Re: [Full-Disclosure] January 15 is Personal Firewall Day, help the cause

2004-01-19 Thread Cael Abal
| i don't usually comment on this list because of my lack of knowledge but on
| this issue i feel qualified to comment since you are commenting on the gray
| haired non tech type which is what i am. i am 54 and a grandmother.
| ...
| br3n
My initial delight at learning a 54 year-old grandmother monitors FD
quickly turned to horror after noticing the leet-speak.
Cael

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] January 15 is Personal Firewall Day, help the cause

2004-01-15 Thread Joris De Donder
> I just wanted to remind everybody that tomorrow is Personal Firewall
> Day.
"False Sense of Security Day" would be a better name, imho.

Raising awareness is a good thing, pretending that people will be safe
if they install (buy) one or more products is not.



Joris




Re: [Full-Disclosure] January 15 is Personal Firewall Day, help the cause

2004-01-15 Thread Mike Shaw
On Thu, 15 Jan 2004 09:28:39 -0800 Ron DuFresne <[EMAIL PROTECTED]> wrote:
>
>There have been a lot of 'complaints' or FUD replies concerning the
>efforts for personal firewall day, 1/15/04, yet not a single, "this would
>work much better" replies or offerings.  Do any of the unsupporters have
>something better to offer that is;

Okay, here's the deal.

a)  If this is truly an 'education' effort and not a security software
pushing effort, it's an extremely poorly named one.  The average uneducated
user is going to look at this and say "huh?"..and I don't mean the "let's
find out more about this" huh...I mean "this makes no sense and I don't
even begin to understand firewall and I'm moving on to the next easy
thing to grasp" huh.

"Safe computing" day or something else warm and fuzzy would have been
far better.

b)  If the name simply must be something technical, then personal firewalls
are probably the 3rd most valuable thing to push.  Patching and AV are
waaay ahead.  I would say anti-spyware is probably even more important
to the average Windows user than a personal firewall.

Personal firewalls are also far too complex for the average user to be
good as an 'on message' movement.  If they can understand that stuff,
they already understand patching, AV, and clicking "no" when prompted
to install malware.

c)  When you center an education effort around a niche product whose
very existence depends on the very security holes that cause the problem...don't
expect to garner much support.  The marketing behind these products has
far more sinister potential than that of $150/hour security consultants.

So to wrap up...IMHO, if this had been "safe computing day"--focusing
on patching, AV, and possibly anti-spyware, it would have gotten far
far more positive reaction.  Leave the personal firewalls out--not nearly
enough bang for the buck.

Now...not to be fatalist, but while this effort is well intentioned,
the bottom line is the population in general is toast until the primary
players fix their code and defaults.  There are millions of unsafe PCs
out there manned by non-experts, and there are a handful of key software
companies manned by plenty of experts.  Where should the primary effort
be?

-Mike






Re: [Full-Disclosure] January 15 is Personal Firewall Day, help the cause

2004-01-15 Thread Kenton Smith
On Thu, 2004-01-15 at 08:21, adf--at--Code511.com wrote:
> more than raising awareness it looks like a corporate marketing
> operation from majors:
>
> "Where to Get a Personal Firewall
>
> Personal firewalls
> are available from several vendors, including these sponsors of
> Personal Firewall Day:
>
>   • McAfee Security
>   • Microsoft
>   • Sygate
>   • Zone Labs"
> 
> 
> is that education?
> 
> 


Sygate and Zone Labs both offer free personal firewalls for personal
use. Capitalist bastards!



Re: [Full-Disclosure] January 15 is Personal Firewall Day, help the cause

2004-01-15 Thread Tobias Weisserth
Hi Ron,

On Thu, 15.01.2004 at 18:28, Ron DuFresne wrote:
> cheap

There are cheap personal firewalls, no question about that. But there
also are cheap, yet secure end user operating systems which are better
serving the end user's interest than a combination of an insecure
operating system, an insecure web browser, an insecure email client and
so on.

> effective

I don't think personal firewalls are effective. People don't want to
spend time learning about personal firewalls and all personal firewalls
I know require the end user to interact with the software frequently.
The end user has to deny requests from programs he doesn't recognise to
access the Internet. The end user has to act on requests from the
personal firewall itself if there are updates and so on. Most end users
can't even make the difference between virus threats and threats
resulting from insecure end user software that requires a wall in front
of it.

