Slashdot Mirror
"Witty" Worm Wrecks Computers
An anonymous reader writes "A new Internet worm wriggled across the entire Internet in the span of a few hours Saturday morning to all computers running several recent versions of firewall software from Internet Security Systems, including BlackICE and RealSecure, according to this story at Washingtonpost.com. The flaw that Witty exploited was discovered Wednesday by eEye Digital Security. The worm overwrites data on the first few sectors of the victim's hard drive, making the machine virtually ubootable and potentially destroying much - if not all - of the victim's data." Update: 03/21 02:18 GMT by T : Reader Jeff Horning points out that eEye actually disovered the worm on the 8th of March, and came up with a fix the next day.
Although they ain't perfect, at least they're not running on your computer. Yikes.
How can we blame M$ for this?
Insert "witty" first post comment
glad to see virus's doing some real damage now, im tired of these stupid virus that just send out emails.. how weak, if we had more virus's that would wipe out entire systems then there would be some more pressure on software companys to fix things
It's a shame when the very piece of software you set up to protect your system turns out to be your system's destruction :(
Worms and Viruses caused DATA LOSS!
It's nice to see a worm that actually damages your disk once again. Perhaps people will begin to see them as more than a nuiscance.
I mean seriously who ever thought it was a good idea to run a firewall on the actual computer connected to the net ? I mean you can buy an applicance router/firewall that is GOOD for what 29 Bucks , thats what I just paid for my netgear wireless router. I have never understood why you would want to run the firewall on the actual connected system. Guess they cant say its better than running nothing anymore.
Do you really expect us to believe more than ten people worldwide run Windows on their firewalls? ;-)
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
I was just thinking about this, can the company be held liable for their software allowing others to basically destroy all data on the computer?
:)
Then I got to thinking, what about Microsoft whose os's and products who have cost millions and millions of dollars.... while some of them require user interaction, others have effectively shutdown the internet for wide areas for short periods of the time.. remember the sql one?
Most infected computers will have to be rebuilt from scratch unless their owners instead decide to buy new ones
I didn't know worms were so powerful now that they could melt a computer into a pile of toxic sludge. : /
-Colin
"FGTRGDI" (Feels good to run gnu/linux doesent it?)
More cryptic acronyms to the people!
GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
Now that you've got yourself a computer system at home, you'll want to protect it from the evils of the Internet. Because Operating Systems are chock full of holes just waiting to be exploited, you should, at a minimum, take the following steps... Step 1. Go out and buy a firewall product for your machine. Also pick up some virus protection software. Step 2. Ok, now install the firewall software... Oh......Damn It!
First, the speed at which the exploit was translated from advisory to a malicious worm.. Second, this is one of the few old-school "do as much damage as you can" worms. At least it makes a change from the monotony of the mass mailing attachment exploit variety of viruses..Not a welcome change for the people who got hit by it of course :(
By the way, in case you get prompted for registration and your principles don't allow you to give out your email address, use Bugme Not to find a login. Click here
How would overwriting the first few sectors result in loss of all data? Wouldn't that just overwrite the boot sector only? Can't you still retrieve your data?
Sivaram Velauthapillai
Sivaram Velauthapillai
Seeking the meaning of life... @slashdot of all places
Now, every windows user aware of this will believe a firewall is a great danger for his computer.
Oh... After all, what will it change ?
If the only thing this does is wipe out the hard drive, how does it spread to other systems? Is there a dormant version of this, or does it postpone doing the damage for a certain number of hours? The articles didn't explain.
From LURHQ
"This worm has been found to be highly malicious, slowly destroying the systems it infects. Because of this activity, at some point this worm will cease to exist - unfortunately it will take all the affected systems with it. Rather than simply executing a "format C:" or similar destructive command, the worm slowly corrupts the filesystem while it continues to spread."
Like many biological viruses it slowly erodes the health of its host, permitting the host to go on infecting new hosts for some time. How long exactly appears to be unpredictable.
It doesn't kill its host outright immediately and it doesn't allow its host to continue indefinitely. Its like a true disease, a terminal illness for computers (pun not intended).
I think this will be with us for a while, particularly when mutations start showing up.
In the free world the media isn't government run; the government is media run.
Comment removed based on user account deletion
How can you recover someone's data from an unbootable HD?
Bolt it into a G4 Mac tower and pull files to your heart's delight.
