Reverse Firewalls As An Anti-Spam Tool
An anonymous reader writes "VeriSign's principal scientist Phillip Hallam-Baker believes one answer to stopping spammers and even crackers is by using reverse firewalls. He says reverse firewalls should be embedded in every cable modem and wireless access point for home users. "A traditional firewall is designed to stop attacks from the outside coming in; a reverse firewall stops an attack going out," Hallam-Baker said. Apparently, a reverse firewall would reduce the value of recruiting your home PC as a member of a botnet because "normal users have no need to send out floods of e-mail, which reverse firewalls can stop, but they do allow a normal flow of e-mail. ""
I have Kerio Personal Firewall on my Windows machine and it prompts me about every outgoing connection (to learn it, or allow it, or block it).
since they monitor traffic going in and out of the PC.
Having a firewall required would hinder gaming efforts by making it harder to connect to servers.
So long as I can edit firewall settings I would
support mandatory default reverse firewalls for
any equipment that so much as touches IP.
Ahh, and who will control what defines an attack? Is using Freenet an attack? Bittorrent? Kazaa?
This looks like yet another way to force us to use the Internet in the way that corporations/governments want us to. No fucking thank you.
My other car is first.
Perhaps simply modifying mail protocols (migrating away from SMTP, POP3, IMAP etc.) to more robust and secured ones would be easier than having to create a product just to limit what you can do with your own machine and network connection.
But that would be silly now, wouldn't it? Sure, it would cost a lot to migrate your mail clients and mail servers to a hypothetical industry-standard "enhanced SMTP" or something like that, but wouldn't we all be better off in the long run?
Similarly, few individuals have a desperate need to run their own mail server, so ISPs should only allow mail connections to their own mail servers unless the user asks otherwise. How hard is that? Someone tell me this wouldn't have a major impact on spam zombies.
You could do the same for pretty much every unpopular service and just have an account page where users can specifically turn on services they need.
How can you make a reverse firewall as easy to set up as a normal consumer firewall? Is technology advanced and automated enough that this reverse firewall can detect when a user is sending email via port 25 to his or her ISP's SMTP server? Can a reverse firewall tell the difference between spam being sent out, and someone emailing his entire family with good news about his daughter's report card?
A better solution is for ISPs to block port 25 for all consumer connections, and only allow port 25 traffic to their own SMTP servers. Why put the onus on the consumers, when it is the ISPs who seem to be failing us?
Feed the need: Digitaladdiction.net
I suppose the router manufacturers will take this step, which would certainly generate more tech support calls and higher engineering costs, out of the goodness of their hearts?
The manufacturers are in a beautiful position on the spam/virus issue - they just route the packets, virii are Microsoft's problem. Why rock the boat?
Seems reasonable. Too reasonable. Just like a deal with the devil.
ACs are modded -6. I don't read you, I don't mod you, I don't see you. Don't like it? Don't be a coward.
Great Idea! New technical concepts and products always excite me. We must keep one thing in mind however, hackers/crackers/spammers/whatever you want to call them are clever and very imaginative people. Single concepts and technologies will be overcome and bypassed. The security/spam fight needs to be a continuous and evolving process. One cannot simply rely on a single product or conceptual model to end malicious actions. When people start realizing that keeping computers secure is a process and NOT a product, the world will be a lot safer and secure.
I, being the ubergeek that I am, already have a 14k^H^H^H^H "reverse-firewall".
No hackers for me, no siree!
When things get complex, multiply by the complex conjugate.
So spammers either use slightly old hardware without the reverse-firewall, or simply use some of their ill-gotten gains to purchase higher end equipment, same as large companies or ISPs already do, which wouldn't have the reverse-firewall in it. Or even find a cheap hardware manufacturer who is willing to simply not include the reverse-firewall in exchange for the spammers buying all their hardware from them.
Disclaimer: The above comment was made while under the influence of too much coding and not enough sleep.