> quick

When you don't spend at least an hour to explain to end users that there
is more to security than a virus scanner you deploy once and leave it as
it is for the rest of the decade then nothing will be improved. "quick"
is the opposite of reality here. You may install Zone Alarm (the free
version) on a PC once and measure the time of the installation and leave
house without further explanations and I guarantee that you will be
bombarded with requests for explanations during the next few weeks
because the end user denied Outlook Express access to the Internet as
the Zone Alarm window popped open and so on.

> allows the non-IT-professional to make a new home system safer

This is even further away from reality than the last one. The
non-IT-professional actually believes what the Microsoft commercials
were saying: MS Windows is a secure operating system. Because of this,
it is already hard to explain to them why they would need a virus
scanner if they are already using a secure operating system. The
non-IT-professional end user doesn't even know that Microsoft is
offering Windows XP updates, how is he supposed to know about something
abstract such as the concept of a firewall?

If Microsoft wants people to know that there are patches available then
they have to show a TV ad right before the 20:00 news on all major
channels.

> Or are we seeing another version of FUD-based-job-security-seeking BS
> spewing from these folks who are not going to get $150 an hour fees in at
> least 4 hour increments from the average home users to 'fix' their systems
> that can't be broke/borked as they are brandy-spankin-new.

This is totally out of place reasoning.

Let me show you how this "Personal Firewall Day" idea hit my mind:

[cheap]
The "sponsors" of this campaign don't have "cheap" in mind. They are
aiming for additional income here. This campaign is meant to reduce
image damage for a certain company refusing to take security seriously
and increase profits for manufacturers of software you wouldn't even
need if this certain other company would take better care of its
products.

There are countless alternatives to established desktop solutions that
are way cheaper because you don't have to buy additional software to
safeguard the underlying one.

[effective]
The process of having to watch three different levels of software:
operating system, virus scanner AND personal firewall isn't effective.

Effective means turning on the PC and work away and maybe control ONE
level of software with ONE tool or even better with ONE button.

Most end users can't tell the difference what in the name of Christ they
have to update. They have lost control and they don't care as long as it
still is working. They only act when something is broken.

The solution to effective and end user friendly security in MS Windows
IS NOT a personal firewall that protects against the bugs of end user
applications that shouldn't even be there!

The blame is all on Microsoft. Why did they wait until the upcoming
service pack of Windows XP until they realised that security requires
"secure by default"? Why do all Windows operating systems come with all
doors open by default? Why did countless Windows XP machines have an
open RPC port when this feature REALLY wasn't needed on the average end
user PC?

This is the transition to:

[trust]
Why are there still well known bugs in the Internet Explorer 6 for
longer than two months without a patch?!

What happened about this idea of dear old Steve, who wanted to show us
that MS is releasing patches faster and more reliable than the Open
Source community? I guess, it died. Not only did it die, MS increased
the time we have to wait for patches. We get patches when they are ready
(better "if" they are ready...) and not when we need them. Sure, this
makes patching predictable. But hey, does a script kiddie respect
Microsoft's scheduling strategy when he aims for a major worm attack on
the Internet?

Well, the initiator of this ad email (almost spam), pivX must know a
little bit about unpatched M

Re: [Full-Disclosure] January 15 is Personal Firewall Day, help the cause

2004-01-15 Thread adf--at--Code511.com
more than raising awareness it looks like a corporate marketing operation from majors:
"Where to Get a Personal Firewall
Personal firewalls are available from several vendors, including these sponsors of Personal Firewall Day:
• McAfee Security
• Microsoft
• Sygate
• Zone Labs"

is that education?

On the other hand, firewall day seems like it is being used by some people to distribute new toys? I got more than 20 000 ms sql worm propagation in the ids log today.

Come on guys, try to be objective for one day, next time do a copy/paste of http://directory.google.com/Top/Computers/Security/Firewalls/Products/ . That'd be education and not another useless corporate spam to sell products.

my 0.158 euro

deepquest
"Ubi solitudinem faciunt, pacem appelant"



On 15 Jan. 04, at 02:21, <[EMAIL PROTECTED]> wrote:

I just wanted to remind everybody that tomorrow is Personal Firewall Day.

http://www.personalfirewallday.org/

The Personal Firewall Day is a campaign designed to raise awareness about the dangers we face without a personal firewall. Security experts such as yourself are encouraged to use the occasion of Personal Firewall Day to share your expertise and advice with your lesser technologically skilled friends and family, and help get them secured by installing a personal firewall - this could be as simple as helping them turn on the XP firewall. Direct them to the website where they can learn more about personal firewalls and other layers of protection.