It's a weekend, why should they care about putting out their timely alerts, eh?
"Officials at the Department of Homeland Security, which is in charge of the government's cybersecurity efforts, were unavailable for comment."
If it destroys just the first sector, and the disk had just one big partition, you can use fdisk to fix the mess.
If it had more partitions, use gpart to find the partitions. It's not perfect, so watch what you're doing.
If it destroys more than just the first sector, it'll (on FAT filesystems) destroy the partition boot sector, the directory, and the FATs. Which means you have to recover the data from backups.
I suffer from attention surplus disorder.
Several months ago, Microsoft CHKDSK effectively destroyed one of my NTFS partitions -- it managed to screw up $MFT (which points to the location of the Master File Table) and the copy of $MFT within $MFTMirr (which is supposed to be used if $MFT is broken). Anyway, long story short, I spent a couple weeks staring at hex dumps and printouts of the Linux-NTFS project's NTFS documentation. After consuming inordinate amounts of caffeine, I came up with SalvageNTFS, an open-source NTFS data recovery tool that got back all the data I wanted. Assuming the physical media is intact (as in, all read requests to the disk are successful), SalvageNTFS can retrieve data if there is even a single record of the MFT intact.
If the first few sectors of the disk are overwritten, you'll lose the MBR, the partition table, and maybe the boot sector of your first partition. However, the filesystem of that partition is likely to be largely or completely intact. Think: in a few weeks with no prior knowledge of NTFS internals, I created a tool that can continue to operate in this environment. I'd hardly call that a "total mess".
Newspapers, magazines, letters, and stamps.
How 1980s. Yikes.
My father is a blogger.
HEY SMARTY!
This virus was because of people running firewall software.
I'm sorry that you read so poorly. Here, let me help by quoting the relevant sentence for you:
h p
"all computers running several recent versions of firewall software from Internet Security Systems, including BlackICE and RealSecure,"
Google tells me Quantian is Knoppix/Debian.
http://www.iss.net/products_services/blackice.p
While there are RealSecure sensor nodes for Linux, the desktop software being referred to here is also a Windows product.
In other words, BZZZT! Thanks for playing the troll today.
"Nothing was broken, and it's been fixed." -- Jon Carroll
I'd advise anyone who depends on any kind of software firewall to go out and buy some sort of hardware firewall.
I reccomend Linksys
Those who depend on Windows Firewalling should beware also.. in fact I'm surprised it wasnt that firewall that was exploited in the first place.
Hey, serves these folks right! I mean who'd be stupid enough to have a Windows machine on the internet without any kind of firewa...
err, never mind.
Installed a snort rule this morning using:
7 76974747920 6d6573736167652068657265|";re\v:1;)
2 0.
alert udp any 4000:5000 -> any any (msg:"Witty Initial Traffic";
content:"|29202020202020696e7365727420
Found via http://isc.incidents.org/diary.html?date=2004-03-
After running it for about 10 minutes and seeing 1,000's of matches, I decided it was better to delete the rule since it was logging to a MySQL database for fear of overloading the disk, and go back to bed.
This is indeed a particularly nasty worm. Several other divisions of my company are battling infections. The master boot record on an infected host is almost certainly destroyed by this little dandy and any host which might have been rebooted before an infection is detected is inoperable. Thankfully it is only the relatively recent versions of the software packages that are effected. The divine combination of wisdom and laziness has found this systems administrator blessedly behind the times. The decision to stop upgrading out ISS tools in favor of a push towards OSS now seems all the more prescient. For those in the community who expect big businesses to flop over to OSS immediately, don't hold your breath. Nothing happens over night because big business is slow, no matter how fast the company's advert department declares them to be. We've been actively switching systems over to Linux and OSS for two years now, but the average depreciation cycle means that it takes a minimum of 5 years to switch over an environment, and that only if you put a stake in the ground. Realistically it takes 7 to 10 years to switch over and IT environment in a company which judges IT investment solely on Cost Benefit Analysis.
Yeah. Knoppix to the rescue! (Again)
Most if not all user agreements for any software, anti-virii, Windows and it's related software usually contain:
In no way can you hold us responsible for loss of data, damange to your system bla bla bla.. basically use at your own risk.
I bet this worm was written by a disgruntled network administrator sick of those "I'm being attacked" emails.
> More cryptic acronyms to the people!
That's MCATTP around here, chum.
