F. Skoll
On Sun, 18 Jan 2004, Wes Noonan wrote:

> > (I know that someone recently released code to do a "user-space" exec,
> > so mounting /tmp noexec is not 100% foolproof, but it's pretty good
> > protection.)

> Well then, IMO you might want to invest in virus protection.

Why?  Name one virus for Linux that AV software would have protected
against, that a noexec /tmp wouldn't have.

(It's hard enough to name a Linux virus; it's impossible to name a virus
that meets the latter conditions.)

> I'm curious, why is your solution which is not 100% foolproof "pretty good
> protection", but installing virus protection which is not 100% foolproof is
> a sham?

Because mounting /tmp noexec costs me nothing, whereas buying AV software
costs money.

> Really, it seems to me that a number of the "anti-virus scan" positions (and
> indeed most of the anti-microsoft, anti-personal firewall, etc positions)
> seem to have little substance beyond "I don't want to spend money".

That's a good enough reason for me. :-) I'm a tried-and-true
capitalist, and anything legal that decreases the cost of production
is something that will help my business, and something I'll embrace.
We're a 7-person shop with a budget of $0 for software.  I'd love to
see a Microsoft shop with a similar software budget.

Why should I spend money, time and energy trying to secure a basically
un-securable system, when I can not spend money, spend a whole lot
less time and energy, and have a more secure system?

One of the reasons Microsoft has such a terrible security record is
that it's a monopoly.  All the people who have posted "ah, yes, but
it's impractical to switch" are perpetuating insecure software.
Securing software costs a lot of money; if Microsoft knows it won't
lose market share even if it doesn't bother securing its software,
what possible motivation would it have to secure the software?  (As a
tried-and-true capitalist, *I* certainly wouldn't spend money securing
software in that situation.)

So unless you investigate alternative systems seriously, you're just
ensuring a monopoly situation, which guarantees bad software.
Complacency and defeatism have no place in the fight to secure our
computers.

--
David.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: Religion... was RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-18 Thread Wes Noonan
> On Sun, 18 Jan 2004, Wes Noonan wrote:
> Why?  Name one virus for Linux that AV software would have protected
> against, that a noexec /tmp wouldn't have.

Security isn't about protecting against old threats; it's about protecting
against new threats. If running virus protection has the potential to
protect against new threats, then it is worth running. If an IDS/IPS has the
potential to protect against new threats, then it is worth running. If a
personal firewall has the potential to protect against new threats, then it
is worth running. Security is about a total process, not a specific product
or application.
 
> We're a 7-person shop with a budget of $0 for software.  I'd love to
> see a Microsoft shop with a similar software budget.

I'd love you to show me a 700, 7000 or 7 person shop that can say that.
Frankly, you just illustrated a point here, whether you intended to or not.
When you are a small shop that has the expertise, you can do anything you
want. When you are a large shop, you no longer have that ability. You have
to think big. You have to think about things like "what if David, who is the
only person who really knows our systems, leaves? Where does that leave us?"
This is especially true in cases where you have free software being offered
with no support. Microsoft, whether you want to admit it or not, learned
that long ago. They learned that the need was there for OSes and
applications that are tremendously portable between people. They learned
that not everyone in IT is a developer or has the skills or capabilities to
write and compile custom code to suit their every need, and frankly not
everyone needs to. They learned that companies want support and they don't
want to have to rely on "Joe the admin" who is the only one who can recode
and recompile the application if there is a problem. Some Linux companies
are learning these lessons as well. You can see that in the tremendous leaps
and bounds of usability and functionality that they have made.
 
> Why should I spend money, time and energy trying to secure a basically
> un-securable system, when I can not spend money, spend a whole lot
> less time and energy, and have a more secure system?

Microsoft is only un-securable for those who don't know how to secure it
(the same can be said of Linux of course). Clearly, you seem to know Linux.
Equally clearly, to me at least, you don't seem to know Microsoft very well.
You claim, repeatedly, that Linux is so much easier to secure. I believe
that this is directly related to your level of expertise on Linux. Similarly
you claim, repeatedly, that Microsoft is impossible to secure. I believe,
similarly, that this claim is directly related to your level of expertise on
Microsoft. While to you it may take less time and energy to harden a Linux
system compared to Microsoft, I would point out that there are a lot of
other folks who would probably be able to argue and prove the opposite -
that it is much easier and takes less time and energy to harden Microsoft
than Linux. Heck, I can guarantee you that I can harden a Microsoft system
infinitely better than I could a similar Linux system.

Someone else pointed out that no OS is bug free, which is a truism. The
ability to harden a system, if one knows what they are doing, is also a
truism.
 
> So unless you investigate alternative systems seriously, you're just
> ensuring a monopoly situation, which guarantees bad software.
> Complacency and defeatism have no place in the fight to secure our
> computers.

The more and more you post, the more things like this you write, the more
clear it becomes that your position has little more than a religious passion
for Linux and a religious dislike of Microsoft backing it with little other
real substance. Protestants, Catholics. Muslims, Jews. Penguinistas and
Microsofties. It isn't about securing our computers, it's about not using
Microsoft. It's an old, tired, pointless argument. :shrug:

Wes Noonan
[EMAIL PROTECTED]
http://www.wjnconsulting.com 


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-18 Thread David F. Skoll
On Fri, 16 Jan 2004, Wes Noonan wrote:

> This is not quite correct. Nachia and Blaster, as well as Code Red and its
> variants are all detectable and preventable with virus protection.

All of those are Windows viruses, no?

> While
> they may not stop the worm on the network, they can and do stop systems from
> becoming infected and propagating the worm.

So does mounting /tmp noexec, and it doesn't involve shelling out money
to AV vendors.  Mounting /tmp noexec also protects against future threats,
not just ones that happen to be in the AV database.

(I know that someone recently released code to do a "user-space" exec,
so mounting /tmp noexec is not 100% foolproof, but it's pretty good
protection.)

--
David.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
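David's point above, that a noexec /tmp stops a dropped payload from executing whether or not it is in anyone's signature database, as an added example (not code from the thread or from any poster): a POSIX sh check for the noexec, nosuid and nodev options on the usual world-writable mounts. The mount table, device names and fstab lines are constructed for the example; the functions take any /proc/mounts-style text, so on a live Linux host they can be fed /proc/mounts directly. It only reports whether the options are set; as David notes, a user-space exec technique can still sidestep noexec, so this is one layer, not the whole answer.

```sh
#!/bin/sh
# Added example, not code from the thread: check that the world-writable
# scratch mounts carry noexec, nosuid and nodev. The mount table below is
# constructed; on a live system feed the functions the text of /proc/mounts.

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda2 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda3 /var/tmp ext3 rw,nosuid 0 0
tmpfs /dev/shm tmpfs rw 0 0'

# /etc/fstab lines that produce the hardened /tmp above (device name is an
# assumption; a tmpfs-backed /tmp takes the same options):
#   /dev/sda2  /tmp  ext3   defaults,nosuid,nodev,noexec  0 2
#   tmpfs      /tmp  tmpfs  defaults,nosuid,nodev,noexec  0 0

# mount_options TABLE MOUNTPOINT: print the option field for MOUNTPOINT.
# Empty output means MOUNTPOINT is not a separate mount, so it inherits the
# options of its parent filesystem (for /tmp on / that means no noexec).
mount_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# has_option OPTS NAME: succeed when NAME is present as a whole option.
# The surrounding commas keep "noexec" from matching inside another option.
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_hardening TABLE MOUNTPOINT: print the subset of noexec/nosuid/nodev
# that MOUNTPOINT lacks; exit 0 only when all three are set.
missing_hardening() {
    _opts=$(mount_options "$1" "$2")
    _missing=""
    for _o in noexec nosuid nodev; do
        has_option "$_opts" "$_o" || _missing="$_missing $_o"
    done
    _missing=${_missing# }
    printf '%s\n' "$_missing"
    [ -z "$_missing" ]
}

# audit_scratch_mounts TABLE: report each scratch mount that is not a separate
# mount or lacks one of the options; exit 0 only when all three pass.
audit_scratch_mounts() {
    _rc=0
    for _mp in /tmp /var/tmp /dev/shm; do
        _opts=$(mount_options "$1" "$_mp")
        if [ -z "$_opts" ]; then
            echo "$_mp is not a separate mount (inherits parent options)"
            _rc=1
        elif ! _m=$(missing_hardening "$1" "$_mp"); then
            echo "$_mp is missing: $_m"
            _rc=1
        fi
    done
    return $_rc
}

# Live check when run on a Linux host.
if [ -r /proc/mounts ]; then
    if audit_scratch_mounts "$(cat /proc/mounts)"; then
        echo "all scratch mounts carry noexec,nosuid,nodev"
    fi
fi
```

Against the constructed table, /tmp passes, /var/tmp is reported as missing noexec and nodev, and /dev/shm as missing all three. Running it on a real host where /tmp lives on the root filesystem reports /tmp as not a separate mount, which is the common case David's advice is meant to fix.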


Religion... was RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-18 Thread Wes Noonan
> On Fri, 16 Jan 2004, Wes Noonan wrote:
> 
> > This is not quite correct. Nachia and Blaster, as well as Code Red and
> its
> > variants are all detectable and preventable with virus protection.
> 
> All of those are Windows viruses, no?

Sure, but the statement, mistakenly made, was that virus protection does
nothing to protect against worms. I felt that it was worth pointing out that
your apparent anti-MS religion caused you to make an incorrect statement
(actually, it caused you to make a lot of incorrect statements, but folks
have already pointed that out). Perhaps you should spend a little bit of
time learning how to harden a windows system before you go advising folks
what they should be doing.
 
> > While
> > they may not stop the worm on the network, they can and do stop systems
> from
> > becoming infected and propagating the worm.
> 
> So does mounting /tmp noexec, and it doesn't involve shelling out money
> to AV vendors.  Mounting /tmp noexec also protects against future threats,
> not just ones that happen to be in the AV database.
> 
> (I know that someone recently released code to do a "user-space" exec,
> so mounting /tmp noexec is not 100% foolproof, but it's pretty good
> protection.)

Well then, IMO you might want to invest in virus protection. 

I'm curious, why is your solution which is not 100% foolproof "pretty good
protection", but installing virus protection which is not 100% foolproof is
a sham?

Really, it seems to me that a number of the "anti-virus scan" positions (and
> indeed most of the anti-microsoft, anti-personal firewall, etc positions)
seem to have little substance beyond "I don't want to spend money".

Wes Noonan
[EMAIL PROTECTED]
http://www.wjnconsulting.com 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-17 Thread Jim Race
As an aside, I'd like to thank all of my new semi-anonymous (yet 
traceable) friends for checking this setup in the last hour or two.

Feel free to let me know if you need a hand. Email is fine. You've also 
given me a couple of extra things to check, based on your attempts. 
Marvelous!

kisses...

-jim

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day,help the cause

2004-01-17 Thread Jim Race
Tobias Weisserth wrote:

> There is no such thing as a WinXP box with all current patches :-) Since
> installing all patches that Microsoft makes available still doesn't mean
> every critical bug is fixed you should find out as much as possible
> about the unfixed bugs. For example there is still a URL spoofing bug in
> the Internet Explorer 6 which hasn't been fixed for more than 2 months.
> I am pretty sure there are lots more. The dilemma is that MS doesn't
> seem to think full-disclosure is the way to go...

All that aside, using existing patches and NOT using software with known
vulns such as IE. There are unfortunately a select few sites where IE is
required. Those are dwindling, and more importantly can usually be
avoided altogether.

The sad part is, I *have* to keep a functional current version of IE on
the system, if only for testing reasons. It would be nice if there was a
very simple way to disable its integrated functions easily when not in use.

> Consider using alternative software in the meantime, thus replace IE6
> with Mozilla and so on.

Of course. Many of the stock Windows components are removed or replaced.
Notepad is a classic example, replaced by Textpad. Cygwin (with a lower
case "w", ahem) is used for its toys and cross training. Putty for
Telnet, stuff like that.

> You have to find out if there are any known vulnerabilities to the
> services you use and if yes, how to fix them. It's a pity pivX took
> their list offline. Instead they are promoting personal firewalls now in
> association with MS...

PivX's original list (or its content) lives on, just in a different
location.

> Be sure to keep it patched. Static pages are good (no possibility of
> injecting parameters). Check whether the cgi-bin directory is accessible
> from the outside! (shouldn't be by default)

Again, of course. It has a properly tweaked httpd.conf, and while I do
keep a cgi-bin directory accessible and readable it has nothing of
consequence in it. More of a nose-tweak if anything.

> > Mozilla with Java and JS disabled in email
>
> If you want to protect your privacy then disable HTML displaying in your
> mail client and forbid the loading of external content from within a
> displayed mail.

HTML rendering is disabled, as well as remote images. Pop-ups are toast,
and images only loaded from orig server in browsing. Bayesian Junk
filters enabled and well trained.

> A personal firewall is not bad. It's an addition. But it's not the cure.
> If you are sure the intended users of the machine know what to do with
> all the interactions that are required to run a personal firewall then
> install one. It will be hard to configure your hardware router so that
> it stops specific processes from connecting _to_ the Internet (in
> contrast to _from_). A personal firewall can be of much use here, taken
> the users know to use it.

Perhaps, but they're annoying as hell. It's a risk I'll accept. As a
single user machine it has outbound connections manually monitored, and
no (known) rogue software.

> Some AV software should be running at all times.

Why? SA runs on the (remote) mail server, stripping all executables and
classic MS hangers on (scr, com, bat, etc) as well as tagging Virus
and filtering those in Moz.

> There are usable
> products available for free, personal use only of course. Have a look at
> antivir.de.

F-Prot, and others tried.

> Be sure to get rid of adware too. Use Adaware or Spybot regularly.

Ad-aware run *very* occasionally. Executable binaries almost always go
through MD5 checksum vetting before install. No browser plug-ins allowed.

> Additional measures: Have some sort of bootable live CD available. There
> are a lot of Linux based live CD available on the Internet which contain
> f-prot and lots of recovery and diagnostic tools. It's very handy to
> have one of those lying around.

I keep a copy of Knoppix handy and updated. I may try out something else
soon.

Thanks... gives me something more to chew on.

Obviously, this is FAR from your average Windows users box. I'm quite 
aware of threats and have even discovered a few myself.

Our resident Grandma posting made *me* realize that not having to 
reformat often (because of this same awareness, never) is a good thing.

-jim

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-17 Thread Jim Race
James Patterson Wicks wrote:

> When you say properly configured firewall, does that include IDS?  Does
> that mean that the firewall blocks all connection attempts from the
> outside but allows established traffic originating on the network
> interior?  So if a system receives a Trojan from a web site, it can
> communicate with the outside world unmonitored?  The problem with
> opening port 80 is that not only HTTP traffic can come in (i.e. Telnet).
> If you do not have a device or application looking at traffic about
> Layer 4, you could still have problems.  Also, having AV look only at
> executables is a mistake.  Just my two cents.
Its IDS is me. :) Logs are examined several times a day, and dealt with 
through DShield and other avenues. Outbound connections are not 
seriously monitored, and that is an avenue for problems IF I let 
something get on the system.

A trojan is going to have to either:

a) Get past SA on the mail server, stripping all known executables and 
variants.
b) Get past Virus scanning and tagging on same.
c) Get past Mozilla with all active email controls and Junk filters enabled.
d) Get past Mozilla "outside of the box" using most browsing controls.

and

e) Get past me, not a dumb user.

If someone *really* wants to mess with the box they could likely do 
damage. Nothing important here though. Please move on. Intelligent 
switching based on traffic/content profile is currently beyond my 
expertise and equipment.

-jim

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day,help the cause

2004-01-17 Thread Jim Race
[EMAIL PROTECTED] wrote:

> What's your threat model?  Does it have to be "safe" against just the random
> crap that is background noise on today's networks, or are there other considerations?

The box happily rejects all the noise. The HW FW logs are skimmed daily,
but no real alerts are installed. Fully aware a persistent *smart*
attacker could likely easily DoS it, or perhaps worse. Latest (known
good) firmware on the FW as well.

> What's your trade-off model?  If it *does* get whacked, what are the
> consequences? Remember to *NOT* spend more time/money/effort on securing it
> than you would lose if it was in fact compromised.

The "time" is something "free" at this point. To be honest my "friend"
(ahem) is one of those who has installed various flavours of Linux
several times. Truth be told he (I) would prefer to move the web server
to a more hardened Linux box but it's "easier" at this point to just
deal with everything in one place.

> If it's a personal machine, you're just using Apache to serve up photos of the
> barbeque to your friends, and the worst that happens is you have to reload your
> 'My Documents' folder off a CD-ROM backup, you're probably *very* safe. Just
> remember to not piss off a script kiddie on IRC. ;)

I don't use the windows FS like MS might like me to. All the server docs
are on a separate drive, backed up weekly or more often as needed. "My
Documents" contains a few things unintentionally misfiled long ago when
I was using IE for some random site. Indeed, it's 95% personal stuff.
"Work stuff" is simple consulting gigs or mirroring for friends.

> If you're using the machine to access a corporate database, you probably want
> to do some more policy-level and ACL hardening on the inside - the biggest
> threat to your HR database is still an underpaid secretary in Accounts
> Receivable.

Nope. No corporate remote access from this box (although a VPN'ed laptop
with a different OS is occasionally used from the same subnet).

> If you're using the machine in a true life-or-death environment (medical
> monitoring, processing classified data, launch codes, etc), you're nowhere near
> hardened enough.

Only life or death would be loss of connectivity. :) Nowhere near that
important...

-jim

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-17 Thread Tobias Weisserth
Hi Valdis,

On Sat, 17.01.2004, [EMAIL PROTECTED] wrote at 19:43:
...

This has been the most intelligent mail in this thread yet. Thank you
very much.

cheers,
Tobias

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day,help the cause

2004-01-17 Thread Valdis . Kletnieks
On Sat, 17 Jan 2004 21:02:16 +0100, [EMAIL PROTECTED] said:
> I'd love to see liability laws applied. 

I can't think of anything that would stop Open Source in its tracks faster.

What would have been the last Apache release before they gave up, if they
had been open to lawsuits for each security hole?

When would Linus have thrown in the towel? Probably LONG before OSDL
stepped in.  It sucks to be a college student with a lawsuit.

How many other open source projects would just pack up and leave if they
had to worry about lawsuits?  Remember - it's not just security, it's reliability.

Would the mySQL guys have done it if they had to worry about a lawsuit every
time mySQL crashed and corrupted a database?

Would Larry Wall have done Perl if he had to worry about a lawsuit when some
Perl bug hosed up a CGI and took out a web server?

For that matter, is there *anybody* out there who'd release software if they knew
they could be sued if their software crashed?

Comparing liability for software to (for instance) liability for car
manufacturers is a total red herring.  Car design is well understood, but even
more importantly, the class of hazards to design against is fairly restricted.
You build a prototype, and if you beat the hell out of it for a few days at the
test track, you almost certainly have almost all the oddball cases covered.
Tight turn, wet pavement, something jumps in front of you, and cars will behave
pretty much the same. The outcome depends only on your speed, your tires, your
car's mass, and the general mass of the animal.

The difference with software is that if it's an SUV, it doesn't catch fire if
it's a green bear, but the back hatch pops open if it's a purple bear.  But then,
maybe it does - SUVs never run into green or purple bears.  But software does.
All the time.






Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day,help the cause

2004-01-17 Thread Tobias Weisserth
Hi Jim,

On Sat, 17.01.2004, Jim Race wrote at 19:20:
> Since the ping-pong game is far past 21 points...

:-)

> How safe would you consider:
> 
> A WinXP box with all current patches

There is no such thing as a WinXP box with all current patches :-) Since
installing all patches that Microsoft makes available still doesn't mean
every critical bug is fixed you should find out as much as possible
about the unfixed bugs. For example there is still a URL spoofing bug in
the Internet Explorer 6 which hasn't been fixed for more than 2 months.
I am pretty sure there are lots more. The dilemma is that MS doesn't
seem to think full-disclosure is the way to go...

Knowing about the unfixed bugs is as important as installing all the
patches that are available.

Consider using alternative software in the meantime, thus replace IE6
with Mozilla and so on.

> A properly configured HW firewall

This is pretty good. I don't like hardware firewalls since those are
less flexible than say a barebone Unix/Linux firewall, but this is
probably the most effective end user protection in front of Windows XP
boxes. Be careful though. Inside a hardware router some kind of software
is running (most often based on Linux :-)) and it can contain bugs too.
From time to time there are firmware updates available from your
firewall vendor. Inform yourself about this by checking the vendors
website.

> ICF enabled, web services ONLY enabled and all ICMP requests disabled

You have to find out if there are any known vulnerabilities to the
services you use and if yes, how to fix them. It's a pity pivX took
their list offline. Instead they are promoting personal firewalls now in
association with MS...

> Apache (latest) installed with no add'l modules (static pages only)

Be sure to keep it patched. Static pages are good (no possibility of
injecting parameters). Check whether the cgi-bin directory is accessible
from the outside! (shouldn't be by default)

> NOT running Outlook or OE

Very good ;-) This is probably the most important measure :-)

> Mozilla with Java and JS disabled in email

If you want to protect your privacy then disable HTML displaying in your
mail client and forbid the loading of external content from within a
displayed mail.

> An "admin" who knows not to run attachments

:-)

> No add'l (hated) SW firewalls

A personal firewall is not bad. It's an addition. But it's not the cure.
If you are sure the intended users of the machine know what to do with
all the interactions that are required to run a personal firewall then
install one. It will be hard to configure your hardware router so that
it stops specific processes from connecting _to_ the Internet (in
contrast to _from_). A personal firewall can be of much use here, taken
the users know to use it.

> No AV stuff running, except when scanning known executables

Some AV software should be running at all times. There are usable
products available for free, personal use only of course. Have a look at
antivir.de.

Be sure to get rid of adware too. Use Adaware or Spybot regularly.

> I am of course, asking for a "friend".

Probably the most important thing when running Windows XP: none of the
users should work as administrator or any other account with those
rights. Windows XP Home creates only users with administrative rights by
default. Be sure to tweak this behaviour. Users should always work with
minimal rights, just as much as they need to perform their tasks. It's
not that you don't trust the users, but any malware initiated inside
their user session will run with their rights!

And last but certainly not least: make regular backups.

Additional measures: Have some sort of bootable live CD available. There
are a lot of Linux based live CD available on the Internet which contain
f-prot and lots of recovery and diagnostic tools. It's very handy to
have one of those lying around.

cheers,
Tobias

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-17 Thread James Patterson Wicks
When you say properly configured firewall, does that include IDS?  Does
that mean that the firewall blocks all connection attempts from the
outside but allows established traffic originating on the network
interior?  So if a system receives a Trojan from a web site, it can
communicate with the outside world unmonitored?  The problem with
opening port 80 is that not only HTTP traffic can come in (i.e. Telnet).
If you do not have a device or application looking at traffic about
Layer 4, you could still have problems.  Also, having AV look only at
executables is a mistake.  Just my two cents.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jim Race
Sent: Saturday, January 17, 2004 1:21 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Re: January 15 is Personal Firewall Day,help
the cause

Since the ping-pong game is far past 21 points...

How safe would you consider:

A WinXP box with all current patches
A properly configured HW firewall
ICF enabled, web services ONLY enabled and all ICMP requests disabled
Apache (latest) installed with no add'l modules (static pages only)
NOT running Outlook or OE
Mozilla with Java and JS disabled in email
An "admin" who knows not to run attachments
No add'l (hated) SW firewalls
No AV stuff running, except when scanning known executables

I am of course, asking for a "friend".

-jim

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html




___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day,help the cause

2004-01-17 Thread jan . muenther
> > at the risk of sounding like a Win32 advocate...
> 
> No, you don't. :-)

Phew. :)
> > 0), but hey, it sure is a step forward. They've been lambasted badly and
> > earned it, but they're making progress for sure.
> 
> Anything else would be pretty pathetic if you take into consideration
> their financial potential that would enable them to throw in a hundred
> full-time developers to audit ANYTHING they have ever written and sold
> during the last two years.

The problem MS have is that their codebase is *gigantic* and that large
parts of the code have been written by outsourced companies who are long
gone. So, partly, even MS themselves have very little idea of what their
code actually *does*. Bad point to start from. 

> The reason Microsoft is not auditing more software is that their
> priority is still on profits and not on security. This is the difference
> with projects like OpenBSD. They don't work to make profits. They work
> to publish the most secure Unix system there is.

This, however, is *totally* not restricted to MS. In fact, a lot of systems
only become vulnerable due to incredibly badly written and largely untested
application software. This is something people like to forget about, you can
have a fully patched killer system, if your application is vulnerable, you
might be toast anyway. I see that every day in my job. 
> 
> basically this shouldn't be too much of a hassle since ActivePerl isn't
> too bad.

 ;)

> I can't remember ever having read something about a firewall built in
> Windows when browsing the Windows manuals. It doesn't spring into your
> face to say the least.

Well, I was surprised to see that in XP it actually clearly tells you about
the Internet Connection Firewall and what it is when you create e.g. a
dialup or PPPoE connection. 

> Well, I simply don't understand why MS is shipping Windows with an AOL
> link on the desktop instead of a "Enable Firewall" link.

I know, it's sick. But I have to remind you of the fact that the
"point'n'click" firewalls in recent Linux distros are a relatively recent
thing as well. MS is just moving very, very slowly. It's a Leviathan.

> Security doesn't seem to be a priority as long as MS products sell
> without it.

That doesn't only apply to MS. To my mind come names like Oracle, SAP,
IBM... you name it. It's a general problem. 

> Of course. But the point I am aiming at here is the fact that VERY often
> patches for well known security related bugs in MS software are not
> available for weeks or even months.

Again, true. And again, that's not a genuine MS problem, it's a problem with
people who don't understand their own software, or try to ignore it until
the first worm appears or public pressure becomes unbearable due to other
facts. 
> who used to offer a list about unpatched bugs in MS software on his
> company's site. The list contained more than 30 unpatched bugs that
> could be exploited at the time he took the list offline. He is doing
> business now with Microsoft, so full disclosure isn't an option anymore,
> I guess.

Thor did great work there, and if he now works with MS and helps them fix
their stuff, I have no moral problem with it.  
> 
> Comparing this to Linux and open sourced Unix systems you'll agree that
> bugs are available VERY fast and critical bugs don't go without patches
> or workarounds for weeks to come until they are revealed.

True. On the other hand (I *know* people will kick me for this), OSS is more
likely to be perused for vulnerabilities, since you can simply read the
sources. It sure helps to enhance the overall code quality in the long run,
but it also makes 0days somewhat more frequent. 

I have some simple proof for that: While exploitation on open source
platforms like Linux has really gone to some pretty esoteric levels, you can
still find vulnerabilities like classical buffer overflows and format string
bugs in commercial Unixes (I think Georgi Guninski had already pointed that
out ages ago). 

Of course closed software isn't more secure. It's just harder to search for
vulnerabilities, since not everybody who can read C can also handle IDA and
a debugger of choice. 

> would have to compete with a mighty host of free and high quality open
> source programs that come without commercials and offer the same or
> better usability. Guess what the consumer is going to chose.

Hm. Are you saying Mozilla is better than Opera?

> Concerning your /etc/passwd file. It's shadowed, isn't it? So even if it
> got sent to someone he'd have to crack it with john or something and
> count on weak passwords. If you chose your passwords with more than 9 or
> 10 letters/signs randomly than he'd be busy 60.000 years for just one
> password if he can do 10.000.000 operations in a second.

Dude, it was only /etc/passwd, which in FreeBSD is hardly more than
decoration - I guess the point was collecting usernames. Of course it's
shadowed, and the shadow file is not world readable. This isn't HP-UX 10.20
:)
> > H

Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-17 Thread Valdis . Kletnieks
On Thu, 15 Jan 2004 13:55:18 EST, Mary Landesman said:

> ubiquitous. Cisco is running a poll right now to see which of the 17
> critical patches are most important to users, because they only have the
> manpower to fix 10 of them. Should we all stop using Cisco products?

Correction 1: Cisco isn't running the poll, SANS is.

Correction 2: Patches and proper configuration guidelines *are* *available* for all 17.

Correction 3: Cisco has the manpower.  The lack of manpower is at THE END USER SITE.

This is a continuation of the SANS Top 10/Top 20 lists, where we recognize that
the average site is *NOT* going to devote the manpower to actually secure their
networks, so we create a list of "At least put in just a few hours and patch
these worst problems so you're not a TOTAL sitting duck".  The question is
basically:  We've found 17 common misconfigs that can be security problems.
If a site isn't willing to do all 17, which 10 have the best bang/buck return if
we can only get them to fix SOME of them?

(And yes, if you have more time, http://www.cisecurity.org/bench_cisco.html
has more info on hardening Cisco routers - this is for the sites that aren't going
to be that gung-ho about it.  And there's other docs at SANS and Cisco on how
to harden the routers even further if you're REALLY ambitious/concerned).

The original SANS posting:
---
Top Ten Cisco Security Vulnerabilities Project Update.  The project team
has identified seventeen vulnerabilities that appear to be critical.
You can help with the next step of prioritizing the 17 to help the team
select the Top 10. Then the team will develop a guide organizations can
use to protect themselves against exploits of the Top Ten. If you are
willing to help by rating the 17 candidates, send email to [EMAIL PROTECTED]
with the subject Cisco Top 10.
---

See http://www.sans.org/top20/ for an example of what we're trying to do...




Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day,help the cause

2004-01-17 Thread Valdis . Kletnieks
On Sat, 17 Jan 2004 10:20:56 PST, Jim Race <[EMAIL PROTECTED]>  said:
> Since the ping-pong game is far past 21 points...
> 
> How safe would you consider:
> 
> A WinXP box with all current patches
> A properly configured HW firewall
> ICF enabled, web services ONLY enabled and all ICMP requests disabled
> Apache (latest) installed with no add'l modules (static pages only)
> NOT running Outlook or OE
> Mozilla with Java and JS disabled in email
> An "admin" who knows not to run attachments
> No add'l (hated) SW firewalls
> No AV stuff running, except when scanning known executables

What's your threat model?  Does it have to be "safe" against just the random
crap that is background noise on today's networks, or are there other considerations?

What's your trade-off model?  If it *does* get whacked, what are the
consequences? Remember to *NOT* spend more time/money/effort on securing it
than you would lose if it was in fact compromised.

There's two main classes of attacks to worry about:  the "random noise" of all
the worms and viruses, and targeted attacks by opponents of varying skill and
resources.  The hardening you describe is probably quite sufficient to repel
most of the "random noise", so it's the second category you need to worry
about.

If it's a personal machine, you're just using Apache to serve up photos of the
barbeque to your friends, and the worst that happens is you have to reload your
'My Documents' folder off a CD-ROM backup, you're probably *very* safe. Just
remember to not piss off a script kiddie on IRC. ;)

If you're using the machine to access a corporate database, you probably want
to do some more policy-level and ACL hardening on the inside - the biggest
threat to your HR database is still an underpaid secretary in Accounts
Receivable.

If you're using the machine in a true life-or-death environment (medical
monitoring, processing classified data, launch codes, etc), you're nowhere near
hardened enough.





Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-17 Thread Valdis . Kletnieks
On Sat, 17 Jan 2004 08:43:52 MST, Bruce Ediger <[EMAIL PROTECTED]>  said:

> The commercial anti-virus people have never really addressed the
> lack of in-the-wild viruses for the unixes in general, and linux
> in particular.  Or, back in the day, why didn't VMS suffer from
> a plague like DOS did and Windows does?

Google for '+VMS +WANK'.  So it was certainly *possible* to create a VMS-based
worm.  However, that was back in the Elder Days, when VMS and other dinosaurs
still walked the earth in great numbers. And all the various systems in those
days had minor outbreaks of things - there was the CHRISTMA EXEC and variants
that plagued VM systems on Bitnet and VNET, the Morris worm that beat up on VAX
and Sun-3 boxes, and a host of other things on other systems.

But that was in the Elder Days. And that's an important point - VMS didn't have
a major worm problem mostly because in the days when it had market share, the
number of black hats who had access was limited.  Whoever released WANK had to
get access to HEPNet first, which for 98% of the users out there was
non-trivial.  But once you got onto HEPNet, there were enough VMS systems to
sustain a virus.  On the other hand, even then DOS and Windows had a significant
market share and information exchange (on floppys and BBS back then).

And that's the crucial point - the rate of information exchange with similar
systems.  Can your worm/virus contact another vulnerable system before it is
eradicated on its current host?  This is something that public health workers
have understood for a long time - for many diseases it is *not* necessary to
vaccinate 100% of the people, because a 95% or so rate is sufficient to keep it
from getting an epidemic going.  You're simply not likely enough to meet
another vulnerable person while you're contagious.

Now, it's safe to assume that every black hat has Internet access, and can
release a worm.  However, due to monoculture effects, there are only a very
limited number of operating systems and services that a worm can realistically
exploit.

Windows? A worm won't starve.  It will die of indigestion, and take out the net
if it burps.

Linux?  I strongly suspect that Lion was fairly close to as big as a Linux worm
can possibly get - and it was nowhere the size of most Windows worms.

Solaris?  We've seen automated scans for rpc.ttdbserver exploits, and had
clusters of machines all get whacked at once.  There's ecological space for
a slow-moving patient worm here...

HP/UX, AIX, Tru64?  A worm *might* be able to survive on these platforms,
but it would have to be very stealthy to survive on a given host long enough to
actually find another host to jump to.

Other boxes like MVS, VM, VMS, HPE, and the like?  The worm is almost
certain to die of starvation and/or boredom.






Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-17 Thread Bruce Ediger
On Fri, 16 Jan 2004, David F. Skoll wrote:

> Not running A/V software on a Linux box is no risk at all.  Even the
> McAffee A/V software wouldn't detect a worm in time to do any good.
> You can take the following simple precautions (which I do):  Mount /tmp
> noexec, and if you're really paranoid, mount /home noexec also.  That
> pretty much kills any propagation vector for viruses.

The commercial anti-virus people have never really addressed the
lack of in-the-wild viruses for the unixes in general, and linux
in particular.  Or, back in the day, why didn't VMS suffer from
a plague like DOS did and Windows does?

Not to beat a dead horse too hard, but maybe the small amount of
discretionary access controls (user, group, other, rwx) that typical
unix/linux installations have is enough to prevent viral epidemics?

Perhaps the greater "ecodiversity" of email clients, filesystem layouts,
mail transfer agents, HTTP servers and version variation of the above
provides enough resistance to avoid epidemics and pandemics.

Perhaps acknowledging that the big DOS and Windows virus problems were
boot sector, Word macro and Outlook viruses would help clarify the
situation.

Instead, we've got the "Linux isn't 100% immune so Linux users should
run anti-virus software, too" scaremongering that flies in the face
of observed reality.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day,help the cause

2004-01-17 Thread brenda
question on this?
maybe i am more disillusioned than i thought but if i patch and update how can 
i be as vulnerable as on windows?
i run a program called killerwall as my firewall
it is a script that uses ipchains or iptables. i chose iptables because of my 
reading and thinking this was safer.
i don't understand how rootkits work tho and my reading has not helped my 
understanding of this very much.
i don't do downloads except with acceptable ftp sites. no music/movies stuff. in 
fact my only downloads have been with urpmi?
can rootkits be used this way?
apologizing for my ignorance ahead of time but i am hoping to learn 
br3n

> That's true. I just want to remember about the guy with the rootkit
> which I asked about. Running SuSE Linux, patching regularly and thought
> he was safe while running an unpatched PHPNuke installation. Ouch. :-)





___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day,help the cause

2004-01-17 Thread Tobias Weisserth
Hi Jan,

Let the ping-pong game begin ;-)

On Sat, 17.01.2004 at 04:21, [EMAIL PROTECTED] wrote:
> at the risk of sounding like a Win32 advocate...

No, you don't. :-)

> > I agree. But Windows isn't delivered in such a minimum state by default.
> > Instead all doors are open. When MS ships Windows shouldn't it deliver
> > it with all doors closed instead of all doors open? I'd rather have an
> > "opt-in" for security risks than an "opt-out". 
> 
> I agree. MS are slowly grokking this. An example would be IIS6, which they
> got fully source code audited and which comes fairly reduced by default. I
> still don't agree to some design decisions (like running part of it in ring
> 0), but hey, it sure is a step forward. They've been lambasted badly and
> earned it, but they're making progress for sure.

Anything else would be pretty pathetic if you take into consideration
their financial potential that would enable them to throw in a hundred
full-time developers to audit ANYTHING they have ever written and sold
during the last two years.

The reason Microsoft is not auditing more software is that their
priority is still on profits and not on security. This is the difference
with projects like OpenBSD. They don't work to make profits. They work
to publish the most secure Unix system there is.

> > available tools at affordable prices. Maybe you can correct me here. I'd
> > love to see something as Claymore, Tripwire or AIDE freely available on
> > Windows.
> 
> Hm, I doubt that it doesn't exist. As a dirty workaround, one could create
> md5 hashes oneself and store them in an offline database.

I guess with a little bit of work a devoted Perl junkie could modify
Claymore to work with Windows. Since claymore is just a Perl script
basically this shouldn't be too much of a hassle since ActivePerl isn't
too bad.

> > Again, this is not what I am criticising. I am criticising that Windows
> > ships with some sort of packet filtering (though I doubt it can compete
> > with iptables) but it is not enabled by default.
> 
> Neither is it in a lot of Unixes.

That's usually "page 3" in Red Hat/Fedora, Mandrake or SuSE manuals ;-)

"Click Yast", choose "Security and users" and enable the SuSEfirewall2.

I can't remember ever having read something about a firewall built in
Windows when browsing the Windows manuals. It doesn't spring into your
face to say the least.

> And yeah, first of all it's crudely positioned (ipsec policies? c'mon...),
> and second it's a stateless packet filter which can be circumvented fairly
> trivially...

I agree. But quality isn't the point, yet. We're still speaking about a
quantity > 0 here ;-)

> Still, it's possible to take a simple workstation out of the line of fire
> pretty much. The "Internet Connection Firewall" that XP has is at least a
> lot better than having nothing, and it's trivial to enable even for Joe or
> Jane User. 

Well, I simply don't understand why MS is shipping Windows with an AOL
link on the desktop instead of a "Enable Firewall" link.

Security doesn't seem to be a priority as long as MS products sell
without it.

> > ZoneAlarm and all these other products actually may have their positive
> > sides but you can't cure an unpatched Windows XP Home or older unpatched
> > Windows 98 boxes by just installing such a Personal Firewall.
> 
> Dude... neither is a firewall a cure for an unpatched Unix box!

Of course. But the point I am aiming at here is the fact that VERY often
patches for well known security related bugs in MS software are not
available for weeks or even months.

I did it and I'll do it again: I'll remind you about

Thor Larholm 
Senior Security Researcher 
PivX Solutions 

who used to offer a list about unpatched bugs in MS software on his
company's site. The list contained more than 30 unpatched bugs that
could be exploited at the time he took the list offline. He is doing
business now with Microsoft, so full disclosure isn't an option anymore,
I guess.

Comparing this to Linux and open sourced Unix systems you'll agree that
bugs are available VERY fast and critical bugs don't go without patches
or workarounds for weeks to come until they are revealed. THIS is why
I'm criticising the philosophy of promoting Personal Firewall Day for
Windows end users because it seems to release MS from their obligation
to fix flaws in end user software such as Outlook and Internet Explorer
and end users get the impression they are safe because they have this
perimeter defence.

> I see it so often that people rely on their perimeter defense. Once you're through that
> it's mayhem.

This is a platform independent problem. Unavailable patches are not a
platform independent problem, yet not to this extent. 

I'd rather see a fully patched MS Windows than a thousand additional
virus scanners and firewall programs. I guess this day will never come.

> > new program is really annoying. If you think this can be avoided by
> > telling the end user not to use these programs 

Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day,help the cause

2004-01-17 Thread jan . muenther
Hello Tobias,

at the risk of sounding like a Win32 advocate...

> I agree. But Windows isn't delivered in such a minimum state by default.
> Instead all doors are open. When MS ships Windows shouldn't it deliver
> it with all doors closed instead of all doors open? I'd rather have an
> "opt-in" for security risks than an "opt-out". 

I agree. MS are slowly grokking this. An example would be IIS6, which they
got fully source code audited and which comes fairly reduced by default. I
still don't agree to some design decisions (like running part of it in ring
0), but hey, it sure is a step forward. They've been lambasted badly and
earned it, but they're making progress for sure.

> available tools at affordable prices. Maybe you can correct me here. I'd
> love to see something as Claymore, Tripwire or AIDE freely available on
> Windows.

Hm, I doubt that it doesn't exist. As a dirty workaround, one could create
md5 hashes oneself and store them in an offline database. 

> Again, this is not what I am criticising. I am criticising that Windows
> ships with some sort of packet filtering (though I doubt it can compete
> with iptables) but it is not enabled by default.

Neither is it in a lot of Unixes. 
And yeah, first of all it's crudely positioned (ipsec policies? c'mon...),
and second it's a stateless packet filter which can be circumvented fairly
trivially...
Still, it's possible to take a simple workstation out of the line of fire
pretty much. The "Internet Connection Firewall" that XP has is at least a
lot better than having nothing, and it's trivial to enable even for Joe or
Jane User. 

> ZoneAlarm and all these other products actually may have their positive
> sides but you can't cure an unpatched Windows XP Home or older unpatched
> Windows 98 boxes by just installing such a Personal Firewall.

Dude... neither is a firewall a cure for an unpatched Unix box! I see it so
often that people rely on their perimeter defense. Once you're through that
it's mayhem. 

> new program is really annoying. If you think this can be avoided by
> telling the end user not to use these programs then you are utterly
> mistaken. End users are addicted to those ad driven trash like Kazaa,
> various download managers and other stuff. They'd rather cut off their
> left hand than not use such programs.

Do you think that would be any different if Linux replaced Windows as the
most frequent end user platform? I strongly doubt it.
> 
> The advantage in Open Source software is that it doesn't run ad driven
> and doesn't spy on the end user while offering the same functionality
> and most of the times even more.

While I generally agree, the way most people handle OSS these days, it's
trivial to sneak in spyware functionality as well. I can't remember what it
was, but I've seen attempts to mail my /etc/passwd to some hushmail account
from a Makefile (very sneaky, haha). 
> 
> This is where I have to disagree with might. File permissions with user,
> group and world levels, processes locked in chroot environments, the
> possibility of starting single tasks with root access via sudo from
> within a normal user session are all examples of things lacking in
> Windows.

Hm, no. NTFS actually supports ACLs straight out of the box. With runas, you
can switch the security context of the current user to run a process with
different credentials. As of chroot'ed environments, I can't think of
anything practical at the moment, indeed. 
> 
> Every user logging in to Windows XP Home is working with full system
> rights. This is the state the system is delivered by Microsoft. How
> should a Windows XP end user know that this is dangerous and how should
> he know to change this?!

XP Home Ed. is a big scam - they basically deprived it of any useful
functionality of their "professional" operating systems. 
> 
> Rigid rights management in Windows is a modern myth. This simply can't
> be compared to Unix/Linux.
I really beg to differ. You *can* do a very fine grained rights management
with NT+ systems, only very few people actually do. Ever read the NSA paper
on NT hardening?
> 
> What user does the IIS webserver run as when you install the IIS the
> default way? The same goes for other services on Windows servers.

It actually runs as the IUSR_MACHINENAME anonymous account, not as Local
Authority / SYSTEM - the IIS5, I mean, IIS4 did run as system. Then again,
come on, a lot of Unix services run as root as well, at least on classical
Unix systems. 
> 
> How to implement a chroot environment in Windows?

I actually don't know off the top of my head, but I'm sure MS came up with
something to match the DoD's compartmentalization requirements. And yes, I
have my doubts too whether it's any good. 
> 
> Does it save user passwords one way encrypted like the shadow password
> file in Linux? :-)

Hm? Yes, sure it does. It's not even so easy to get to the hashes, you have
to have LA/SYSTEM for it. Of course, one of Wintendo's biggest flaws is the
fall-bac
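
The "hash it yourself and keep the database offline" workaround Jan mentions is, stripped down, what Tripwire, AIDE and Claymore do. As an added example that is not from this thread or from any of those tools, here is a minimal baseline-and-compare checker in Python; it uses SHA-256 instead of MD5, records size and permission bits alongside the hash, and the directory tree, file names and tampering in `demo()` are constructed for the demonstration.

```python
"""Minimal file-integrity checker (added example, not from the thread or from
Tripwire/AIDE/Claymore). Baseline = SHA-256, size and mode of every regular
file under a root; the JSON baseline is meant to be copied to read-only or
offline storage so an intruder cannot quietly rewrite it."""
import hashlib
import json
import os
import shutil
import tempfile

CHUNK = 64 * 1024


def hash_file(path):
    """SHA-256 of a file, streamed so large binaries are not read into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Walk root and record hash, size and permission bits of every regular
    file. Symlinks are skipped: their target can change while the link does not."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            st = os.stat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": hash_file(path),
                             "size": st.st_size,
                             "mode": st.st_mode & 0o7777}
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Diff two baselines: lists of added and removed paths, plus a dict of
    modified paths naming which attributes (sha256, size, mode) changed."""
    report = {"added": [], "removed": [], "modified": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            changed = [k for k in ("sha256", "size", "mode")
                       if baseline[rel][k] != current[rel][k]]
            if changed:
                report["modified"][rel] = changed
    return report


def demo():
    """Constructed scenario: baseline a fake tree, tamper with it, re-check."""
    root = tempfile.mkdtemp(prefix="fim-")
    dbdir = tempfile.mkdtemp(prefix="fim-db-")   # stands in for offline storage
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "etc"))
    files = {"bin/ls": b"\x7fELF fake ls binary\n",
             "bin/ps": b"\x7fELF fake ps binary\n",
             "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n"}
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
        os.chmod(os.path.join(root, rel), 0o755 if rel.startswith("bin/") else 0o644)
    db = os.path.join(dbdir, "baseline.json")
    save_baseline(build_baseline(root), db)

    # Tampering: same-length rewrite of ps (size alone would miss it),
    # permission change on ls, a new file, and a removed file.
    with open(os.path.join(root, "bin", "ps"), "wb") as f:
        f.write(b"\x7fELF FAKE ps binary\n")
    os.chmod(os.path.join(root, "bin", "ls"), 0o777)
    with open(os.path.join(root, "etc", "newfile.conf"), "wb") as f:
        f.write(b"added after baseline\n")
    os.remove(os.path.join(root, "etc", "passwd"))

    report = compare(load_baseline(db), build_baseline(root))
    shutil.rmtree(root)
    shutil.rmtree(dbdir)
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The same-length rewrite of `bin/ps` is the case a size-and-timestamp check misses and a hash catches; the permission change shows why mode bits belong in the baseline as well.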

Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-17 Thread William Warren


[EMAIL PROTECTED] wrote:

> Yeah, I agree, but that was also a pretty steep learning curve and a lesson
> that e.g. Redhat had to learn the hard way. I believe in 2001 Redhat 6.2 had
> more severe security alerts than w2k.

What many tend to forget because MS and others have blinded them to the 
fact is that RH may have had more security alerts but outside of the 
kernel RH is not linux..the linux operating system is the 
kernel..everything else is third party...MS by their own admission has 
windows tied into everything in the installation (IE, WMP..etc etc) and a 
flaw in one of these programs is a flaw in the entire system.  BIG 
difference in architecture big difference in overall security...you 
cannot compare windows to a linux distro because the distro itself IS 
not linux..:)



--
May God Bless you and everything you touch.
My "foundation" verse: 
Isaiah 54:17 No weapon that is formed against thee shall prosper; and every tongue that shall rise against thee in judgment thou shalt condemn. This is the heritage of the servants of the LORD, and their righteousness is of me, saith the LORD.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-17 Thread Erik van Straten
Bill,

On Fri, 16 Jan 2004 23:29:12 -0500 Bill Royds wrote, among other thing:

> So we have to live with the Microsoft problem.

My situation is similar to yours, and I agree mostly with what you
wrote, except the sentence above.

We are users of their software, we are *paying* customers and we demand
improvement. Most on this list know what the problems are, and do come
up with ideas for such improvement. It's good to discuss them because
not all ideas are practical (I have been proven wrong in the past and
will be in the future).

I'm on this list to learn and to discuss. Some may call me a troll; my
attention is with those who supply valid arguments in their response.

Regards,
Erik
Sysadmin (Microsoft and Linux)

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day,help the cause

2004-01-17 Thread Tobias Weisserth
Hi "Exibar",

On Fri, 16.01.2004 at 22:40, Exibar wrote:

> I agree, it looked like I was melding the two together into "threats" and
> not keeping Viruses/worms separate.  Phishing's a new term that's cropped up
> for these types of e-mail's.

I learnt something new here. I didn't know these emails are referred to
as "phishing" in English. Thanks for mentioning.

...
> > Minimum usage (only deploy services you use)
>---can be done on a windows box

I agree. But Windows isn't delivered in such a minimum state by default.
Instead all doors are open. When MS ships Windows shouldn't it deliver
it with all doors closed instead of all doors open? I'd rather have an
"opt-in" for security risks than an "opt-out". The upcoming XP service
pack shows that MS has taken the hint because the service pack will
activate the packet filter by default. The Windows Messaging Service had
to be blocked by AOL to prevent unwanted ad messages popping up on AOL
member screens. Why didn't MS issue a patch, closing the darn thing in a
matter of seconds? This is what I'm criticising here. 

> > File Integrity Checking
>Would have to run Trip-wire or similar.

As far as I know there is no open sourced, GPL version of Tripwire
available for Windows. Deploying a file integrity test tool on an end
user Windows machine is non-trivial because of the lack of freely
available tools at affordable prices. Maybe you can correct me here. I'd
love to see something as Claymore, Tripwire or AIDE freely available on
Windows.

> > Rootkit Detectors (this comes closest to virus scanning)
> A/V scanner will do the job

See? We actually agree ;-) 

> > Firewalling
> Windows XP's built-in ICF, or zonelabs, etc

Again, this is not what I am criticising. I am criticising that Windows
ships with some sort of packet filtering (though I doubt it can compete
with iptables) but it is not enabled by default.

ZoneAlarm and all these other products actually may have their positive
sides but you can't cure an unpatched Windows XP Home or older unpatched
Windows 98 boxes by just installing such a Personal Firewall.

The additional downside of Personal Firewalls is that they require tons
of user interaction. Every stupid process is interrupting the work-flow
of Windows users when it tries to access the Internet and a user is
confronted with the name of an executable binary which the average user
can't trace back to service or program he knows. Users tend to think in
terms like "Internet Explorer" or even shorter "Explorer". When
confronted with "iexplore.exe" they simply don't know what that is and
forbid access to the Internet for that thing and wonder why their
browser doesn't work anymore. Believe me. That's why Personal Firewalls
are ineffective to say the least. They are too troublesome for the
average end user.

The main setback in Windows are all those ad driven freeware programs
that the end user tends to love if not even adore. Three or four
dialers, the same amount of ad background processes running, countless
cookies and ad windows popping up at every occasion when a user opens a
new program is really annoying. If you think this can be avoided by
telling the end user not to use these programs then you are utterly
mistaken. End users are addicted to those ad driven trash like Kazaa,
various download managers and other stuff. They'd rather cut off their
left hand than not use such programs.

You can certainly imagine that the existence of that many different and
unknown processes wanting access to the Internet isn't making the usage
of Personal Firewalls any easier.

The advantage in Open Source software is that it doesn't run ad driven
and doesn't spy on the end user while offering the same functionality
and most of the times even more.

> > Rigid Management Of User Rights
> windows can get pretty granular with user rights and permissions.

This is where I have to disagree with might. File permissions with user,
group and world levels, processes locked in chroot environments, the
possibility of starting single tasks with root access via sudo from
within a normal user session are all examples of things lacking in
Windows.

It is even worse. Prize question. You'll get a hundred points if you
answer this correctly.

Windows XP Home lets users login by default with what rights?

Administrator. Right. Well done. You deserve those 100 points.

Every user logging in to Windows XP Home is working with full system
rights. This is the state the system is delivered by Microsoft. How
should a Windows XP end user know that this is dangerous and how should
he know to change this?!

Many end user applications are requiring administrator rights to run
properly, especially some games. The consequence of this flawed design
is that end user tend to work as administrator all the time.

Rigid rights management in Windows is a modern myth. This simply can't
be compared to Unix/Linux.

What user does the IIS webserver run as wh

Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-17 Thread jan . muenther
Howdy,

> > It can actually drive me mad to see how many Linux users entirely trust in
> > their assumption that they're more secure by default simply because they
> > don't run a Windows system.
> 
> A Linux user running a default installation of a modern Linux distribution
> *IS* more secure by default than someone running a default installation
> of Windows XP.

Read again - I didn't actually say it wasn't. My point is rather the blind
trust in that, assuming a certain invincibility due to the fact they're
running something else. 
> 
> Modern Linux distros don't run many (or even any) services by default,
> and they usually implement packet-filtering firewall rules.  WinXP does not.

Yeah, I agree, but that was also a pretty steep learning curve and a lesson
that e.g. Redhat had to learn the hard way. I believe in 2001 Redhat 6.2 had
more severe security alerts than w2k. 
Microsoft seem to learn this lesson too, only it takes a lot longer and they
appear not to see why things like DCERPC are generally bad. However, when
you look at w2k3, you see things like a (yeah, canary based) stack execution
protection and in terms of services, they've sort of turned away from their
"just switch it all on by default" policy. 
> 
> With Windows, you have no choice but to do that, because there's very
> little open-source software available for Windows.

You're right. But again, I wasn't claiming anything else, I was just
shrugging at the fact that a lot of Linux folks do the exact same thing
without even the faintest second thought, *despite* having the ability to do
better, technically. 

> > ELF infectors do exist, and just because it's not quite so common, doesn't
> > mean it doesn't happen.
> 
> But unless you run as root, it's not possible to infect system binaries
> (without also exploiting a local root hole.)  The barrier to entry is
> simply higher in *NIX than Windows.
> 
Erm, have to disagree here. Of course you can't manipulate system binaries
without root privileges, but there's a lot of things you can do as a normal
unprivileged user already. Plus - now I'm just throwing in my biased opinion
derived from pen test practice - once you're a local user on a Linux system,
you very often somehow manage to escalate privileges.  

> > Also - wild theory - I'd say that people are less
> > likely to notice a malware infected Linux box than a Win32 one, simply
> > because of blind trust.
> 
> I strongly disagree.  People expect Windows boxes to be slow, cantankerous
> and crash-prone. 

Haha, I knew this would provoke somebody :) Oh, and yes, they are slow,
cantankerous and crash-prone. 

> When a Linux box starts acting wonky, people notice
> immediately.  One of my servers started going nuts the other day,
> and I noticed very quickly.  (It was a bad hard drive, not an attack,
> but still...)

The point is, if you start fiddling around with Win32 in Ring 0, you're very
likely to fuck the system up for good, since it's really flaky. With Linux
(or a lot of other given Unices), kernel interfaces are better documented
and easier accessible, ironically leading to more stable rootkits and
backdoors, so your box won't behave flakily (unless you're the dumb kid that
ran suckit on the Debian boxen). 
> 
> I didn't say that.  I said that if our colocation server got compromised,
> it wouldn't compromise our work machines (which are on another network.)

Well yeah, but that's a question of reasonable network design, not OS
choice. 
> 
> > It's what you do with it, how you handle it, and how much you assume.
> 
> Look, I'm sorry, there are fundamental flaws with Windows that make
> it practically un-securable.

Can we get a bit more specific here? Off the top of my head, I can think of
two things:
 - Shatter attacks
 - named pipe impersonation

The other usual attack vectors (which I agree are plenty) can be fixed if
you have a clue about Windows, which unfortunately a lot of Windows people
*don't*. That, to me, is the biggest problem: People run it without even
having the slightest clue about the risks and attack vectors they're exposed
to, not even mentioning the lack of knowledge of how to fix them. 

This problem is definitely more present in the Windows world, since people
tend not to know their systems as well as the usually more enthusiastic and
in-depth technical Unix folks. 

> Linux has its bugs, but they are *bugs*, not
> *design flaws*.  So-called "security experts" who don't admit that are
> doing a disservice to everyone.

Oh well. Actually neither Linux nor Windows were built to be secure
operating systems. One could even go so far and name the concept of SUID
binaries and root's omnipotency a design flaw. You can implement RBAC
through SELinux or whatever, but still, I wouldn't qualify Linux as such as
a highly secure OS. Neither Windows, naturally. 

Let me sum up quickly what I was originally trying to state:

Linux/Unix people often seem to have a false sense of security simply due to
the fact that they're ru

Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-17 Thread David Luyer
On Fri, Jan 16, 2004 at 01:57:15PM -0500, David F. Skoll wrote:
> On Fri, 16 Jan 2004, Exibar wrote:
> 
> >  Will any of these do?  Will you still think you don't need AV on Linux now?
> > here's a partial list. don't choke too hard now!
> 
> Those are all proof-of-concept.  I'm unaware of a single production
> Linux machine anywhere in the world succumbing to one of them.  Perhaps
> you can provide evidence to the contrary?
> 
> Furthermore, most of them are not self-propagating, but require active
> cooperation from the recipient.
> 
> I do not need nor use AV on Linux.

But what about ye evil polymorphic .sig virus?  To my knowledge it's the most
prolific virus to infect Linux users to date, see below for evidence of three
infections!

+== Begin quote: Gregory Maxwell on linux-kernel, 20 May 1999 ===
+
+  On Wed, 19 May 1999, Thomas Wouters wrote:
+  > > Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!
+  >
+  > Excellent signature :-)
+  >
+  > --
+  > Thomas Wouters <[EMAIL PROTECTED]>
+  >
+  > Hi! I'm a .signature virus! copy me into your .signature file to help me spread!
+
+  Wow! It's polymorphic!
+  --
+  Gregory Maxwell <[EMAIL PROTECTED]>
+
+  Hi! I'm a .signature virus! cp me into your .signature file to help me spread!
+
=== End quote ===

Seriously - while there are no prolific Linux "viruses", there is still a place
for "scanners" - e.g. chkrootkit; it's also potentially useful to use something
to check your system hasn't accidentally ended up with eggdrops and other things
installed.  The chance of a Linux "virus" propagating and remaining valid for
an extended period of time against updated systems may be extremely low, but
the chance of an uneducated user's Linux system with full net access getting
compromised is non-zero.

David.
--
Hi!  I'm a .sig virus.  Copy me into your .signature file to help me spread!

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-17 Thread Ron DuFresne
On Fri, 16 Jan 2004, Ron DuFresne wrote:

> On Fri, 16 Jan 2004, Wes Noonan wrote:
>
> > > Are you aware of any A/V desktop software for Linux?  I'm not.  So even
> > > if I wanted to run A/V on our desktops, I couldn't.
> >
> > Network Associates makes one. VirusScan for Unix. Been out for a while now,
> > at least a couple of years. There are others as well. Google "virus
> > protection software for linux".
> >
> > > A/V software will do exactly nothing to protect against worms that
> > > exploit buffer overflows in running services.
> >
> > This is not quite correct. Nachia and Blaster, as well as Code Red and its
> > variants are all detectable and preventable with virus protection. While
> > they may not stop the worm on the network, they can and do stop systems from
> > becoming infected and propagating the worm.
>
> And there's a nice little perl action that Jay Dyson has coded up, called
> "code Green" for those running apache!


My apologies to Jay Dyson and all, I meant to say Early bird, not code
green.

thanks to those that pointed out my error.

Thanks,

Ron DuFresne
~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.



RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread Bill Royds
Actually you are quite correct that Windows has fundamental design flaws
that make it unsafe to go unprotected on the Internet. Which is why Windows
machines need to be behind a firewall to connect and a Personal Firewall
running at the TCP/IP stack level is better than letting the windows OS face
the Net. That is why I like the idea of a Personal Firewall Day. I am
running a Windows OS because I administer Windows machines at work and I
need to have the same versions running at home, but I know that it isn't
really safe so I have ICF running, plus a firewall and IDS. It would be
wonderful to have every Windows box switched to Linux in the next 3 days. I
would be able to have Linux to administer etc. But that is NOT GOING TO
HAPPEN. Microsoft was convicted under anti-trust legislation and had no real
penalty. They did better than AT&T which was forced to divest into the baby
Bells. So we have to live with the Microsoft problem. Personal Firewalls are
one way to make the Internet safer for Linux users as much as Windows users.
Those Code Red and Nimda machines beating at my firewall and yours spread
because people are connecting Windows machines to the Internet without a
condom. Yes, abstinence from windows is safer than hex with it, but we need
to stop the diseases it carries from spreading for the betterment of all
Internet users, not just Windows users. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David F. Skoll
Sent: January 16, 2004 9:34 PM


Look, I'm sorry, there are fundamental flaws with Windows that make
it practically un-securable.  Linux has its bugs, but they are *bugs*, not
*design flaws*.  So-called "security experts" who don't admit that are
doing a disservice to everyone.

Regards,

David.



RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread Ron DuFresne
On Fri, 16 Jan 2004, Wes Noonan wrote:

> > Are you aware of any A/V desktop software for Linux?  I'm not.  So even
> > if I wanted to run A/V on our desktops, I couldn't.
>
> Network Associates makes one. VirusScan for Unix. Been out for a while now,
> at least a couple of years. There are others as well. Google "virus
> protection software for linux".
>
> > A/V software will do exactly nothing to protect against worms that
> > exploit buffer overflows in running services.
>
> This is not quite correct. Nachia and Blaster, as well as Code Red and its
> variants are all detectable and preventable with virus protection. While
> they may not stop the worm on the network, they can and do stop systems from
> becoming infected and propagating the worm.

And there's a nice little perl action that Jay Dyson has coded up, called
"code Green" for those running apache!

Thanks,

Ron DuFresne
~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread David F. Skoll
On Fri, 16 Jan 2004 [EMAIL PROTECTED] wrote:

> It can actually drive me mad to see how many Linux users entirely trust in
> their assumption that they're more secure by default simply because they
> don't run a Windows system.

A Linux user running a default installation of a modern Linux distribution
*IS* more secure by default than someone running a default installation
of Windows XP.

Modern Linux distros don't run many (or even any) services by default,
and they usually implement packet-filtering firewall rules.  WinXP does not.

> However, there are *plenty* incredibly vulnerable Linux boxes exposed to the
> Internet and I know for a fact that quite a few people simply download and
> install binary packages from any given source without a second thought.

With Windows, you have no choice but to do that, because there's very
little open-source software available for Windows.

> Even more ironically, a lot of people just compile and install
> anything with the usual ./configure / make /make install stupor.

This is a problem, I agree.

> ELF infectors do exist, and just because it's not quite so common, doesn't
> mean it doesn't happen.

But unless you run as root, it's not possible to infect system binaries
(without also exploiting a local root hole.)  The barrier to entry is
simply higher in *NIX than Windows.

> Also - wild theory - I'd say that people are less
> likely to notice a malware infected Linux box than a Win32 one, simply
> because of blind trust.

I strongly disagree.  People expect Windows boxes to be slow, cantankerous
and crash-prone.  When a Linux box starts acting wonky, people notice
immediately.  One of my servers started going nuts the other day,
and I noticed very quickly.  (It was a bad hard drive, not an attack,
but still...)

> I also disagree on the note that a single system exposed to the Internet
> doesn't form any type of threat at all. You can always beautifully serve as
> a hop or become a friendly member of a botnet or whatever.

I didn't say that.  I said that if our colocation server got compromised,
it wouldn't compromise our work machines (which are on another network.)

> I'm not saying Linux sucks security-wise,

OK.

> I'm not saying Win32 sucks security-wise.

But it does.

> It's what you do with it, how you handle it, and how much you assume.

Look, I'm sorry, there are fundamental flaws with Windows that make
it practically un-securable.  Linux has its bugs, but they are *bugs*, not
*design flaws*.  So-called "security experts" who don't admit that are
doing a disservice to everyone.

Regards,

David.



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread David F. Skoll
On Fri, 16 Jan 2004, Mary Landesman wrote:

> There are several firms offering desktop antivirus for Linux. Here are a few
> that come to mind:

Thanks.

But unless I'm mistaken, the database of virus signatures included with those
products is either entirely or overwhelmingly for Windows viruses.  These
products are designed to protect Windows systems that may be accessing files
on Linux or UNIX systems.

The McAfee blurb, for instance:

"There are now in excess of 85,000 threats and more than 275 new
threats appear each month"

That describes Windows viruses, not Linux.

The Authentium blurb, for instance:

"Provides virus scanning of embedded (OLE) documents. When documents
are scanned, if an infected document is embedded in an Excel
spreadsheet or a PowerPoint document,..."

The BitDefender blurb is rather funny:

"Available for most UNIX platforms, the product has the role to keep
you away from worms like Morris or Scalper..."

Let's see, the Morris worm spread in 1988, over 15 years ago. :-)  I don't
think anyone's even running any of the vulnerable architectures any more
(VAX and Sun-3 boxes running ancient versions of Sendmail.)

FreeBSD scalper worm was from June, 2002, over 1.5 years ago.
According to Symantec:

"So far, we have not received any customer reports of this worm."

(http://securityresponse.symantec.com/avcenter/venc/data/freebsd.scalper.worm.html)

I guess a couple of worms in 15 years is a little better than, quote,
"275 new threats... each month"

> Thus, if you are running Linux workstations and you do want antivirus
> software, there are options available.

If you want to send me $99.95 in return for nothing, I'll gladly accept
it.  It'll be about as effective as buying AV software for Linux.

Regards,

David.



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread Mary Landesman
I don't want to jump into this fray, so no flames please. However, to
prevent anyone from getting the wrong impression based on David's comment:

> Are you aware of any A/V desktop software for Linux?  I'm not.
> So even if I wanted to run A/V on our desktops, I couldn't.

There are several firms offering desktop antivirus for Linux. Here are a few
that come to mind:

Kaspersky Anti-Virus Business Optimal for Linux Workstations
http://www.kaspersky.com/buyonline.html?info=50

Command Antivirus for Linux
http://www.authentium.com/solutions/products/csavlinux.cfm

McAfee VirusScan for Unix (supports Linux)
http://www.networkassociates.com/us/products/mcafee/antivirus/desktop/vs_unix.htm

BitDefender Linux Edition
http://www.bitdefender.com/bd/site/products.php?p_id=16

Sophos Anti-Virus (Linux)
http://www.sophos.com/products/sav/

F-Prot Antivirus for Linux / BSD
http://www.f-prot.com/products/corporate_users/unix/

Thus, if you are running Linux workstations and you do want antivirus
software, there are options available.

Regards,
Mary Landesman
Antivirus About.com Guide
http://antivirus.about.com



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread jan . muenther

I couldn't help but comment on this (quickly, because these discussions tend
to turn into a point- and endless ping-pong match). 

It can actually drive me mad to see how many Linux users entirely trust in
their assumption that they're more secure by default simply because they
don't run a Windows system. Sure, the average Linux user might be more tech
savvy and familiar with the internals of his/her system than your typical
Win32 home user. 

However, there are *plenty* incredibly vulnerable Linux boxes exposed to the
Internet and I know for a fact that quite a few people simply download and
install binary packages from any given source without a second thought. Even
more ironically, a lot of people just compile and install anything with the
usual ./configure / make /make install stupor. 

ELF infectors do exist, and just because it's not quite so common, doesn't
mean it doesn't happen. Also - wild theory - I'd say that people are less
likely to notice a malware infected Linux box than a Win32 one, simply
because of blind trust. 

I also disagree on the note that a single system exposed to the Internet
doesn't form any type of threat at all. You can always beautifully serve as
a hop or become a friendly member of a botnet or whatever. 

I'm not saying Linux sucks security-wise, I'm not saying Win32 sucks
security-wise. It's what you do with it, how you handle it, and how much you
assume. 

Cheers, J.



RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread Wes Noonan
> Are you aware of any A/V desktop software for Linux?  I'm not.  So even
> if I wanted to run A/V on our desktops, I couldn't.

Network Associates makes one. VirusScan for Unix. Been out for a while now,
at least a couple of years. There are others as well. Google "virus
protection software for linux".
 
> A/V software will do exactly nothing to protect against worms that
> exploit buffer overflows in running services.

This is not quite correct. Nachia and Blaster, as well as Code Red and its
variants are all detectable and preventable with virus protection. While
they may not stop the worm on the network, they can and do stop systems from
becoming infected and propagating the worm.

Wes Noonan
[EMAIL PROTECTED]
http://www.wjnconsulting.com 




Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread Tobias Weisserth
Hi "Exibar",

On Fri, 16.01.2004, at 21:23, Exibar wrote:

> > > Linux in the wild viruses that come to mind:  Scalper, Ramen, Lion,
> > > Simile.  I'm sure there are lots more as well.
> >
> > None of those was an e-mail virus.  They were worms.  An e-mail virus
> > scanner wouldn't have done any good.

chkrootkit. You may not be running a virus scanner, but certainly you
are not stupid enough to ignore the need for chkrootkit and some file
integrity checker like AIDE or tripwire?!

> correct, but I'm not talking about ONLY catching e-mail viruses, that's
> not the only reason you install A/V software on your desktop.

It is the only reason actually. A virus scanner doesn't catch a well
written rootkit. Other tools are used to protect against this. Since
rootkits don't reproduce themselves like viruses (definition of virus!)
chkrootkit is not called a virus scanner yet it actually works the same.

> Worms are more dangerous than e-mail viruses in my eyes, especially if you're
> blocking all executables from coming in through your mail gateway.

What is the logical and semantic link between the first half of this
statement and the latter?

If a user of Linux only networks blocks or filters Windows binaries OF
ANY SORT (thus viruses, dialers, malware...), then this doesn't raise
the risk of getting infected with a worm.

ANY program that has been compiled to run on Windows platforms WILL NOT
RUN on any Linux system. There simply is no way such a virus could
INFECT a Linux system yet we saw how the latest Blaster variants
AFFECTED Linux systems running the RPC service. Blaster managed to DoS
that specific service and kill the daemon running behind that port.
Nothing more happened and nothing more can happen unless the worm
manages to inject Linux binary code that can run on the Linux box and
exploit a bug (buffer overflow...) in the service exposed.

What happens then? Rights management kicks in. Linux daemons run as
users with minimal rights. If binary code gets injected into a linux box
via such a daemon it can only execute as this user with minimal rights.
If there isn't a local exploit to gain root then the worm is trapped
inside this user and probably a chroot environment and can do no more.
End of story.

>   Without A/V
> software you're susceptible to these worms running rampant on your machine
> and network.

Only Linux binary worms under certain conditions. I don't know of any
"in the wild" right now.

The measures

a) Rights Management
b) File Integrity Checking
c) chkrootkit
d) Firewalling
e) Regular Patching

won't allow the worm to

a) run as user with root privileges or even browse the system any
further than the associated user can do
b) modify ANY part of the system without letting the administrator know
c) be undetected for long
d) even get onto the machine as long as the exposed services don't have
known exploits
e) exploit on known bugs because there are patches to fix problems

THIS is how things work in Linux/Unix.

Now, how about Windows? :-)

> Without A/V you'll also have the problem of people clicking on links and
> inadvertently downloading a backdoor or a rootkit.

That's true on a system where you use the Internet Explorer with its
flawed activeX and rotten "Zone" model.

Even if a user downloads a backdoor, rootkit or anything else, then the
above methods will stop it cold.

The user is not root. Thus the system is only exploitable if the
malicious program can exploit a local exploit.

Besides, Open Source Browsers take security seriously. It is the Internet
Explorer that is known to allow such blatant security risks. The
buzzword is activeX which simply IS MISSING in open source web clients.

>   A firewall will help,
> but not prevent this from happening.

A firewall will keep unused services behind unused ports from being
attacked. A firewall doesn't help if a service to the outside world is
exploitable.

Assuming from what you wrote I may say that it seems you are not very
familiar with security concepts on non-Windows systems as I frequently
got the impression that you think a win32 virus is able to run in a
Linux environment. Please correct me here, but I advise you to check
before you write such nonsense, because it cannot be the underlying base
of this discussion.

kind regards,
Tobias W.

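
Tobias's point above, that code injected through a daemon runs only with that daemon's service user and, ideally, inside a chroot, only holds if the daemon actually drops its privileges correctly. The following is an added example and not code from the thread: it shows the order of operations a daemon has to follow (chroot and chdir while still root, then setgroups, setgid, setuid) and the check that proves root cannot be regained. The `ops` parameter and the `RecordingOps` stand-in are assumptions made so the sequence can be traced without running as root; the `/var/empty` jail and the `nobody` account in the real-run branch are assumptions too.

```python
import os


def drop_privileges(uid, gid, chroot_dir=None, ops=os):
    """Confine the calling process to chroot_dir (if given) and to uid/gid.

    The order is the whole point:
      1. chroot() needs root, so it comes before any id change, and
         chdir("/") right after it keeps the cwd from pointing outside
         the new root (the classic chroot escape).
      2. setgroups([]) next: setgid() does not touch supplementary groups,
         so without this the process keeps root's group list.
      3. setgid() before setuid(): once the uid is unprivileged the gid
         can no longer be changed.
      4. setuid() last, then prove the drop stuck by trying to get root
         back; on a correct drop that raises PermissionError (EPERM).

    `ops` is normally the os module; making it a parameter is an assumption
    of this example so the sequence can be traced without running as root.
    """
    if chroot_dir is not None:
        ops.chroot(chroot_dir)
        ops.chdir("/")
    ops.setgroups([])
    ops.setgid(gid)
    ops.setuid(uid)
    try:
        ops.setuid(0)
    except PermissionError:
        return True
    raise RuntimeError("privilege drop failed: process could regain uid 0")


class RecordingOps:
    """Stand-in for os that records the calls (constructed for the example).

    With enforce=True it behaves like the kernel: after a successful
    setuid() to a non-root uid, setuid(0) fails with EPERM. With
    enforce=False it models a broken drop (for instance seteuid() leaving
    the real and saved uid at 0), which drop_privileges() must detect.
    """

    def __init__(self, enforce=True):
        self.calls = []
        self.uid = 0
        self.enforce = enforce

    def chroot(self, path):
        self.calls.append(("chroot", path))

    def chdir(self, path):
        self.calls.append(("chdir", path))

    def setgroups(self, groups):
        self.calls.append(("setgroups", tuple(groups)))

    def setgid(self, gid):
        self.calls.append(("setgid", gid))

    def setuid(self, uid):
        self.calls.append(("setuid", uid))
        if self.enforce and self.uid != 0 and uid != self.uid:
            raise PermissionError("EPERM")
        self.uid = uid


if __name__ == "__main__":
    # Real run: must start as root. /var/empty and the nobody user are
    # assumptions; substitute the daemon's own jail and service account.
    import pwd
    pw = pwd.getpwnam("nobody")
    drop_privileges(pw.pw_uid, pw.pw_gid, chroot_dir="/var/empty")
    print("uid", os.getuid(), "gid", os.getgid(), "cwd", os.getcwd())
```

The final `setuid(0)` probe is what distinguishes a real drop from a cosmetic one: a daemon that only called `seteuid()` keeps a saved uid of 0 and the probe succeeds, which this code treats as a fatal error rather than a warning. The chroot itself is only as strong as what is inside it; a jail that contains a set-uid binary or a writable /dev is not a jail.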


Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread David F. Skoll
On Fri, 16 Jan 2004, Exibar wrote:

> yes, Mcafee has one, I'm sure there are others as well.

Really??  I'm amazed.  Do you have a URL?  I don't know anyone who
runs A/V software on Linux unless it's to scan for Windows viruses.

> Always a smart thing to do, but it's basically the same as not allowing
> users to be local admin of their windows box.

Except that running as non-root on Linux isn't quite as constraining as
not having admin privileges on a Windows box.

> Joe users off the street
> isn't going to run the Linux install like that though, they'll want to run
> as root because it's their box and they want to be God on it.

Well, I hope Joe User won't run as root more than necessary, but
you're right; education is required.  The modern Linux distros are
pretty good about forcing you to create a non-root account and
recommending that you use it.

[...]
>In stiving for 100% you'll reach a point around 98% secure that you can
> no longer use the computer because the restrictions are too tight.

A 98%-secure Linux box is a lot less restrictive than a 98%-secure Windows
box, because Linux has fewer design flaws that need working around.

> You just
> have to accept that risk, such as you are accepting that risk when you don't
> run A/V software.

Not running A/V software on a Linux box is no risk at all.  Even the
McAfee A/V software wouldn't detect a worm in time to do any good.
You can take the following simple precautions (which I do):  Mount /tmp
noexec, and if you're really paranoid, mount /home noexec also.  That
pretty much kills any propagation vector for viruses.

Regards,

David.

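
David's message above recommends mounting /tmp (and, if you are paranoid, /home) noexec. The following added example, not David's code or anything from the list, parses a /proc/mounts table and reports the mountpoints that lack the required options, so the check can be run against the live system rather than trusting /etc/fstab. The sample mount table and the policy are constructed for the example; the fstab line in the comment shows the form such a mount takes.

```python
# Constructed /proc/mounts table for the example: /tmp is hardened,
# /home is a plain rw mount. The matching /etc/fstab line for /tmp is
#   tmpfs  /tmp  tmpfs  rw,nosuid,nodev,noexec  0 0
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda2 /home ext3 rw 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
proc /proc proc rw 0 0
"""

# Required options per mountpoint (an assumed policy). nosuid and nodev
# matter as much as noexec: a world-writable filesystem that honours
# set-uid bits or device nodes is a local privilege-escalation aid.
POLICY = {
    "/tmp": {"noexec", "nosuid", "nodev"},
    "/home": {"noexec", "nosuid"},
}


def parse_mounts(text):
    """Map mountpoint -> set of mount options from /proc/mounts-style text.

    Fields are whitespace separated (device, mountpoint, fstype, options,
    dump, pass); the kernel writes a space inside a path as \\040.
    """
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint = fields[1].replace("\\040", " ")
        table[mountpoint] = set(fields[3].split(","))
    return table


def missing_options(text, policy=POLICY):
    """Return [(mountpoint, reason)] for every policy entry not satisfied.

    A path that is not its own mount cannot carry its own options at all,
    so it is reported separately from one that is mounted without them.
    """
    table = parse_mounts(text)
    problems = []
    for mountpoint, required in policy.items():
        options = table.get(mountpoint)
        if options is None:
            problems.append((mountpoint, "not a separate mount"))
        elif required - options:
            lacking = ",".join(sorted(required - options))
            problems.append((mountpoint, "missing " + lacking))
    return problems


if __name__ == "__main__":
    # Live run: read the kernel's view, not fstab, so a filesystem that was
    # remounted exec by hand is caught.
    with open("/proc/mounts") as f:
        problems = missing_options(f.read())
    for mountpoint, reason in problems:
        print(f"{mountpoint}: {reason}")
    raise SystemExit(1 if problems else 0)
```

Caveat on what noexec buys: it makes execve() fail for files on that filesystem, which is what stops a worm's dropped binary from being started directly. It does not stop `sh /tmp/x` or `perl /tmp/x`, because the interpreter lives elsewhere, and some package tools unpack and run scripts in /tmp, so test the mount options before making them permanent.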


Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread Tobias Weisserth
Hi "Exibar" (no realname?!),

On Fri, 16.01.2004, at 20:57, Exibar wrote:
...
> Ahhh, now there we go.  That might just be the case.  Off the top of my head
> I can't think of a Linux specific e-mail spreading virus.  Unless you count
> "phishing" type e-mails that are completely OS independant and basically
> want the user to head out to a web site and enter all their personal info
> (ss#, CC#'s etc).

I fail to see how "phishing" (not fishing?) type emails relate to
viruses. Those are two totally different types of attack methods. A
virus aims for the weakness in a technical system. Sometimes, it may be
needing a little social engineering though.
Asking somebody to cut his own throat and smile while doing so is
genuine social engineering and has nothing to do with the need for a
virus scanner or technical defensive measures.

While you are right that there is the principal threat of "viruses" to
Linux too, a virus scanner is not the way to protect against such
attacks using Linux.

Minimum usage (only deploy services you use)
File Integrity Checking
Rootkit Detectors (this comes closest to virus scanning)
Firewalling
Rigid Management Of User Rights
Encryption

These are the concepts for protecting a Linux machine.

Most of them are missing in Windows. Just adding a personal firewall
won't improve matters if the rest of these principles is absent.

cheers,
Tobias W.



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day,help the cause

2004-01-16 Thread Exibar

>
> I fail to see how "phishing" (not fishing?) type emails relate to
> viruses. Those are two totally different types of attack methods. A
> virus aims for the weakness in a technical system. Sometimes, it may be
> needing a little social engineering though.
> Asking somebody to cut his own throat and smile while doing so is
> genuine social engineering and has nothing to do with the need for a
> virus scanner or technical defencive measures.
>
I agree, it looked like I was melding the two together into "threats" and
not keeping Viruses/worms separate.  Phishing's a new term that's cropped up
for these types of e-mails.

> While you are right that there is the principal threat of "viruses" to
> Linux too, a virus scanner is not the way to protect against such
> attacks using Linux.
>
> Minimum usage (only deploy services you use)
   ---can be done on a windows box
> File Integrity Checking
   Would have to run Tripwire or similar.
> Rootkit Detectors (this comes closest to virus scanning)
A/V scanner will do the job
> Firewalling
Windows XP's built-in ICF, or ZoneLabs, etc.
> Rigid Management Of User Rights
windows can get pretty granular with user rights and permissions.
> Encryption
Windows has built in file Encryption.

> These are the concepts for protecting a Linux machine.
>
> Most of them are missing in Windows. Just adding a personal firewall
> won't improve matters if the rest of these principles is absent.
>
Not really missing from Windows, just a bit more cumbersome to do.  I agree
that just adding a firewall is not the sole answer, neither is just adding
A/V software.

 Exibar



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread Tobias Weisserth
Hi David,

On Fri, 16.01.2004, at 19:58, David F. Skoll wrote:
...
> There are no self-propagating Linux e-mail viruses.  The only Linux
> e-mail viruses are proof-of-concept programs that have never actually
> infected machines other than lab machines designed to test the
> proof-of-concept.

Sorry, David. But Ramen did score quite well when it was active and
there were many infected Unix/Linux machines with Ramen.

Though I have to agree with you that there probably aren't any viruses
in the wild at the moment that could infect and compromise a patched
Linux system if it's properly setup.

It's different with Linux machines running lousy software such as
PHPNuke or PostNuke or something like that, which frequently is subject
to PHP/SQL injection exploits. When the system features an unpatched or
even uncharted local exploit such as the do_brk() bug which has been in
the kernel since the 2.2 series(! That's a damn long time !!) in
addition to such lousy software then the first system compromise with
some rootkit is unavoidable.

But of course I am comparing squares to circles here since no sane MS
Windows end user would run a webserver on his home machine.

When running Linux you seriously should consider running chkrootkit from
a safe location (like a CD) and use file integrity checking of some
sort. Anything else is just asking for trouble the hard way. I only have
to remind you of the Debian hack. Had Debian not used AIDE to detect the
modifications in their systems, we'd never have known about that do_brk()
vulnerability until major damage occurred.

kind regards,
Tobias W.

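
Both of Tobias's messages above recommend file integrity checking (AIDE, tripwire) next to chkrootkit, and the Debian incident he cites is the case where it paid off. The following is an added example, not code from the thread or from AIDE: it shows the minimum such a checker does, namely take a baseline of mode, owner, size and SHA-256 per file (link target for symlinks), store it, and later diff it against the live tree to report added, removed and changed paths. The tree built by `demo_tampering()` is constructed in a temporary directory for the example.

```python
import hashlib
import json
import os
import stat
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Record mode/owner for every path under root, plus size and SHA-256
    for regular files and the target for symlinks. lstat() is used so a
    symlink is recorded as a link rather than followed; os.walk does not
    descend into symlinked directories either."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            rec = {"mode": oct(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
            if stat.S_ISREG(st.st_mode):
                rec["size"] = st.st_size
                rec["sha256"] = _sha256(full)
            elif stat.S_ISLNK(st.st_mode):
                rec["target"] = os.readlink(full)
            snap[os.path.relpath(full, root)] = rec
    return snap


def save_baseline(snap, path):
    """Write the baseline; keep it on read-only media or another host."""
    with open(path, "w") as f:
        json.dump(snap, f, sort_keys=True, indent=1)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return (added, removed, changed); `changed` is a list of
    (path, [attribute names that differ]) so the report says why."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = []
    for path in sorted(set(baseline) & set(current)):
        keys = set(baseline[path]) | set(current[path])
        diff = sorted(k for k in keys
                      if baseline[path].get(k) != current[path].get(k))
        if diff:
            changed.append((path, diff))
    return added, removed, changed


def demo_tampering():
    """Constructed scenario: baseline a small tree, then trojan a binary and
    make it set-uid, delete a file and drop a new one. Returns compare()."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    os.mkdir(os.path.join(root, "bin"))
    ls = os.path.join(root, "bin", "ls")
    with open(ls, "w") as f:
        f.write("#!/bin/sh\nexec /bin/ls \"$@\"\n")
    with open(os.path.join(root, "motd"), "w") as f:
        f.write("welcome\n")
    os.symlink("bin/ls", os.path.join(root, "dir"))
    baseline = snapshot(root)

    with open(ls, "w") as f:                      # trojaned ls
        f.write("#!/bin/sh\nexec /tmp/.x/ls \"$@\"\n")
    os.chmod(ls, 0o4755)                          # and now set-uid
    os.remove(os.path.join(root, "motd"))
    with open(os.path.join(root, "bin", "login.bak"), "w") as f:
        f.write("backdoor")
    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    added, removed, changed = demo_tampering()
    for p in added:
        print("added  ", p)
    for p in removed:
        print("removed", p)
    for p, why in changed:
        print("changed", p, ",".join(why))
```

Two things the Debian example turns on: the baseline and the checker itself must live somewhere the intruder cannot write, and a kernel-level rootkit can lie to lstat() and read(), which is why Tobias says to run the check from a CD. Production tools also record ctime, inode and link count and hash with more than one algorithm; this version keeps to the attributes a replaced binary cannot leave unchanged.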


Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread Exibar
>
> >   correct, but I'm not talking about ONLY catching e-mail viruses, that's
> > not the only reason you install A/V software on your desktop.
>
> Are you aware of any A/V desktop software for Linux?  I'm not.  So even
> if I wanted to run A/V on our desktops, I couldn't.

yes, Mcafee has one, I'm sure there are others as well.


>
> >Without A/V you'll also have the problem of people clicking on links and
> > inadvertently downloading a backdoor or a rootkit.
>
> I don't let my employees run as root, so the danger is quite small, as long
> as we keep our boxes up-to-date.
>
Always a smart thing to do, but it's basically the same as not allowing
users to be local admin of their windows box.  Joe User off the street
isn't going to run the Linux install like that though, they'll want to run
as root because it's their box and they want to be God on it.

  If you always perform due diligence, apply all patches as soon as they are
available, run behind a firewall, educate your users, run "non-mainstream"
OS and apps, you'll limit your exposure to worms and viruses.  But you're
never 100% protected, even with A/V software loaded you run some risk,
although very minimal.
   In striving for 100% you'll reach a point around 98% secure that you can
no longer use the computer because the restrictions are too tight.  You just
have to accept that risk, such as you are accepting that risk when you don't
run A/V software.  If that risk is acceptable to you, then there you have
it.

 Exibar



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread David F. Skoll
On Fri, 16 Jan 2004, Exibar wrote:

>   correct, but I'm not talking about ONLY catching e-mail viruses, that's
> not the only reason you install A/V software on your desktop.

Are you aware of any A/V desktop software for Linux?  I'm not.  So even
if I wanted to run A/V on our desktops, I couldn't.

> Worms are more dangerous than e-mail viruses in my eyes, especially
> if you're blocking all executables from coming in through your mail
> gateway.  Without A/V software you're susceptible to these worms
> running rampant on your machine and network.

A/V software will do exactly nothing to protect against worms that
exploit buffer overflows in running services.

We run our Web site, mail server, etc. on a colocated server that's
completely isolated (in fact, connected to a different ISP) from our
internal LAN, and our internal machines do not run any services
accessible to others.  If our colocated server is compromised, it will
be very upsetting, but not fatal.

>Without A/V you'll also have the problem of people clicking on links and
> inadvertently downloading a backdoor or a rootkit.

I don't let my employees run as root, so the danger is quite small, as long
as we keep our boxes up-to-date.

Regards,

David.



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread Exibar

> On Fri, 16 Jan 2004, Exibar wrote:
>
> > But why did you feel that there aren't any Linux viruses?
>
> All right. :-)  Let me reword it!
>
> There are no self-propagating Linux e-mail viruses.  The only Linux
> e-mail viruses are proof-of-concept programs that have never actually
> infected machines other than lab machines designed to test the
> proof-of-concept.
>

Ahhh, now there we go.  That might just be the case.  Off the top of my head
I can't think of a Linux specific e-mail spreading virus.  Unless you count
"phishing" type e-mails that are completely OS independent and basically
want the user to head out to a web site and enter all their personal info
(ss#, CC#'s etc).

  Exibar



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread Tobias Weisserth
Hi Valdis,

On Fri, 16.01.2004, [EMAIL PROTECTED] wrote at 21:20:
...
> 1) Staying up to date on patches
> 2) iptables
> 3) Hardening the system as per Center for Internet Security and/or other 
> recommendations
> 4) tripwire (yes, I know this one is after-the-fact)
> 5) SElinux and/or similar systems.

Exactly what I wrote just a minute ago :-)

cheers,
Tobias



RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread Wes Noonan
> On Fri, 16.01.2004, Wes Noonan wrote at 18:32:
> > Did you really just propose that a viable solution is to remove network
> > access?
> 
> For some systems: plain and simple yes. If the supplier of a software
> fails to deliver it in a "secure by default" state and even cuts the
> supply of patches (Windows NT4/95/98) these systems should go offline
> immediately. There is no compromise.

In a world that only security mattered, maybe. In the real world however
there is always compromise. Too many folks in the computer security business
seem to overlook this point, or confuse compromise with concession. They
hear compromise and think concession, which isn't the same.
 
> This "Personal Firewall Day", aimed at the end consumer, may actually
> plant the idea in people's head that their unpatched and non-supported
> Windows 98 might be safe for the future as soon as they install a
> personal firewall. Well, this is just plain BS.

I haven't seen anyone saying that personal firewalls are the end solution.
As Ron (and others) pointed out and to paraphrase that bastion of good
security Shrek, security is like onions, there are lots of layers. Personal
firewalls are just another component in addition to those other layers, and
personal firewalls do mitigate potential exploits that haven't been patched.
In fact, that last point is a major reason for running any firewall.

> This is how people with exactly those "popular" systems perceive the
> message that they should switch to a more _secure_ system.

Yes, because in many cases the message is not what the user is wanting from
their software. Don't blame the users in that case; blame the people who
continue to fail to grasp the needs of the users. Users don't want to switch
to an operating system that is less functional (by perception or by fact)
solely for security. As you said, security is a trade off.

> This is not the same. Novell has been a proprietary system and Windows NT
> has been a proprietary system. They both suffered from the closed
> development and security assessment process. This is how Linux and other
> open OS differ.

Perhaps the biggest disservice being done to security and to Linux in
general is the mistaken belief that somehow being an open development system
insulates the product from the same kinds of mistakes that happens to every
other piece of software out there. Take DNS for example. How many exploits
exist and continue to be discovered for it? Belief that merely by being open
source there is some kind of protection from exploits is a myth. Sure, you
might find more bugs before you hit the street, but it is hardly a panacea. 

> Linux isn't safer than Windows because it is less popular. It is safer
> because it doesn't have all doors open by default and vendors can define
> the level of security they want for their distribution. 

Actually, these two points go hand in hand. Linux can afford to restrict or
not open doors because it doesn't have the broad customer bases that Windows
does that have to be catered to. Does this mean that Microsoft doesn't need
to do anything? No, of course not, but it merely illustrates the difficulty.
If Linux had to cater to the same needs it would, and frankly it is, find
that it isn't always a simple undertaking.

> Linux is far from being perfect. Being near perfect I'd raise my vote
> for OpenBSD yet something even slips past them. But MS Windows is just
> the plain opposite of OpenBSD yet Microsoft has the potential to do
> better!

I agree that Microsoft has the potential to do better. Again though, near
perfect is in the eye of the beholder. If OpenBSD was so perfect, it would
be more than just a specialized OS, but it isn't. Again, we come back to the
security compromise bit. Being totally secure, but non-functional in the
user's eyes is not perfection.
 
> The sin is that Microsoft's solution to this problem isn't closing
> unnecessary services BY DEFAULT but promoting additional third party
> software to put in between Windows and the Internet which the end user
> has to pay, deploy and operate. This is pathetic.

Again, you fail to grasp the difficulties in maintaining a broad customer
base. MS RPC isn't unnecessary in many, many cases. You want proof? Go block
port 135 on all of your internal network routers and let me know the result.
Furthermore, just because someone is promoting a 3rd party solution is
hardly pathetic. If you don't want to pay for something you can always turn
the services off or implement the port filtering/firewalling functions that
have existed in every NT flavor since NT 4.0, and maybe even 3.51 though I
am too lazy to verify that one.
 
> > This security through obscurity mantra is laughable.
> 
> Changing topics... not so fast! What happened to the old one ;-)

Actually, I see them both as the same. The constant pushing of the false
belief that by merely changing the operating system to something other than
Microsoft (obscurity) instantly buys you protection (sec

Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread Valdis . Kletnieks
On Fri, 16 Jan 2004 13:31:36 EST, Exibar said:

>  Will any of these do?  Will you still think you don't need AV on Linux now?
> 
> here's a partial list. don't choke too hard now!
> 
> Linux.Bliss.a Worm.Linux.Hijack Backdoor.Linux.Kbd



OK.. Sure.  They exist. Now, think about the following questions, while chanting
Schneier's "Security is a process":

1) How many of these achieved wide enough distribution so that you have a
*serious* worry of actually seeing one?  'Lion' had a good run, and had a
creditable threat to infect all vulnerable machines.  Most of these don't
qualify as a serious threat (although to be fair, the vast majority of the
100,000+ Windows viruses don't qualify either).

2) Are there enough samples to actually make sane templates for?  Or are you
looking at the same old "fight the next war with the last war's tactics" again?

3) Is an AV *really* the right solution, or is your time better spent deploying
a *real* security solution? For instance, "only blessed developer toolkit
programs such as /bin/ld are allowed to write to executable binaries" goes a
long way to closing the door to viruses that scribble into binaries.
Sandboxing it further with "and programs that talk to the net can't invoke the
toolchain as well" does even more.  If you disagree with that model, feel free
to brainstorm your own policy that doesn't care if the attacker is a virus or
some other attack vector (possibly even an actual live black hat)...

So let's see - I can "secure" myself against viruses by running AV software, or
I can *really* secure myself against viruses *AND* most other known attacks as
well by doing things like:

1) Staying up to date on patches
2) iptables
3) Hardening the system as per Center for Internet Security and/or other 
recommendations
4) tripwire (yes, I know this one is after-the-fact)
5) SElinux and/or similar systems.

Which of the above have worse stats for price/performance and TCO (on a
*continuing* basis) than your proposed AV solution?

And what's the incremental price/performance for your AV solution after
deploying each of the above (singly or in combination)?

In other words, is an AV solution for Linux *really* worth it, or are there
half a dozen things that provide more bang-for-buck, and once you deploy those
half-dozen, you're not doing very much additional good with an AV solution?




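A minimal file-integrity check of the kind Tobias recommends above (AIDE, chkrootkit run from safe media) and that Valdis lists as item 4 (tripwire), added here as an example and not code from either post: it records a baseline of hashes and metadata for a directory tree and later reports files that were modified, added or removed. Assumptions: POSIX sh with GNU coreutils (sha256sum, stat -c) and awk; paths contain no tabs or newlines; the sample tree is constructed inline.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal AIDE/tripwire-style
# file-integrity check.  Assumes GNU coreutils (sha256sum, stat -c), awk,
# and paths without tabs or newlines.  Run the verifier from trusted media
# with the baseline stored off the monitored host: a kernel rootkit can lie
# to userland tools, and a baseline kept on the same disk can be rewritten.

# fim_baseline DIR DB: one tab-separated record per regular file under DIR:
#   sha256 <TAB> "size mode uid:gid" <TAB> path
fim_baseline() {
    bdir=$1
    bdb=$2
    find "$bdir" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        meta=$(stat -c '%s %a %u:%g' "$f")   # size, octal mode, owner:group
        printf '%s\t%s\t%s\n' "$sum" "$meta" "$f"
    done > "$bdb"
}

# fim_verify DIR DB: snapshot DIR again and compare it against DB.
# Prints MODIFIED / ADDED / REMOVED lines; returns 1 if anything changed.
fim_verify() {
    vdir=$1
    vdb=$2
    snap=$(mktemp)
    fim_baseline "$vdir" "$snap"
    # The awk program reads the baseline first (ARGV[1]), then the snapshot.
    # A changed hash, size, mode or owner all count as MODIFIED.
    if awk -F '\t' '
        FILENAME == ARGV[1] { base[$3] = $1 " " $2; next }
                            { cur[$3]  = $1 " " $2 }
        END {
            bad = 0
            for (p in base) if (!(p in cur)) { print "REMOVED " p; bad = 1 }
            for (p in cur) {
                if (!(p in base))           { print "ADDED " p;    bad = 1 }
                else if (cur[p] != base[p]) { print "MODIFIED " p; bad = 1 }
            }
            exit bad
        }' "$vdb" "$snap"; then
        vrc=0
    else
        vrc=$?
    fi
    rm -f "$snap"
    return $vrc
}

# fim_demo: constructed sample tree (not a real system).  Baseline it, then
# apply the kind of change a rootkit install leaves behind: a replaced
# binary and an extra hidden file.  Returns 1 because changes are detected.
fim_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin"
    printf 'original ls\n' > "$root/bin/ls"
    printf 'original ps\n' > "$root/bin/ps"
    chmod 755 "$root/bin/ls" "$root/bin/ps"
    fim_baseline "$root/bin" "$root/baseline.db"   # copy this to read-only media
    printf 'trojaned ls\n' > "$root/bin/ls"
    printf 'backdoor\n' > "$root/bin/.hidden"
    if fim_verify "$root/bin" "$root/baseline.db"; then
        drc=0
    else
        drc=$?
    fi
    rm -rf "$root"
    return $drc
}

# "sh fim.sh demo" prints MODIFIED .../bin/ls and ADDED .../bin/.hidden, exits 1
case "${1:-}" in demo) fim_demo ;; esac
```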

Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread Exibar


>
> > Linux in the wild viruses that come to mind:  Scalper, Ramen, Lion,
> > Simile.  I'm sure there are lots more as well.
>
> None of those was an e-mail virus.  They were worms.  An e-mail virus
> scanner wouldn't have done any good.

  correct, but I'm not talking about ONLY catching e-mail viruses, that's
not the only reason you install A/V software on your desktop.  Worms are
more dangerous than e-mail viruses in my eyes, especially if you're blocking
all executables from coming in through your mail gateway.  Without A/V
software you're susceptible to these worms running rampant on your machine
and network.
   Without A/V you'll also have the problem of people clicking on links and
inadvertently downloading a backdoor or a rootkit.  A firewall will help,
but not prevent this from happening.

 Exibar



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread David F. Skoll
On Fri, 16 Jan 2004, Exibar wrote:

> Linux in the wild viruses that come to mind:  Scalper, Ramen, Lion,
> Simile.  I'm sure there are lots more as well.

None of those was an e-mail virus.  They were worms.  An e-mail virus
scanner wouldn't have done any good.

--
David.



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread David F. Skoll
On Fri, 16 Jan 2004, Exibar wrote:

>  Will any of these do?  Will you still think you don't need AV on Linux now?
> here's a partial list. don't choke too hard now!

Those are all proof-of-concept.  I'm unaware of a single production
Linux machine anywhere in the world succumbing to one of them.  Perhaps
you can provide evidence to the contrary?

Furthermore, most of them are not self-propagating, but require active
cooperation from the recipient.

I do not need nor use AV on Linux.

Regards,

David.



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread Exibar
sheesh,

Linux in the wild viruses that come to mind:  Scalper, Ramen, Lion,
Simile.  I'm sure there are lots more as well.

  Linux is NOT immune to viruses or worms, plain and simple.

  Just because the number of Linux viruses/worms are much smaller than W32
viruses/worms doesn't mean that they don't exist.  The number of Linux
installs are much smaller than W32 installs as well.  If I was a Vx'r would
I write a Linux virus that would max out at 500,000 computers to infect, or
would I write a W32 virus that would max out at 50,000,000 + computers to
infect worldwide.  W32 has, what, 92% of the computer desktops someone
mentioned?  That's a heck of a lot of bang for the Vx'r buck!

 Exibar


- Original Message - 
From: "David F. Skoll" <[EMAIL PROTECTED]>
To: "Exibar" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, January 16, 2004 1:57 PM
Subject: Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help
the cause


> On Fri, 16 Jan 2004, Exibar wrote:
>
> >  Will any of these do?  Will you still think you don't need AV on Linux now?
> > here's a partial list. don't choke too hard now!
>
> Those are all proof-of-concept.  I'm unaware of a single production
> Linux machine anywhere in the world succumbing to one of them.  Perhaps
> you can provide evidence to the contrary?
>
> Furthermore, most of them are not self-propagating, but require active
> cooperation from the recipient.
>
> I do not need nor use AV on Linux.
>
> Regards,
>
> David.
>
>



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread Exibar
I'm very glad to see that it appears the majority on this list agree.

 Ex

- Original Message - 
From: "Bill Royds" <[EMAIL PROTECTED]>
To: "'cdowns'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, January 15, 2004 5:33 PM
Subject: RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help
the cause


> National Smokeout Day has been very successful in getting people to quit
> smoking for those wanting to quit smoking. It is not perfect because smoking
> is an addiction and only stupid people smoke anyway these days so it is hard
> to persuade them to stop.
>
> Personal Firewall Day is only one of many possible approaches to improving
> security on home machines. Too many people on this list have binary minds.
> Either it works perfectly or it doesn't work at all. This may be OK for
> logic circuits,but it is not valid for humans and computer users are human
> not mechanical.
>Microsoft sells lots of software for two main reasons:
> 1/ It is installed on machines when delivered (which is why they were
> convicted of being a monopoly in desktops).
> 2/ Because most desktops run Windows, most software aimed at desktops runs
> only on Windows.
>
>   So you are not going to get MS off the desktop. How else are you going to
> protect the Internet and other computers from these users. A personal
> firewall is much better than closing your eyes and saying "run Linux, run
> Linux". A separate firewall between the modem and the box is probably better
> and they don't cost that much (about $50-$100) and they can act as a switch
> for a home network as well.
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of cdowns
> Sent: January 15, 2004 11:57 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the
> cause
>
> Out of curiosity, you can't get people to stop smoking with the
> "National Smokeout Day" what makes anyone think that this would do
> anything ?
>
> Most people consider their computer the equivalent of a hammer ( a tool
> ), in the toolbox at 4:00 pm sharp until they start their next workday.
>
> maybe im wrong, I wish the best on this.
>
> ~!>D
>
> [EMAIL PROTECTED] wrote:
>
> >I just wanted to remind everybody that tomorrow is Personal Firewall Day.
> >
> >http://www.personalfirewallday.org/
> >
> >The Personal Firewall Day is a campaign designed to raise awareness about
> the dangers we face without a personal firewall. Security experts such as
> yourself are encouraged to use the occasion of Personal Firewall Day to
> share your expertise and advice with your lesser technologically skilled
> friends and family, and help get them secured by installing a personal
> firewall - this could be as simple as helping them turn on the XP firewall.
> Direct them to the website where they can learn more about personal
> firewalls and other layers of protection.
> >
> >Compromised end-user machines affect us all and the Internet as a whole
> when they are used as zombies for DDoS networks or proxies by criminal
> spammers, and your personal effort can help remedy this.
> >
> >PFD is a direct result of the discussions that originated from the
> NTBugtraq Retreat '03, and would not have been possible without the
> dedication and hard work put into the project by Paul Robertson, director of
> risk assessment with TruSecure and the original proponent of the idea.
> >
> >
> >
> >Regards
> >Thor Larholm
> >Senior Security Researcher
> >PivX Solutions
> >24 Corporate Plaza #180
> >Newport Beach, CA 92660
> >http://www.pivx.com
> >[EMAIL PROTECTED]
> >949-231-8496
> >PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
> Qwik-Fix
> ><http://www.qwik-fix.net>
> >
> >
> >
>
>



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread Exibar
>
> I don't care what you buy or don't buy, but it's the truth.  We don't
> run Windows, so we aren't susceptible to the viruses in the wild.

Because you don't run windows doesn't mean that you're 100% protected from
all the viruses in the wild.  Please see the partial list of Linux viruses I
sent on earlier.

>
> > > We have since 1999, and haven't had any problem.  If you don't use
> > > Windows, you don't need anti-virus software.
>
> >  Ignorance is bliss they say...  If you honestly and truly believe
> > what you say, more power to you.  I honestly hope that nothing bad
> > happens to your systems due to a virus outbreak that A/V software
> > would have taken care of
>
> There is no A/V virus designed to protect Linux systems.  There is
> A/V software that runs on Linux, but it's designed to catch Windows
> viruses.
>
> I've been in the computer security business for a while now; I think
> I know what I'm doing.

  I'm happy for you that you feel that way.
But why did you feel that there aren't any Linux viruses?
  I've been in the computer security field longer than I care to admit, and I'm
still learning something new every day.  No matter how long you've been in the field,
the more you know, the more you realize that there is much more to learn.

Exibar



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread David F. Skoll
On Fri, 16 Jan 2004, Exibar wrote:

> But why did you feel that there aren't any Linux viruses?

All right. :-)  Let me reword it!

There are no self-propagating Linux e-mail viruses.  The only Linux
e-mail viruses are proof-of-concept programs that have never actually
infected machines other than lab machines designed to test the
proof-of-concept.

Regards,

David.



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread Exibar

- Original Message - 
From: "David F. Skoll" <[EMAIL PROTECTED]>
To: "Exibar" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, January 15, 2004 3:37 PM
Subject: Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help
the cause


> On Thu, 15 Jan 2004, Exibar wrote:
>
> >  But not 100% safe though...  there are Linux viruses,
>
> Such as ... ?
>


 Will any of these do?  Will you still think you don't need AV on Linux now?

here's a partial list. don't choke too hard now!



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread Valdis . Kletnieks
On Thu, 15 Jan 2004 17:04:02 EST, Chris Harrington <[EMAIL PROTECTED]>  said:

> it properly. If you are referring to Dan Geer, you'd better do a little
> research as to why he was fired. It was not for pointing out MS flaws.

So it was totally coincidental that he got fired by press release the day after
the report came out, and THIS posting from this list had nothing to do with it
(Yahoo link expired, sorry).  I'm sorry, but when a company lets you know that
you've been canned by sending out a press release, and the company statement
says that the report wasn't the company viewpoint, it's not a very large jump
at all to conclude that the company is just a teensy weensy bit pissed at you.
Now granted, it may have been the proverbial "last straw", but you're going to
have a *very* hard time convincing people that the report didn't have ANYTHING
to do with it...

Date: Fri, 26 Sep 2003 10:02:49 -0400
From: Tetsujin28GO <[EMAIL PROTECTED]>
Subject: [Full-Disclosure] Talk about biting the hand that feeds you
To: [EMAIL PROTECTED]
Message-id: <[EMAIL PROTECTED]>

Massachusetts-based AtStakeInc., a computer security firm, said yesterday
that chief technology officer Daniel R. Geer Jr. is "no longer associated"
with the firm. A company statement added that Geer's participation in
preparation of the report was not sanctioned by the firm, and that "the
values and opinions of the report are not in line with [AtStake's] views." 

http://story.news.yahoo.com/news?tmpl=story&ncid=1209&e=1&u=/washpost/20030926/tc_washpost/a2328_2003sep25&sid=96168965






RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread James Patterson Wicks
True.  That why further down in the post I talk about using the Mozilla browser, 
anti-virus, IDS and spyware apps.  Nothing is 100%, but getting into the 90% range 
helps me sleep better at night.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Nicob
Sent: Friday, January 16, 2004 7:03 AM
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day,
help the cause


On Fri, 2004-01-16 at 05:44, James Patterson Wicks wrote:

> Your NAT router works at Layer 3.  You still need a personal firewall or
> proxy system that looks at as many layers as possible.  You need
> something like Sygate Personal Firewall that alerts you when an
> application or process that you have not approved tries to go OUT to the
> Internet from your PC.

Even with a personal firewall, a trojan could go out to the Internet
without your knowledge, using different tactics :

- exploiting a bug (in filtering) of the personal firewall used (like
not monitoring UDP 53 outbound)
- exploiting a bug (like a buffer overflow) of the personal firewall
used and using these new privs to modify the setup and allowing itself
- bypassing the personal firewall by using authorized applications (like
Internet Explorer via the OLE controls)
- bypassing the personal firewall by injecting your own code in
authorized applications (à la CreateRemoteThread)
- bypassing the personal firewall by injecting your network data under
the hook in the TCP/IP stack
- ...


-- 
Nicob <[EMAIL PROTECTED]>







RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread Nicob
On Fri, 2004-01-16 at 05:44, James Patterson Wicks wrote:

> Your NAT router works at Layer 3.  You still need a personal firewall or
> proxy system that looks at as many layers as possible.  You need
> something like Sygate Personal Firewall that alerts you when an
> application or process that you have not approved tries to go OUT to the
> Internet from your PC.

Even with a personal firewall, a trojan could go out to the Internet
without your knowledge, using different tactics :

- exploiting a bug (in filtering) of the personal firewall used (like
not monitoring UDP 53 outbound)
- exploiting a bug (like a buffer overflow) of the personal firewall
used and using these new privs to modify the setup and allowing itself
- bypassing the personal firewall by using authorized applications (like
Internet Explorer via the OLE controls)
- bypassing the personal firewall by injecting your own code in
authorized applications (à la CreateRemoteThread)
- bypassing the personal firewall by injecting your network data under
the hook in the TCP/IP stack
- ...


-- 
Nicob <[EMAIL PROTECTED]>

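A small model of the two control points argued over in this exchange: the NAT router that passes inbound packets only as replies to outbound flows, and the per-program egress policy a personal firewall adds on the host, with the blanket UDP 53 allow Nicob lists as its loose variant. This is an added illustration, not code from any message in the thread; hosts, ports and program names are constructed.

```python
"""Model of the two control points argued over in this thread: a stateful
NAT router (inbound passes only as a reply to an outbound flow) and a
per-application egress policy on the host, with the "blanket UDP 53" hole
Nicob lists as the loose variant. Added illustration, not code from any
message in the thread; hosts, ports and program names are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

FlowKey = Tuple[str, str, int, str, int]  # proto, src, sport, dst, dport


@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    outbound: bool     # True: LAN host -> Internet, False: Internet -> LAN host
    process: str = ""  # sending program; visible only on the host itself


class NatRouter:
    """Stateful NAT: forwards every outbound packet and records its flow;
    forwards an inbound packet only if it is the reverse of a recorded flow."""

    def __init__(self) -> None:
        self.flows: Set[FlowKey] = set()

    def forward(self, pkt: Packet) -> bool:
        if pkt.outbound:
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True  # no discretion on the way out
        reverse: FlowKey = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reverse in self.flows


class HostEgressPolicy:
    """Per-program outbound policy of the kind a personal firewall enforces.
    `approved` maps a program name to the (proto, port) pairs it may use;
    `blanket` lists (proto, port) pairs allowed no matter which program sends."""

    def __init__(self, approved: Dict[str, Set[Tuple[str, int]]],
                 blanket: Set[Tuple[str, int]] = frozenset()) -> None:
        self.approved = approved
        self.blanket = set(blanket)

    def permit(self, pkt: Packet) -> bool:
        key = (pkt.proto, pkt.dport)
        if key in self.blanket:
            return True  # the rule never looks at which program is sending
        return key in self.approved.get(pkt.process, set())


def verdict(pkt: Packet, router: NatRouter,
            policy: Optional[HostEgressPolicy]) -> str:
    """Name the layer that stops the packet, or "pass" if none does."""
    if pkt.outbound:
        if policy is not None and not policy.permit(pkt):
            return "blocked by host policy"
        router.forward(pkt)
        return "pass"
    return "pass" if router.forward(pkt) else "dropped by NAT"


# Constructed addresses (documentation ranges) and a constructed program list.
LAN, WEB, DNS, SCANNER = "192.168.1.10", "203.0.113.5", "203.0.113.53", "198.51.100.7"
APPROVED = {"browser": {("tcp", 80), ("tcp", 443)}}


def run_scenarios() -> Dict[str, Tuple[str, str, str]]:
    """Replay constructed traffic through three setups: NAT router alone,
    NAT plus a policy with a blanket UDP 53 rule, and NAT plus a strict policy.
    Each setup gets its own router so connection state does not leak across."""
    setups = [
        (NatRouter(), None),
        (NatRouter(), HostEgressPolicy(APPROVED, blanket={("udp", 53)})),
        (NatRouter(), HostEgressPolicy(APPROVED)),
    ]
    traffic: List[Tuple[str, Packet]] = [  # the web reply must follow the request
        ("rpc worm probe", Packet("tcp", SCANNER, 40000, LAN, 135, False)),
        ("browser to web", Packet("tcp", LAN, 50001, WEB, 80, True, "browser")),
        ("web reply", Packet("tcp", WEB, 80, LAN, 50001, False)),
        ("unapproved to web", Packet("tcp", LAN, 50002, WEB, 80, True, "unapproved")),
        ("unapproved to dns", Packet("udp", LAN, 50003, DNS, 53, True, "unapproved")),
    ]
    results: Dict[str, Tuple[str, str, str]] = {}
    for name, pkt in traffic:
        nat_only, loose, strict = (verdict(pkt, r, p) for r, p in setups)
        results[name] = (nat_only, loose, strict)
    return results


if __name__ == "__main__":
    for name, (nat_only, loose, strict) in run_scenarios().items():
        print(f"{name:18} nat-only={nat_only:22} loose={loose:22} strict={strict}")
```

The unsolicited probe dies at the router in every setup, while the unapproved program's outbound traffic is stopped only by the host policy, and only when no blanket rule covers its destination port.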


RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-15 Thread James Patterson Wicks
> Richard said "Linksys and Netgear.  They only let thru packets from
> the outside world which are in response to packets originating from
> inside the LAN.  That's how NAT routers work."


I understand how these NAT routers work.  The problem is that these
routers also let OUT all packets originating from the PC or network
WITHOUT discretion.  So, if you are using Internet Explorer and
happen upon a page with malicious code that the router is not equipped
to look at, you can catch all sorts of little nasties (that problem in
IE has not been patched for two months).  If that malicious site happens
to drop in a little Trojan, your whole network can be compromised.  Your
NAT router works at Layer 3.  You still need a personal firewall or
proxy system that looks at as many layers as possible.  You need
something like Sygate Personal Firewall that alerts you when an
application or process that you have not approved tries to go OUT to the
Internet from your PC.  

The newer NAT routers work in conjunction with software firewalls like
Zone Alarm, but they are still not as effective as having a software
firewall running on your system.  Software firewalls receive frequent
updates that help defeat new threats that appear almost weekly.  Router
firmware updates come every quarter or so.

At home I had a Linksys router, locked it down pretty good with
additional custom rules (so I thought).  I was surprised to see the type
of messages that popped up when I installed a software firewall.  I
finally broke down and bought a Cisco 501 hardware firewall.  

So this is what I have at home:  The Linksys is still on the network,
but it does not perform NAT.  It mainly acts as a perimeter router
trying to keep the spoofers at bay.  Static NAT is now performed by the
Cisco 501 firewall, on which I placed a very restrictive set of access
lists and some nice IDS rules.  Norton Internet Security 2003 runs on
all the PC's.  Mozilla is the browser on the three PC's and Linux
system.  All Microsoft critical updates are installed on the PC's.  The
PC's also have Ad-Aware 6.0 installed from Download.com.  For a home
network, this is as about as secure as I plan on taking it.

Linksys Router - $80 
Cisco Pix 501 firewall  - $400 
Norton Internet Security 2003 for three PC's - $180 
 (Linux system does not have commercial firewall installed)
Ad-Aware 6 - $0
Mozilla browser - $0
Total implementation time - About four hours

Knowing that it's going to take some real effort to compromise my
network without detection - priceless.

Is my home network hack-proof?  Of course not!  Will some snot-nosed
script kiddie running blind scans happen upon my network and enter
undetected?  Not bloody likely.  I still apply patches and test my home
defenses from time to time, but I think that I have a decent setup for
now.  Can some of the people who read and post to this thread break
through my defenses?  I think that some might be able to, which is why I
am sending this message from a friend's house  :)

Bottom line, computer security is a process, not a product.  This is why
there is a layered approach to security.  You watch the doors on the way
in and on the way out (sometimes twice).  You also have to watch the
people authorized to operate within your environment.  

Makes you wonder why we even bother sometimes.  Oh well, time to go look
at some new Brittney Spears photos   ;)



-Original Message-
From: Richard M. Smith [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 15, 2004 10:22 PM
To: James Patterson Wicks
Subject: RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day,
help the cause

Linksys and Netgear.  They only let thru packets from the outside world
which are in response to packets originating from inside the LAN.
That's
how NAT routers work.

Richard 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of James
Patterson
Wicks
Sent: Thursday, January 15, 2004 9:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day,
help
the cause

A router that protects you from "Future security holes in the Windows
networking software", huh?  I would love a router like that!  The thing
is, Cisco, Symantec, Network Associates and Trend Micro have joined
forces to try to do what you say your router is doing already.  Tell me,
what does this router have?
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard M.
Smith
Sent: Thursday, January 15, 2004 6:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day,
help the cause

I run a NAT router box at my house which acts as a hardware firewall for
my
home LAN.  It protects me from the following problems:

   - Messenger popup spam
   - RPC worms
   - Accidentally sharing a disk directory with the world
   - Future security holes in the Win

Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-15 Thread Christopher Downs
Hey, how come no one said anything about a computer being a "tool"?
Curious about that... I think everyone took my slang joke the wrong way
and only saw the s m o k i n g part.

People really don't care about computers; they just use them and that's it.
They print pictures and play video games - simple, and I don't get upset
because that's what they want and what they paid for.

Oh, I also wished luck too? Hahah, oh well, no big deal guys. I still
think it's a good idea to help people that can or want to be helped but
not everyone wants it.

take care all.

~!>D

Bill Royds wrote:

National Smokeout Day has been very successful in getting people to quit
smoking for those wanting to quit smoking. It is not perfect because smoking
is an addiction and only stupid people smoke anyway these days so it is hard
to persuade them to stop.

Personal Firewall Day is only one of many possible approaches to improving
security on home machines. Too many people on this list have binary minds.
Either it works perfectly or it doesn't work at all. This may be OK for
logic circuits, but it is not valid for humans and computer users are human
not mechanical.
  Microsoft sells lots of software for two main reasons:
1/ It is installed on machines when delivered (which is why they were
convicted of being a monopoly in desktops).
2/ Because most desktops run Windows, most software aimed at desktops runs
only on Windows.

 So you are not going to get MS off the desktop. How else are you going to
protect the Internet and other computers from these users. A personal
firewall is much better than closing your eyes and saying "run Linux, run
Linux". A separate firewall between the modem and the box is probably better
and they don't cost that much (about $50-$100) and they can act as a switch
for a home network as well.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of cdowns
Sent: January 15, 2004 11:57 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the
cause

Out of curiosity, you can't get people to stop smoking with the
"National Smokeout Day" what makes anyone think that this would do
anything ?

Most people consider their computer the equivalent of a hammer ( a
tool ), in the toolbox at 4:00 pm sharp until they start their next
workday.

Maybe I'm wrong, I wish the best on this.

~!>D

[EMAIL PROTECTED] wrote:

I just wanted to remind everybody that tomorrow is Personal Firewall Day.

http://www.personalfirewallday.org/

The Personal Firewall Day is a campaign designed to raise awareness about
the dangers we face without a personal firewall. Security experts such as
yourself are encouraged to use the occasion of Personal Firewall Day to
share your expertise and advice with your lesser technologically skilled
friends and family, and help get them secured by installing a personal
firewall - this could be as simple as helping them turn on the XP firewall.
Direct them to the website where they can learn more about personal
firewalls and other layers of protection.

Compromised end-user machines affect us all and the Internet as a whole
when they are used as zombies for DDoS networks or proxies by criminal
spammers, and your personal effort can help remedy this.

PFD is a direct result of the discussions that originated from the
NTBugtraq Retreat '03, and would not have been possible without the
dedication and hard work put into the project by Paul Robertson, director of
risk assessment with TruSecure and the original proponent of the idea.

Regards
Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
[EMAIL PROTECTED]
949-231-8496
PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix


RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-15 Thread James Patterson Wicks
A router that protects you from "Future security holes in the Windows
networking software", huh?  I would love a router like that!  The thing
is, Cisco, Symantec, Network Associates and Trend Micro have joined
forces to try to do what you say your router is doing already.  Tell me,
what does this router have?
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard M.
Smith
Sent: Thursday, January 15, 2004 6:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day,
help the cause

I run a NAT router box at my house which acts as a hardware firewall for
my
home LAN.  It protects me from the following problems:

   - Messenger popup spam
   - RPC worms
   - Accidentally sharing a disk directory with the world
   - Future security holes in the Windows networking software

This type of firewall seems like a bargain to me.  I would use one of
these
router boxes even if I had only one computer to connect to the Internet.

Richard 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brandon
Butterworth
Sent: Thursday, January 15, 2004 2:10 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help
the
cause

> I just wanted to remind everybody that tomorrow is Personal Firewall
Day.

Yuk.

Whilst I support people taking care of their security I rank personal
firewalls on the same level as virus detection

They don't fix the real problems and lead to a dependency culture of
constant upgrades (if people bother) and alternative vendor sales fud









Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-15 Thread Tobias Weisserth
Hi Ron,

On Thu, 15.01.2004 at 18:33, Ron DuFresne wrote:
> It seems all the sec experts here complaining about this initiative value
> their time far too much to donate it to those about them that might benefit
> from their skills, advice, and a few helpful mouse clicks?

Actually I fail to see why _I_ have to pay with my valuable free time
for the rotten software other people sell and get rich off.

They sold the products so they should support their customers.
Especially MS which is claiming that the Open Source community can't
supply the kind of support that MS can supply. Now MS is begging for the
support of the community TO DO THEIR WORK. This is pathetic.

I'd rather take the time to _REPLACE_ any operating system that needs
the additional investment of a personal firewall for anybody I
personally know with a secure by design system that doesn't come with
all doors open and doesn't require updating three different levels of
security (OS, virus scanner and firewall).

cheers,
Tobias W.



RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-15 Thread Richard M. Smith
I run a NAT router box at my house which acts as a hardware firewall for my
home LAN.  It protects me from the following problems:

   - Messenger popup spam
   - RPC worms
   - Accidentally sharing a disk directory with the world
   - Future security holes in the Windows networking software

This type of firewall seems like a bargain to me.  I would use one of these
router boxes even if I had only one computer to connect to the Internet.

Richard 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brandon
Butterworth
Sent: Thursday, January 15, 2004 2:10 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the
cause

> I just wanted to remind everybody that tomorrow is Personal Firewall Day.

Yuk.

Whilst I support people taking care of their security I rank personal
firewalls on the same level as virus detection

They don't fix the real problems and lead to a dependency culture of
constant upgrades (if people bother) and alternative vendor sales fud





RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-15 Thread James Patterson Wicks
And we all know that there are no flaws in Linux security, right?


Security group warns of hole in Linux kernel - 
http://www.infoworld.com/article/04/01/05/HNlinuxhole_1.html

Flaws raise red flag on Linux security - 
http://www.computerworld.co.nz/news.nsf/UNID/ECE4790310BB04F7CC256E1900083AC2?OpenDocument

Hackers Attack Debian Linux - 
http://enterprise-linux-it.newsfactor.com/story.xhtml?story_title=Hackers_Attack_Debian_Linux&story_id=22748&category=distributions

I could go on, but you all get the picture . . . .


Is Linux by nature more secure than Windows?  Of course.
Are any operating systems totally secure and without flaws?  Of course not.
Can an average user set up and operate a Linux desktop easier than a Windows desktop?  
Of course not.  The functionality that Windows desktops users are accustomed to is not 
easily duplicated in Linux desktops, especially when it comes to video editing 
software and games.

Many people jumping on their soapboxes calling Windows everything but a child of God 
have something in common - they are very good at using Linux and have found a way to 
function in the home and/or work environment without it.  It does not take a rocket 
scientist to use a Linux system, but it takes a lot longer to learn to use Linux 
effectively than it does Windows.  That is time that businesses and home users are not 
willing to commit to.  And yes, that unwillingness comes at a cost - security.

Bill Gates created an imperfect product, rushed it to market and dominated the market. 
 He continues to make a product that focuses on ease-of-use rather than security.  
Does he suck for having such an awful business focus?  Yes, but then again he's a 
billionaire and I'm begging the boss to pay for a better hotel at the Networker 
conference.

The reason Windows is so popular is that the average Joe can go to Walmart, buy a 
complete Windows XP PC for about $500 and send out an e-mail in about an hour.  Is his 
system fully secure out of the box?  Heck no, no system is.  You have to work to 
secure any operating system, you just need more skill/training to secure a Linux 
system.

What does Joe have to do to make his Windows XP system somewhat secure?
- Install a personal firewall (with basic IDS features)
- Install an anti-virus program
- Apply all of the critical updates
- Install an anti-spyware application like Spybot or Ad-Aware 
- Make sure that his computer, firewall, anti-spyware and anti-virus 
applications stay updated.

Now, does the average Windows user do this?  Of course not.
Since the average user fails to perform basic maintenance and software updates on a 
Windows-based system, just how in the heck do you expect him to learn Linux 
command-line syntax and how to compile a Linux operating system when new kernel flaws 
are found?  Can he use the web and an x-windows interface to secure his system?  
Possibly, but to suggest that you can properly secure a Linux system without using the 
command-line interface is being coy and deceptive.

This whole "Linux is the answer for the average home user" is a fantasy.  If Grandma 
Bessie in the mountains of West Virginia has to take a couple of Linux classes at the 
local community college just to email her grandkids, then I think that she might just 
opt to just call them on Sundays. 

While I feel this whole "Personal Firewall Day" is just some marketing gimmick, I do 
feel there is still a need to educate Windows OS users on what basic home computer 
security is about.

And how to download the Mozilla browser . . . . 
;)




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of David F.
Skoll
Sent: Thursday, January 15, 2004 3:37 PM
To: Exibar
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day,
help the cause


On Thu, 15 Jan 2004, Exibar wrote:

>  But not 100% safe though...  there are Linux viruses,

Such as ... ?

> what about all those e-mails that
> try to steal my SS# and CC#'s?

Never had one of those, because our anti-spam system blocks them.

> Education is the key, not the OS that you run or don't run.

That's not entirely true; the OS makes a huge difference.

> > A default install of a modern Linux distro includes firewalling rules
> > by default, and is fairly safe.

> there aren't any holes in that Linux distro?

There are, but none are exploitable remotely on our systems.

> there sure are, plenty of them.  Oh, so the Personal Firewall is
> protecting the user... interesting, aren't there Personal Firewalls
> for Windows OS's?  Tons of them

Linux has them built-in, and on modern distributions, turned on by defa

RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-15 Thread Schmehl, Paul L
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> David F. Skoll
> Sent: Thursday, January 15, 2004 2:37 PM
> To: Exibar
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Re: January 15 is Personal 
> Firewall Day, help the cause
> 
> I've been in the computer security business for a while now; 
> I think I know what I'm doing.
>
That's unfortunate, because you're not even aware that there *are*
viruses, worms and trojans for Linux.  Ignorance is bliss, I guess.
 
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-15 Thread Christopher Downs
Bill,
   Nice one! Intelligent words of a smart person. Speaking of smart, 
I've never seen an exploit or bug posted by you?? Kinda weird... Then 
again maybe not.

   Start smoking and you will find stuff hahahahaha.

~!>D
  

Bill Royds wrote:

National Smokeout Day has been very successful in getting people to quit
smoking for those wanting to quit smoking. It is not perfect because smoking
is an addiction and only stupid people smoke anyway these days so it is hard
to persuade them to stop.
Personal Firewall Day is only one of many possible approaches to improving
security on home machines. Too many people on this list have binary minds.
Either it works perfectly or it doesn't work at all. This may be OK for
logic circuits, but it is not valid for humans and computer users are human
not mechanical.
  Microsoft sells lots of software for two main reasons:
1/ It is installed on machines when delivered (which is why they were
convicted of being a monopoly in desktops).
2/ Because most desktops run Windows, most software aimed at desktops runs
only on Windows.
 So you are not going to get MS off the desktop. How else are you going to
protect the Internet and other computers from these users. A personal
firewall is much better than closing your eyes and saying "run Linux, run
Linux". A separate firewall between the modem and the box is probably better
and they don't cost that much (about $50-$100) and they can act as a switch
for a home network as well.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of cdowns
Sent: January 15, 2004 11:57 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the
cause
Out of curiosity, you can't get people to stop smoking with the 
"National Smokeout Day" what makes anyone think that this would do 
anything ?

Most people consider their computer the equivalent of a hammer ( a tool 
), in the toolbox at 4:00 pm sharp until they start their next workday.

Maybe I'm wrong, I wish the best on this.

~!>D

[EMAIL PROTECTED] wrote:

I just wanted to remind everybody that tomorrow is Personal Firewall Day.

http://www.personalfirewallday.org/

The Personal Firewall Day is a campaign designed to raise awareness about
the dangers we face without a personal firewall. Security experts such as
yourself are encouraged to use the occasion of Personal Firewall Day to
share your expertise and advice with your lesser technologically skilled
friends and family, and help get them secured by installing a personal
firewall - this could be as simple as helping them turn on the XP firewall.
Direct them to the website where they can learn more about personal
firewalls and other layers of protection.

Compromised end-user machines affect us all and the Internet as a whole
when they are used as zombies for DDoS networks or proxies by criminal
spammers, and your personal effort can help remedy this.

PFD is a direct result of the discussions that originated from the
NTBugtraq Retreat '03, and would not have been possible without the
dedication and hard work put into the project by Paul Robertson, director of
risk assessment with TruSecure and the original proponent of the idea.

Regards 
Thor Larholm 
Senior Security Researcher 
PivX Solutions 
24 Corporate Plaza #180 
Newport Beach, CA 92660 
http://www.pivx.com 
[EMAIL PROTECTED] 
949-231-8496 
PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix 


Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-15 Thread hggdh
Hello Paul,

Thursday, January 15, 2004, 12:27:06 PM, you wrote:

>> -Original Message-
>> From: [EMAIL PROTECTED] 
>> [mailto:[EMAIL PROTECTED] On Behalf Of 
>> David F. Skoll
>> Sent: Thursday, January 15, 2004 11:07 AM
>> To: [EMAIL PROTECTED]
>> Cc: [EMAIL PROTECTED]; 
>> [EMAIL PROTECTED]; [EMAIL PROTECTED]
>> Subject: [Full-Disclosure] Re: January 15 is Personal 
>> Firewall Day, help the cause
>> 
>> That Web site is utterly disingenuous.  Rather than giving 
>> low-value information, how about high-value information that 
>> actually protects people:
>> 
>> 1) Don't use Windows.
>> 2) Don't use Outlook.
>> 
>> Our company uses neither Windows nor Outlook, and although we 
>> do have a firewall, we do not use anti-virus software.
>>
SPL> So why do you use a firewall?
 
Indeed. We the Righteous can have a firewall, but the incredibly
ignorant "we the people" cannot, because they (we the people, not we
the righteous) use Windows.

Sigh. I wonder who is more ignorant.



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-15 Thread Ron DuFresne


Date: Thu, 15 Jan 2004 05:25:51 -
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [Full-Disclosure] UTTER HORSESHIT: [was January 15 is Personal
Firewall Day, help the cause]



We hereby reject this utter horseshit unreservedly.

What are you people doing? Who do you think you are fooling.

'Apply bandage day, because we live next to a leaking nuclear
reactor day'

Test our mettle and by god we'll crush these marketing
parasitical scum to shreds !

Fucking Flunkies.


Does give the impression that you're riding whichever tends to be the most
palatable side of the fence at the moment... when taken with your reply to
Dave below...

Thanks,

Ron DuFresne

On Thu, 15 Jan 2004, Exibar wrote:

> Dave,
>Sorry to disagree with you, but telling people to simply not use windows
> and not use Outlook is like telling people not to ride in a car for the fear
> of getting into an accident.
>
>So you're telling me that if I don't run Windows and I don't run Outlook
> that I'm 100% safe?  Horsesh*t!   If I install Linux and not Windows XP (for
> example) I'm safe?  There isn't anything else that I have to do?
>
>Why not EDUCATE the end-user on how to use Windows and Outlook safely?
> This is the entire basis behind these personal firewall day, it's about
> EDUCATING those that don't know.
>
> BTW:  Not running Anti-virus software is just plain stupid (I will not
> respond to any flames on this point, so don't bother).  Plain and simple.
> I'm very surprised that any company is able to run that way.
>
>  Exibar
>
> - Original Message -
> From: "David F. Skoll" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
> <[EMAIL PROTECTED]>
> Sent: Thursday, January 15, 2004 12:06 PM
> Subject: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the
> cause
>
>
> > On Wed, 14 Jan 2004 [EMAIL PROTECTED] wrote:
> >
> > > I just wanted to remind everybody that tomorrow is Personal Firewall
> Day.
> > > http://www.personalfirewallday.org/
> >
> > That Web site is utterly disingenuous.  Rather than giving low-value
> > information, how about high-value information that actually protects
> people:
> >
> > 1) Don't use Windows.
> > 2) Don't use Outlook.
> >
> > Our company uses neither Windows nor Outlook, and although we do have a
> > firewall, we do not use anti-virus software.
> >
> > Of course, the sponsors of the site (Microsoft and a bunch of anti-virus
> > vendors) can hardly see it as being in their interest to actually create
> > a secure computing environment.
> >
> > Regards,
> >
> > David.
> >
> >
> >
>
>

~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-15 Thread Exibar

> >So you're telling me that if I don't run Windows and I don't run
Outlook
> > that I'm 100% safe?  Horsesh*t!
>
> You are very much safer.  Our mail server receives on the average day 70
> viruses from cracked Windows machines, and none from cracked Linux
machines.
> We still receive several Nimda hits a day, and none from cracked Linux
> machines.

 But not 100% safe though...  there are Linux viruses, what about all those
e-mails that try to steal my SS# and CC#'s?  Education is the key, not the OS
that you run or don't run.

>
> >  If I install Linux and not Windows XP (for
> > example) I'm safe?  There isn't anything else that I have to do?
>
> A default install of a modern Linux distro includes firewalling rules
> by default, and is fairly safe.

there aren't any holes in that Linux distro?  there sure are, plenty of
them.  Oh, so the Personal Firewall is protecting the user... interesting,
aren't there Personal Firewalls for Windows OS's?  Tons of them

>
> >Why not EDUCATE the end-user on how to use Windows and Outlook
safely?
>
> Because it is impossible to use Windows safely; the very design of the
> operating system is flawed.  This is not just my opinion; it's also that
> of Bruce Schneier and many other people, some of whom lost their jobs

  it IS possible to use Windows safely, with Education of the user.  Teach
them how to set up a Personal Firewall, hardware firewall, and Yes, AntiVirus.


> Why?  We have no machines that are susceptible to the viruses that are
> in the wild.  We do, of course, drop .exe, .com, etc attachments on
> our mail server, but that's just to save disk space and stop annoying
> messages from filling our mailboxes.
>
I don't buy that you block them ONLY to save disk space and stop annoying
messages... don't buy it at all
>
> We have since 1999, and haven't had any problem.  If you don't use
Windows,
> you don't need anti-virus software.

 Ignorance is bliss they say...  If you honestly and truly believe what you
say, more power to you.  I honestly hope that nothing bad happens to your
systems due to a virus outbreak that A/V software would have taken care of

 Ex



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-15 Thread Ron DuFresne
On Thu, 15 Jan 2004, David F. Skoll wrote:

> On Wed, 14 Jan 2004 [EMAIL PROTECTED] wrote:
>
> > I just wanted to remind everybody that tomorrow is Personal Firewall Day.
> > http://www.personalfirewallday.org/
>
> That Web site is utterly disingenuous.  Rather than giving low-value
> information, how about high-value information that actually protects people:
>
> 1) Don't use Windows.
> 2) Don't use Outlook.
>


this only works in an env whence M$ does not have the power to force all
PC vendors to *have* to include unsafe apps and OS's on their systems
rather than put out alternatives.

> Our company uses neither Windows nor Outlook, and although we do have a
> firewall, we do not use anti-virus software.
>

except perhaps for the mac OS, which is not available I believe for the PC
users, there's not really another OS available that has the ease of
use/install/and click and play capabilities that windows tries to
provide, so, few corp env's will go another route for the desktop, as they
are already far too committed in present investments to consider it.  And
mom and pop will never get printers, cameras, and various other devices
like scanners to work in any other OS's, without having their skilled
kids and grandkids devote some time to educate and advise.  But, seems
none of them are willing to offer mom & pop their time, it's too 'valuable'
to even help them get a bit of protection in place and they are of far
higher value mailing lists of complaints about how imperfect their world
is...

> Of course, the sponsors of the site (Microsoft and a bunch of anti-virus
> vendors) can hardly see it as being in their interest to actually create
> a secure computing environment.
>

This is a shame, but, 'tis the world we bought into 

Thanks,

Ron DuFresne
~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-15 Thread Gary Flynn
Folks,

Argue the technical merits of firewalls all you want
but keep reality in mind:
1) There are millions of vulnerable computers out
   there on the net operated by people you have
   little or no chance of training as a system
   administrator.
2) Fixing tomorrow's software (whether by not shipping
   it with open ports or by somehow magically shipping
   it with no flaws) will not do anything to help the
   vulnerabilities, exploits, and criminal behavior that
   are out there TODAY.
3) A firewall is going to make the immediate situation
   better, not worse. (Except perhaps for the support
   folks who have to put up with all the silly, worthless,
   and alarming popups some commercial offerers choose to
   include in their default installation settings.)
Simply put, we are currently in a bad situation. Affixing
blame and crying because the solution isn't perfect or
doesn't magically and retroactively solve all the problems
isn't going to do anything to improve the situation. A
firewall will help rectify bad business decisions that led
to shipping consumer devices with ports open by default,
and shield all the defective software running on those
machines. The environment changed under us in the last
decade. There is plenty of blame to go around.
That said, I wonder if it's necessary to push third party
products. Windows XP and 2003 ship with ICF...a nice quiet
firewall. Windows 2000 has IPSEC policies which, although
complicated, can be used to provide a functional incoming
communications firewall. Wrap it up with some scripts and
an HTA web interface to make it user friendly. 9x has fewer
open ports and is slowly going away.
While the outbound application filtering is useful,
when firewalls become common, then malicious code will
incorporate firewall disabling software just as often
as they now include SMTP software. Shoot, AV vendors
might do us all a favor if code inspection detects
firewall API calls or process kills to firewall
or AV processes and pops up a warning. :)
--
Gary Flynn
Security Engineer - Technical Services
James Madison University
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-15 Thread Bill Royds
National Smokeout Day has been very successful in getting people to quit
smoking for those wanting to quit smoking. It is not perfect because smoking
is an addiction and only stupid people smoke anyway these days so it is hard
to persuade them to stop.

Personal Firewall Day is only one of many possible approaches to improving
security on home machines. Too many people on this list have binary minds.
Either it works perfectly or it doesn't work at all. This may be OK for
logic circuits, but it is not valid for humans and computer users are human
not mechanical.
   Microsoft sells lots of software for two main reasons:
1/ It is installed on machines when delivered (which is why they were
convicted of being a monopoly in desktops).
2/ Because most desktops run Windows, most software aimed at desktops runs
only on Windows.

  So you are not going to get MS off the desktop. How else are you going to
protect the Internet and other computers from these users? A personal
firewall is much better than closing your eyes and saying "run Linux, run
Linux". A separate firewall between the modem and the box is probably better
and they don't cost that much (about $50-$100) and they can act as a switch
for a home network as well.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of cdowns
Sent: January 15, 2004 11:57 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the
cause

Out of curiosity, you can't get people to stop smoking with the 
"National Smokeout Day"; what makes anyone think that this would do 
anything ?

Most people consider their computer the equivalent of a hammer (a tool), 
in the toolbox at 4:00 pm sharp until they start their next workday.

maybe I'm wrong, I wish the best on this.

~!>D

[EMAIL PROTECTED] wrote:

>I just wanted to remind everybody that tomorrow is Personal Firewall Day.
> 
>http://www.personalfirewallday.org/
> 
>The Personal Firewall Day is a campaign designed to raise awareness about
>the dangers we face without a personal firewall. Security experts such as
>yourself are encouraged to use the occasion of Personal Firewall Day to
>share your expertise and advice with your lesser technologically skilled
>friends and family, and help get them secured by installing a personal
>firewall - this could be as simple as helping them turn on the XP firewall.
>Direct them to the website where they can learn more about personal
>firewalls and other layers of protection.
> 
>Compromised end-user machines affect us all and the Internet as a whole
>when they are used as zombies for DDoS networks or proxies by criminal
>spammers, and your personal effort can help remedy this.
> 
>PFD is a direct result of the discussions that originated from the
>NTBugtraq Retreat '03, and would not have been possible without the
>dedication and hard work put into the project by Paul Robertson, director of
>risk assessment with TruSecure and the original proponent of the idea.
> 
> 
> 
>Regards 
>Thor Larholm 
>Senior Security Researcher 
>PivX Solutions 
>24 Corporate Plaza #180 
>Newport Beach, CA 92660 
>http://www.pivx.com 
>[EMAIL PROTECTED] 
>949-231-8496 
>PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix 
> 
>
>  
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-15 Thread Tobias Weisserth
Hi,

On Thu, 15.01.2004 at 21:37, David F. Skoll wrote:
> >  But not 100% safe though...  there are Linux viruses,
> 
> Such as ... ?

http://www.f-prot.com/virusinfo/unix.html

If those are POSIX they may be able to infect a buggy Linux box ;-)

http://www.sophos.com/search/index.cgi?scope=virus_info&lang=english&terms=Linux

Though of course those are not in the wild and current versions of the
affected systems are not vulnerable anymore.

And besides... what are 20 *nix viruses compared to 65.000 viruses able
to infect MS systems?!

> > Education is the key, not the OS that you run or don't run.
> That's not entirely true; the OS makes a huge difference.

I agree with might. When an OS ships with all doors open by default,
then this hardly is compensated by educating the end user.

There IS a contrast between the philosophy of security models. Take
OpenBSD. It is the exact opposite of ANY MS Windows product. In between
there are several different grades of grey but speaking of the secure
equality of operating systems is just plain stupidity.

> > there aren't any holes in that Linux distro?

Yes there are. But keeping track of them doesn't require tons of action
and lots of knowledge from the end user.

SuSE, Red Hat/Fedora, Mandrake and other "user friendly" distributions
offer everything in one place out of one hand. The irony in this is that
MS was feeding on this fact in commercials for years (everything out of
one hand) and now MS users have to buy two additional products from
other vendors and integrate them into their environment themselves.

Using SuSE, an end user simply calls Yast Online Update and el finito!

> > there sure are, pleanty of them.  Oh, so the Personal Firewall is
> > protecting the user... interesting, aren't there Personal Firewalls
> > for Windows OS's?  Tons of them

This isn't the same. See above.

> >   it IS possible to use Windows safely, with Education of the user.

Yes, you're actually right. Strip the modem, LAN card or whatever
connection to the outside world you use and Windows IS safe.

But relying on MS Windows and its secondary product line, Internet
Explorer and Outlook certainly leads to a lot of trouble.

> It's probably also possible to weld safely while standing knee-deep in
> gasoline.  You just have to be really careful.

This is the problem. The end user doesn't care. He can only recognise a
problem when the gas has already exploded.

End user products have to be secure by default and secure by design. A
lot of features in a product is great but not at the cost of security.

> > I don't buy that you block them ONLY to save disk space and stop
> > annoying messages...  don't buy it at all

If he doesn't use any win32 platform these executable binaries are
worth nothing to him, neither as useful application nor as malicious
virus. So of course he simply gets rid of them. So do I.

> I don't care what you buy or don't buy, but it's the truth.  We don't
> run Windows, so we aren't susceptible to the viruses in the wild.

Careful. There ARE viruses for Linux. Only they work differently.

> >  Ignorance is bliss they say...  If you honestly and truely believe
> > what you say, more power to you.  I honestly hope that nothing bad
> > happens to your systems due to a virus outbreak that A/V software
> > would have taken care of

There simply isn't a way you could distribute a virus that is guaranteed
to execute on a broad base of VERY different Linux systems (different
kernels, different file locations etc.). In addition, Linux doesn't come
with open doors by default and the main entrance via Mail attachments
simply won't work because users are effectively caught inside their home
directories and Linux email clients have been developed with this
problem in mind. Since a virus might only affect the non-system, content
only part of a target system it is effectively robbed of its opportunity
to use the system to spread itself onto other systems.

If you've ever taken a look at forests lately you will know for sure
that they are in no good shape (Thanks, Republicans and paper
industry!). Part of the problem is mono-cultures which made it possible
for malicious organisms to spread fast and effectively and infect large
quantities of trees of the same kind standing close together. The
Internet can be compared to this easily. The diversity of different
Linux kernels and systems makes it VERY difficult to write malware that
can spread and infect using a broad base of target systems.

> There is no A/V virus designed to protect Linux systems.

False. Sophos, F-Prot and a couple of others can find Ramen and so on.
You might include chkrootkit into this category of software since it is
looking for trojans and other malware that acts like viruses excluding
the reproduction behaviour.

>   There is
> A/V software that runs on Linux, but it's designed to catch Windows
> viruses.

And Linux viruses. :-) There only may be 20 and none of those might be
able to infect 

Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-15 Thread David F. Skoll
On Thu, 15 Jan 2004, Mary Landesman wrote:

> This anti-MS drivel is so tiresome.

I'm sorry you find the truth tiresome.  Heck, Dan Geer got fired for
speaking the truth -- that's pretty tiresome for him.

I agree that security is not a product, it's a process.  I agree that
every product has its security problems.

But by ignoring the HUGE security problems with Microsoft, we're doing
everyone a disservice.  By ignoring the vast differences in openness
and responsiveness of open-source vendors to security problems compared
to Microsoft's responsiveness, we're denying reality.

The fact is that Windows is fundamentally insecure.  To give just one
example, encoding meta-data in filenames (eg: .exe means "executable")
is a monstrous design mistake that has cost the economy billions by
allowing virus propagation.  That design mistake is impossible to fix
without fundamentally changing Windows.  It's in a completely different
league from "bugs" like buffer and heap overflows.  It's a "design flaw",
not a "bug".

While security is a process, not a product, you'll find that very often,
insecurity of a product is something that no process can fix.

--
David.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-15 Thread Chris Harrington

>No, it's telling them not to drive a Pinto when they could drive
>something safer.
It may be safer but the average desktop user couldn't drive it. Hence the
proliferation of Windows on the desktop. Some 92% if memory serves me??

>You are very much safer.  Our mail server receives on the average day 70
>viruses from cracked Windows machines, and none from cracked Linux
>machines. We still receive several Nimda hits a day, and none from cracked
>Linux machines.
Safer, yes. But the usability issues for a lot of desktop users still
exist. Things are moving forward in that area. RH 9 with the Ximian
desktop is pretty user friendly.

>A default install of a modern Linux distro includes firewalling rules by
>default, and is fairly safe.
Hmmm... sounds like a personal firewall to me.

>Because it is impossible to use Windows safely; the very design of the
>operating system is flawed.
Typical opinion from the Linux crowd. Yes, Windows has security issues, that's
not news. If Linux is so great, why isn't it on more desktops??

>This is not just my opinion; it's also that of Bruce Schneier and many
>other people, some of whom lost their jobs for speaking out.
It's still an opinion, one with which I disagree. I generally hear this from
people who do not have enough experience with Windows to be able to secure
it properly. If you are referring to Dan Geer, you'd better do a little
research as to why he was fired. It was not for pointing out MS flaws.

>Why?  We have no machines that are susceptible to the viruses that are in
>the wild.  We do, of course, drop .exe, .com, etc attachments on our mail
>server, but that's just to save disk space and stop annoying messages from
>filling our mailboxes.
>We have since 1999, and haven't had any problem.  If you don't use
>Windows, you don't need anti-virus software.
I would still use AV software, but I am paranoid :) If you don't have AV
software how do you know you get 70 viruses from cracked Windows machines
daily?

Regards,

--Chris





Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-15 Thread Damian Gerow
Thus spake Exibar ([EMAIL PROTECTED]) [15/01/04 15:02]:
>Why not EDUCATE the end-user on how to use Windows and Outlook safely?
> This is the entire basis behind these personal firewall day, it's about
> EDUCATING those that don't know.

Because end-users don't want to be educated.  They just want it to all work.
They don't want to know *why* their connection is slow, they just want it to
be fast again.  They don't want to know *why* all their files are gone, they
just want them back again.

End-users are very different creatures from sysadmins or power users or
whatever you all are.  Treating them similarly will not bring you to a
solution.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-15 Thread David F. Skoll
On Thu, 15 Jan 2004, Exibar wrote:

>Sorry to disagree with you, but telling people to simply not use windows
> and not use Outlook is like telling people not to ride in a car for the fear
> of getting into an accident.

No, it's telling them not to drive a Pinto when they could drive something
safer.

>So you're telling me that if I don't run Windows and I don't run Outlook
> that I'm 100% safe?  Horsesh*t!

You are very much safer.  Our mail server receives on the average day 70
viruses from cracked Windows machines, and none from cracked Linux machines.
We still receive several Nimda hits a day, and none from cracked Linux
machines.

>  If I install Linux and not Windows XP (for
> example) I'm safe?  There isn't anything else that I have to do?

A default install of a modern Linux distro includes firewalling rules
by default, and is fairly safe.

>Why not EDUCATE the end-user on how to use Windows and Outlook safely?

Because it is impossible to use Windows safely; the very design of the
operating system is flawed.  This is not just my opinion; it's also that
of Bruce Schneier and many other people, some of whom lost their jobs
for speaking out.

> BTW:  Not running Anti-virus software is just plain stupid (I will not
> respond to any flames on this point, so don't bother).

Why?  We have no machines that are susceptible to the viruses that are
in the wild.  We do, of course, drop .exe, .com, etc attachments on
our mail server, but that's just to save disk space and stop annoying
messages from filling our mailboxes.

> Plain and simple.
> I'm very surprised that any company is able to run that way.

We have since 1999, and haven't had any problem.  If you don't use Windows,
you don't need anti-virus software.

Regards,

David.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
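David mentions dropping .exe and .com attachments at the mail server, and elsewhere in the thread he argues that an extension in the filename is only metadata. The following is an added example, written for this archive page and not code from the thread or from any poster; it shows one way a mail gateway could implement that filter while not trusting the filename alone: a leaf MIME part is dropped if its final extension is on a (constructed, deliberately short) executable list, or if its decoded payload starts with the "MZ" signature that DOS and PE executables carry whatever they are named. The sample message, the addresses in it and the extension list are constructed for the example.

```python
"""Strip Windows-executable attachments from a MIME message (added example)."""
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows treats as directly executable. Constructed for this
# example; a production filter would maintain a fuller list.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}


def is_executable_attachment(part: EmailMessage) -> bool:
    """True if a leaf MIME part carries a Windows executable."""
    filename = part.get_filename() or ""
    # Only the last extension matters to Windows, so report.pdf.exe is .exe.
    if os.path.splitext(filename)[1].lower() in EXECUTABLE_EXTENSIONS:
        return True
    payload = part.get_payload(decode=True) or b""
    # DOS/PE executables begin with the "MZ" signature regardless of name,
    # which catches a binary renamed to look like an image or document.
    return payload[:2] == b"MZ"


def _prune(msg: EmailMessage, removed: list) -> None:
    """Recursively drop executable leaf parts from a multipart message."""
    if not msg.is_multipart():
        return
    parts = msg.get_payload()  # the live list of sub-parts
    kept = []
    for part in parts:
        if not part.is_multipart() and is_executable_attachment(part):
            removed.append(part.get_filename() or "<unnamed>")
        else:
            _prune(part, removed)  # descend into nested multiparts
            kept.append(part)
    parts[:] = kept


def strip_executable_attachments(raw: bytes):
    """Parse a raw message; return (cleaned message, list of removed names)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    _prune(msg, removed)
    return msg, removed


# Constructed sample: a text body, a harmless text attachment, a double
# extension executable, and an executable renamed to look like a JPEG.
# Both base64 payloads decode to bytes beginning with the "MZ" header.
SAMPLE_MESSAGE = b"""\
From: sender@example.invalid
To: user@example.invalid
Subject: Photos and the report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Hi, the report is attached.
--b1
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

Just some notes.
--b1
Content-Type: application/octet-stream; name="report.pdf.exe"
Content-Disposition: attachment; filename="report.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1
Content-Type: application/octet-stream; name="photo.jpg"
Content-Disposition: attachment; filename="photo.jpg"
Content-Transfer-Encoding: base64

TVpBQUFB
--b1--
"""

if __name__ == "__main__":
    cleaned, dropped = strip_executable_attachments(SAMPLE_MESSAGE)
    print("dropped attachments:", dropped)
    print(cleaned.as_string())
```

Run as a script it reports the two dropped parts (the double-extension binary and the renamed one) and prints the message with only the text body and notes.txt left. The magic-byte check is the part that matters for David's design-flaw argument: a gateway that keys only on the filename is trusting exactly the metadata he calls unreliable.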


Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-15 Thread Ron DuFresne

[SNIP]

>
> FWIW, Foundry and Juniper (hi BMat) continue to be much better technical
> solutions than Cisco. People buy Cisco because "no one every got fired
> for buying {IBM,Microsoft,Cisco}" and because finding someone who knows
> the Cisco CLI (or who has a Cisco cert) is much easier than finding a
> person who can properly set up and configure a Foundry "six-pack"
> configuration.
>
[SNIP]

cissp's overly full of themselves make me laugh and tend to be a dime a
dozen, much like a network engineer with cisco cli experience eh?

Of course, the real question is, does your earlier post whence you
stated:

All: shut up and deface their site:

Name:www.personalfirewallday.com
Address:  209.50.252.247

It's a Linux box running Web/Mail/DNS.


might well be a violation of the ethics standards for those holding the
cissp   might it not?

Thanks,

Ron DuFresne
~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.^H^H^H^H^HCISSP  Just don't touch anything.



___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-15 Thread Mary Landesman
That's pretty much like teaching your kids to never talk to strangers, or
never visit the "bad" part of town. Fact is, most crimes are committed by
people we know. Microsoft is often victimized, mainly because they are so
ubiquitous. Cisco is running a poll right now to see which of the 17
critical patches are most important to users, because they only have the
manpower to fix 10 of them. Should we all stop using Cisco products?

This anti-MS drivel is so tiresome.

-- Mary

- Original Message - 
From: "David F. Skoll" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Thursday, January 15, 2004 12:06 PM
Subject: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the
cause


On Wed, 14 Jan 2004 [EMAIL PROTECTED] wrote:

> I just wanted to remind everybody that tomorrow is Personal Firewall Day.
> http://www.personalfirewallday.org/

That Web site is utterly disingenuous.  Rather than giving low-value
information, how about high-value information that actually protects people:

1) Don't use Windows.
2) Don't use Outlook.

Our company uses neither Windows nor Outlook, and although we do have a
firewall, we do not use anti-virus software.

Of course, the sponsors of the site (Microsoft and a bunch of anti-virus
vendors) can hardly see it as being in their interest to actually create
a secure computing environment.

Regards,

David.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