Compromised end-user machines affect us all and the Internet as a whole when they are used as zombies for DDoS networks or proxies by criminal spammers, and your personal effort can help remedy this.

PFD is a direct result of the discussions that originated from the NTBugtraq Retreat '03, and would not have been possible without the dedication and hard work put into the project by Paul Robertson, director of risk assessment with TruSecure and the original proponent of the idea.



Regards 
Thor Larholm 
Senior Security Researcher 
PivX Solutions 
24 Corporate Plaza #180 
Newport Beach, CA 92660 
http://www.pivx.com 
[EMAIL PROTECTED] 
949-231-8496 
PivX defines “Proactive Threat Mitigation”. Get a FREE Beta Version of Qwik-Fix 

 
Alexandre Da Fonseca aka Deepquest
Chief Technology Officer
"Ubi solitudinem faciunt, pacem appelant"
-
Code511 work:+33-14225-8585
http://www.code511.com  cell:+33-66258-5111
PGP DH/DSS http://www.code511.com/pgp   fax :+33-14225-8590
-

Re: [Full-Disclosure] January 15 is Personal Firewall Day, help the cause

2004-01-15 Thread Ron DuFresne

There have been a lot of 'complaints' or FUD replies concerning the
efforts for personal firewall day, 1/15/04, yet not a single, "this would
work much better" replies or offerings.  Do any of the unsupporters have
something better to offer that is;

cheap
effective
quick
allows the non-IT-professional to make a new home system safer

Or are we seeing another version of FUD-based-job-security-seeking BS
spewing from these folks who are not going to get $150 an hour fees in at
least 4 hour increments from the average home users to 'fix' their systems
that can't be broke/borked as they are brandy-spankin-new.

Thanks,

Ron DuFresne

On Thu, 15 Jan 2004, Joris De Donder wrote:

> > I just wanted to remind everybody that tomorrow is Personal Firewall
> > Day.
> "False Sense of Security Day" would be a better name, imho.
>
> Raising awareness is a good thing, pretending that people will be safe
> if they install (buy) one or more products is not.
>
>
>
> Joris

~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




Re: [Full-Disclosure] January 15 is Personal Firewall Day, help the cause

2004-01-14 Thread madsaxon
At 05:21 PM 1/14/2004 -0800, [EMAIL PROTECTED] wrote:

> I just wanted to remind everybody that tomorrow is Personal Firewall Day.
>
> http://www.personalfirewallday.org/

Excellent, excellent idea.

Kudos to all involved.

m5x



Re: [Full-Disclosure] January 15 is Personal Firewall Day, help the cause

2004-01-14 Thread KF
Please remember to try and take local SYSTEM privs from a personal
firewall tomorrow. =] You may be surprised by what you find. Make
sure your choice of personal firewall does not expose you to other issues.

-KF

[EMAIL PROTECTED] wrote:
I just wanted to remind everybody that tomorrow is Personal Firewall Day.
 
http://www.personalfirewallday.org/
 
The Personal Firewall Day is a campaign designed to raise awareness about the dangers we face without a personal firewall. Security experts such as yourself are encouraged to use the occasion of Personal Firewall Day to share your expertise and advice with your lesser technologically skilled friends and family, and help get them secured by installing a personal firewall - this could be as simple as helping them turn on the XP firewall. Direct them to the website where they can learn more about personal firewalls and other layers of protection.
 
Compromised end-user machines affect us all and the Internet as a whole when they are used as zombies for DDoS networks or proxies by criminal spammers, and your personal effort can help remedy this.
 
PFD is a direct result of the discussions that originated from the NTBugtraq Retreat '03, and would not have been possible without the dedication and hard work put into the project by Paul Robertson, director of risk assessment with TruSecure and the original proponent of the idea.
 
 
 
Regards 
Thor Larholm 
Senior Security Researcher 
PivX Solutions 
24 Corporate Plaza #180 
Newport Beach, CA 92660 
http://www.pivx.com 
[EMAIL PROTECTED] 
949-231-8496 
PivX defines “Proactive Threat Mitigation”. Get a FREE Beta Version of Qwik-Fix
 