Sheesh, evil *and* a jerk. -- Jade
but this is inherently why the idea of a firewall LOCAL to the system it is protecting is a ... shall I say "retarded" idea.
A firewall is best a physical device between your network and the "great big intarweb". That way if your firewall IS comprimised, you arent immediatly toast.
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
Two ways to recover data from an 'Unbootable Drive'.
/F' command I think it is for recovery). From what I understand of NTFS, the FAT table is spread over the drive, so it shouldn't be affected by it as much. Still, everything should be recoverable easily (relatively speaking). It's not as if the data was overwritten.
#1 Install it as a secondary drive on a computer that has a bootable drive. Asuming the File Alocation Tables have not been overwriten, you can read the data as usuall. Also assuming that the windows permisions let you do this. I have known some NTFS drives that won't let you, but that is fixable with a software program I think.
#2 Same way you recover information after a hard drive crash. Take it to the people that do the pro recovery.
Since it has been said that it only overwrites the first few sectors, sounds like only the boot sector is affected. If the it is running a FAT file system, the FAT tables may get overwritten, bu the data is still recoverable (try using the 'scandisk
Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
If it overwrites the first few sectrs of the harddrive, as opposed to the first few sectors of the partiton, then it will take out the MBR which contains the partition table. You can have a physical disk broken up into several partitions eg a 60Gb disk that is partitoned as a 10GB C: drive and a 50GB d: drive.
Who knows who windows will interpreit a partition table containg random data, it might boot far enough to write to the drive using a mistaken idea of how big the partitions are reducing the chance of data recovery.
We are just guessing based on these first reports. Someone will analyse the worm properly in a day or two and give a better idea of how to deal with it.
I told him I would never buy any of their products since I figured they were just as likely to insert their own backdoors in the products due to maturity reasons.
This is just priceless though, I wish that guy a hardy Nelson "har har".
Never overestimate the end user. -jeramy b. smith
Surelly you could still access the data and copy it onto another Hard disk, burn it to CD or copy it to a USB pen by running Knoppix.
Virus for Linux are not likely to be very damageable. For doing such kind of things (ie. the first blocks of a hard disk), the virus should be based on a remote root exploit, which happens, but is *very* rare. Most exploits are local, so you can't use them if you don't have a ssh account on this computer.
It's easier in a windows environment to make big remote damages because many programs and servers run at administrator rights ; which is the case of this firewall software. In linux, all the firewalling stuff is based on netfilter/iptables, netfilter in kernel space, and iptables as the super-user interface. The benefit of having firewalling facilities in kernel space, integrated with the TCP/IP stuff, are that the size of the potentially unsecure code is quite small, when in windows all the security stuff is a user space developers responsability.
I know this may look like a troll. But windows security design is a disaster ; and I don't think this will really change soon.
According to Symantec's Witty information page, Norton Antivirus can't detect it because it is memory resident only, and never written to disk.
As the story summary states, it "attempts to overwrite 128 sectors in a random location of one of the first eight physical hard drives with data from memory. If the randomly picked physical hard disk does not exist, the worm simply continues." Devastating.
BlackICE patches are available.
Code running with Administrator privileges is assumed to be trustworthy and know what it is doing. The problem is that there is way too much code running as Administrator.
Mea navis aericumbens anguillis abundat
The average joe isnt going to be monitoring any lists.. they will just ( hopefully ) plug in whatever box that came with their pc.. or at worst, accept defaults on software, which normally is useless..
Thast the reality of 90% of the 'home users'.. so a 'free' hardware firewall is the best solution. Since they give away printers, they shoudld be giving away firewalls too.. they are just as cheap. ( though, yes i realize that they make their money via ink carts.. but you get my point )
---- Booth was a patriot ----
This is why having a firewall running on the machine(s) it's supposed to protect is idiotic.
When will the Windows world (and, to a lesser extent, the *nix world) wake up and realize that putting all services on a single box is just asking for trouble?
A firewall should be a dedicated, hardened host that is easily rebuilt if compromised. A firewall should not be the only layer of security.
.@.
Actually, pretty easy.
:-)
If you could actually turn off unwanted and insecure services you wouldn't NEED a firewall.
My FreeBSD/Linux based routers serve as firewalls for my Windows boxes. Very easy to turn off everything but ssh.
In Windows you can't even tell whats running let alone shut it off. There are many ports that get attached to every interface and no way to fix it.
The first and only firewall most people need is an OS that doesn't open itself up to the world like a cheap two-bit, umm, door. Or something.
IMHO, there's a GOOD reason why the hardware router guys are pushing you to the "professional $200+ lineup" for these needs. They're "professional level" uses of the firewall product.
If you're so cheap, you can't see spending $200-250 or so for a hardware firewall/router product to protect your developmental web/database server - then the product you're developing must not be of much value to you?
Honestly, if money is really too tight and $200 is too much to spend on security, I'd look at Linux-based solutions running on an older, dedicated PC. I've seen several really nice firewall products you can download free ISO images of and burn to a CDR install disc, for non-commercial use. I'd feel much safer having my firewall on a seperate, dedicated box than running as a service on my desktop (where it's impacting my CPU and RAM usage, too).
From looking at the disassembly it looks more like it sends 20000 copies of itself to random destinations, then tries to open one of HD0-7, if the open fails it goes back to sending, if it succeeds it overwrites a random 64kB-aligned 64kB chunk of the first 2 GiB with some data, reseeds the prng and goes back to sending, if the open fails it simply loops back to sending another 20k copies.
I'd hardly call 2GiB a few sectors...
Try running Testdisk: http://www.cgsecurity.org/index.html?testdisk.html
It comes as part of Knoppix I believe, and was a great help last time someone lost their partition table. After that, just fsck as normal.
You can't remote root a system with no open ports unless the firewall code itself is compromised.
And _that_ I've never heard of (except in the case of BlackICE and ZoneAlarm)
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
It doesn't just write the the MBR. It pushes 64k of data to RANDOM locations on a randomly selected hard-disk. At some point it bombs the MBR, but it bombs other portions of the disks on a machine.
NASTY worm. Definitely old-school in nature- I wondered when someone would get around to making something along these lines.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
The worm's functionality is as follows:
1) Generates a random IP address
2) Sends the worm payload
3) Repeats steps 1-2 20,000 times
4) Opens a random PHYSICALDRIVE from 0-7, which allows raw hard disk access
5) Seeks to a random point on the disk
6) Writes 65K of data from the beginning of the vulnerable DLL to the disk
7) Closes the disk
8) Starts the process over from step 1
(emphasis mine)
Well i'm glad this was posted on slashdot even though I had submitted this *hours* before.
I've also updated my blog with all the relevent links and data . The speed of the worm creation is frightening, less then 5 days from the vulnerability announcement to the time that the worm hit the internet. No one can claim this is a spamming effort either since, as noted in other posts here, it is destroying the disks on the machine as well. It's actually like a game of russion roulette, it targets one of the first 8 disks and if the disk doesn't exist it simply continues it's routine of attacking 20,000 random addresses. This is the first worm I can remember that is actually malicious.
Listed on the above blog are the following links:
eEye advisory
ISS advisory
lurhq analysis
SANS diary report
F-Secure writeup
Symantec writeup
Witty Worm Capture 1 and 2 (from dslreports.com)
and the text from SANS capture of the worm.
I've been capturing UDP traffic all day and hope to compile some more interesting information later on.
I saw this one too! I have that as a non sequitor in the blog I run. Pretty funny that google didn't update on that one fast enough. I wonder how many extra hits they will get because of the worms name. Also I think it's ironic it's an "anal device" and the worm pretty much f'sck you there when it writes to disk.
Boot Knoppix too and pull anything you desire from ANY M$ formatted drive.
NTFS, FAT, whatever...
I NEVER make a service call without a Knoppix CD with me..
Blue screens and memory dumps are normal Windows behavior. Nothing to be worried about.
This is a huge hole. It requires no end-user action whatsoever to exploit. The "security" program it attacks is probably running with administrator privileges, even on locked down systems. There's no reason a packet filter should be able to write raw disks. In fact, if it still runs with those privileges, you want to get this "security" product off your system now. This might not be the only hole.
"Witty" Worm Wrecks Workstations!
I'd like to apologise for the poster your responding to and I'd like to point that the 99.9% of OTHER Linux users are not starry eyed PFB's trying to cram their particular religion down everyone's throats.
We know Linux needs work before its ready for prime time, just like we know that there are certain trade-offs between convenance and security.
I do believe that Windows users have gotten a bit of a drop here by Microsoft, but that would be more of a monopoly issue and bad planning (if we had the lead all this time WE would certainly have made some mistakes too).
So keep using your Windows PC in peace. Its got a lot of useful functionality and as a Gnome developer once suggested, the most secure operating system is the one your comfortable with and can keep updated. As Linux gains marketshare you can bet some vunerabilities will be found, some we'll expect and some we wont. Maybe you'll find it more appealing after its had more time to mature. Don't let zealots color your opinions too much, they speak for themselves.
Quack, quack.
A memory dump is a blue screen. And most memory dumps in an NT/NT based environment are due to hardware or driver problems. Programs run at ring 3 in their own memory spaces. Windows 9x blue screens could also be caused by hardware or drivers but were usually due to bad memory management, direct access to hardware and everything running at ring 0.
Actually, we don't really give a crap about what you want. You're mostly cluebies who shouldn't have a say in the matter, and the cause of most of these problems. You're the ones who use the vulnerable software, and click on things because they tell you to. (Remember, one of the last worms was purely a trojan---the user had to do all the work.)
You should use Linux (or OSX, or whatever), because we tell you to, and we know what we're talking about. You're causing problems that affect a lot of people (the networks get saturated), and you need to stop.
Let's look at your points:
Anyway, your last (unnumbered) point about programs needing refinement is probably the only accurate one. Most do need refinement; however, the beautiful thing about the Linux and Free Software community is that they constantly are being refined. And if there's something you don't like, I suggest you help out, or quit complaining about it.
Don't think of it as a flame---it's more like an argument that does 3d6 fire damage
Now where have I seen this before? Let me think. What are the distinctive points about Witty's design?
Now where have I seen this before? Oh yes - SQL Slammer/Sapphire.
Witty roots a firewall, it spreads rapidly, it's extremely small and minimalistic (sort of bootsector size) yet still carries a destructive payload... this is not your average 16-year-old, this is one of the old school. Probably in his 30s, it's very probably the same author who wrote Sapphire, and he's probably a pro by now (white-hat? av company? competing firewall?).
Technically what you are asking, yes it could be written. But it couldn't really do anything usefull.
You could write an x86 asm routine that did not make an OS call. So it would not care what OS it is running on. I used to write my own string copy routines that would work on any OS.
But, if you take out all access to OS related functions you don't have much you can do. No reading or writing files. Unless you want to try and write a file system into it that would interface with the hardware to read any file system. No access to network interfaces, unless you wrote and added drivers for any hardware the machine might have. And so on.
So basicly you can write an OS that did not talk to a host OS, that is what Linux, Windows, BeOS, and all of those do. But it would not be a very small thing if you wanted to read the users files and send them somewhere.
Actually you basically can't for a simple reason.
Yes, you can write x86 *CODE* that will run on any OS, by using BIOS interrupts, or even making different calls/checks to see what OS this is, and then using the appropriate system calls. But how to run this code?
Windows uses PE files, Linux uses ELF files, MacOS 9 uses data+ressource forks...etc. It would take a hell of a lot of hacking the formats to somehow make the PE offsets correspond to the ELF offsets or somehow put both kinds of headers in the executable program so it can run on both OSs.
So while your code might be multi-platform compatible, the cointainer itself will end up being OS-specific.
Actually, we don't really give a crap about what you want. You're mostly cluebies who shouldn't have a say in the matter, and the cause of most of these problems. You're the ones who use the vulnerable software, and click on things because they tell you to. (Remember, one of the last worms was purely a trojan---the user had to do all the work.)
You should use Linux (or OSX, or whatever), because we tell you to, and we know what we're talking about. You're causing problems that affect a lot of people (the networks get saturated), and you need to stop.
Oh god shut up, shut up, shut the FUCK UP.
*cough*
Excuse me, but you can shove that condescending know-it-all attitude straight up your ass.
I use Windows because the overall experience, at least for Desktop use, has been better. Stuff actually works the way I expect it to. I plug in a firewire hard disk, it installs and loads drivers, and the partitions, if any, appear. Instantly. No going to linux1394.org, downloading a shell script, and hoping it works. I click a torrent in mozilla, or Explorer, or whatever, and it loads my Bittorrent client automatically. More recent distros are better, but you won't win anyone over with that attitude.
Last time I had reliability problems with windows, the hard disk was failing. But since I fixed that problem (which not even Linux is immune to) I've had ZERO problems booting. And to be honest, I haven't had any security problems.
Whoa, you think I'm lying, right?
No, I'm not. In the time I've been running 2K and XP, not once have I had:
A Trojan
A Worm
Spyware
Malware
of any sort have any sort of presence on my machine.
Granted, I run Mozilla, Apache (with a secured user-account of its own,) instead of the usual windows implements. Sometimes the opensource community does create stuff that truly JUST WORKS. At least they're smart enough to not get arrogant about it.
But for kicks I run without a firewall and as an administrator 100% of the time. Still waiting for all the problems you describe.
So, kindly, pull that stick out of your ass. Thank you.
I pretty much agree with you.
The only gotcha I see in the answer would be that the original question was asking if you could write a virus that would run on any (or multiple) OS's. That takes the requirement of a executable file out of it.
If somehow you could get a buffer overflow or something that jumped to your code (which would be OS specific I guess) you could then execute any "pure" x86 code you wanted. I just don't see it being able to do a whole lot. Best/Worst case would be directly talk to an IDE interface and corupt drive 0. That would probably take the original exploit to be in the kernal of the infected OS otherwise I think pretty much all OS block user code from that low level access.
But you are right, there is probably going to have to be some OS dependant code in there somewhere to get it started. And it would be some pretty nasty code.
"Witty" Worm did not destroy your system.
Pete Carr Owner Chatmag.com
I'm sure those who were around will remember the whole darned internet grinding to a halt when the Morris worm came out in 1988.
Can someone tell me why open systems basically learned their collective lesson on one big event and it never happened again, while Microsoft products get the beatdown at least once every ninety days and nothing changes?
The picture someone else makes to represent what they think is the best method to communicate to someone else what the computer is doing is a pretty sad thing when compared to the results that come from having your very own picture in your head.
You point and click types can whine, but vi
I am very easy to get along with, but I don't have time to waste being nice to people who are being stupid. -Theo
You can't tell whats running? This is very easy, actually. Try this:
To see what ports are currently listening:
netstat -an
To see what services are attached to what process: /svc
tasklist
To stop a process (until next boot):
sc stop _service_name_
To query a state of a process:
sc query _service_name_
[accidently posted this in the hardware router anonymously] After running BlackICE for less than a week, curious to see for myself what it was capable of, I was unlucky enough to get hit with this and lucky enough to kill it after it ran for an hour and half (blackd.exe opened port 4000 locally at 5:17 gmt, Mar.19.) It doesn't appear to have done any damage though, certainlly not to my MBR (though if it randomly writes to any sector I don't think there was a chance of this,) but I'm certain it sent more than the 20,000 needed to trigger the junk data being written in the 90 minutes it ran. With no record of the packets it sent, I do have a record of nearly 10,000 angry ICMP responses, the bulk of which are from a single address which first caused me to believe my IP was being spoofed, but I suspect this represents a fraction of the addresses it successfully sent to (locally it attempted to send ~6GB at 10Mb/s.) Up until now I've never felt the need for a hardware router.
Assuming this is one vulnerability, I'd have to also assume that these products share some common code or at least a common library with the vulnerability.
I don't see any discussion as to why several different products share the same vulnerability!
That in itself is a discredit to the value of choosing such products. It looks like they rely on some black box code that these companies do not develop themselves and thus doesn't get the type of code review required in a security product.
I did briefly run Black ICE on a machine designated for firewall/gateway several years ago when routers were more expensive than reusing an old PC. I'd likely not do that again, and I'd certainly never recommend using software firewall for protecting the machine running the firewall software.
It must be nice having benevolent cracker reflash your BIOS for you.
Ummmm... dialup users are screwed because PPP filtering is a completely different beast?
I'm not a kernel hacker but I would like to try and keep things straight in my head. In PCI ethernet networks, the ethernet card gets attached to kernel mem locations and a firewall attaches itself between kernel mem locations and the userspace programs that they serve. PPP, from my limited knowledge, gets attached to completely different kernel mem locations and dialup networking userspace programs are allowed to pass PPP mem locations to IP mem locations such that most userspace programs have no trouble getting the info they need from the TCP/IP environment.
So this brings up the interesting question: are there bugs in the PPP components of modern kernels which can be exploited before any commonly available firewalls can filter the packets from the IP stack?
I don't know. Feel free to correct me on the diagram.
+++ATHZ 99:5:80