The problem is that unlike traditional NAT'ing firewalls, where everything not part of an existing TCP/IP conversation can be thrown to the bit bucket, there is no such simple rule for a reverse firewall. So you get into heuristics and signatures, which have to be constantly updated and which give a LOT more false positives than a simple NAT box; ask anyone who has worked with intrusion detection systems. Not only that, but since updates have to be done constantly to screen for new threats there is an ongoing cost, and so companies will of course want to charge an ongoing fee, so instead of a cheap Linksys box just costing $50-100 it will cost that much AND have a monthly maintenance fee. I personally wouldn't want such a device for the same reason I don't own a Tivo: I hate perpetual revenue streams that add little value over what I can get with a fixed function device. Now I personally would LOVE this for my business customers. I already utilize Sonicwalls with integrated virus enforcement; blocking machines with unusual usage patterns would be nice so long as the false positive rate were sufficiently low.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
at least name it right!
I don't get it, how is this different from a regular firewall? Do they come configured to block everything by default?
If anything, maybe filters that worked on a "if x packets in n time access y port then block" would be a decent idea. Like a lot of IRC scripts do as flood protection.
SMTP is limited to one port (25), and most people are simply not sending out hundreds of emails per hour. A simple bit of rate limiting of the outgoing traffic (say 60 emails per hour) wouldn't even be noticed by 99% of home users. The other 1% probably know what they're doing and could disable it. 60 per hour is plenty for the average person, but a hindrance to a spammer.
First of all, the linked article simply describes a firewall blocking some outgoing traffic with easy rate limit rules (i.e. no email after x messages sent in y amount of time). There's no need to call it a reverse firewall. It's a firewall, plain and simple. Just because most people allow all outgoing traffic doesn't mean that if you block some you've invented a new type of firewall.
The other article is really describing a completely different thing. They use the same term, reverse firewall, but they talk about firewalling each individual machine inside a lan. Basically, they suggest a firewall on each machine to protect the internal network from attacks that originate inside it. Completely different use of the term.
It sort of looks like the submitter just googled for "reverse firewall" and posted the first match. Or actually it appears to be the 4th match. Anyway, regardless, the two links seem to be talking about different things. Both of them have merit, but neither seems particularly innovative. I do like the first article's idea of rate limiting outgoing email on home router boxes by default. Seems like it would solve a lot of spam problems.
Best slashdot comment
Wow. "VeriSign's principal scientist" recommends "reverse firewalls". Nice, but I believe the term and thoughts about EGRESS firewalling have been around for a while. Reverse firewalling - Yesh. Get a clue. It wouldn't be that bad of an idea but 1. It won't be turned on by default 2. People won't turn it on 3. People won't get it.
[tinfoil_hat_on]
1. What if I were to have a good reason to send loads of e-mail?
2. Would these firewalls keep logs, and if so, who would have access to them?
3. This sounds a lot like Microsoft's Trusted Computing project; bad idea
[tinfoil_hat_off]
-Joey
For about 3.2 seconds till the UPNP enabled virus tells the UPNP enabled firewall that it is an authorized app...
cheap labor conservatives - they want to keep you hungry enough to be thankful for minimum wage.
Reverse firewall polarity!
all mine does is prevent me from playing halo or warcraft... that's pretty mean, blocking the viruses so they stay in your computer!! "great, my computer's infested with viruses, and we have to install a whole new operating system, but at least everyone else doesn't have it!!" c'mon, are you really going to think of that? how very American of them, ever think of the fact that we would WANT to send lots of viru-*cough*emails out to the general public? oh, so I'm not normal now?!?!?!?
A cable modem with a reverse firewall sounds nice but I would rather handle this at the CPU level. I want to choose what to block and accept.
Strange women lying in ponds distributing swords is no basis for a system of government.
If he means a firewall based on the network level and not on content, it will fail miserably in providing good service for power users, because the firewall won't be able to react to new traffic trends. Even NAT can give you headaches and has been around for a while.
If he means a firewall with content scanning embedded, it is certainly a security risk... for the user. I don't trust my router deciding what is right and not right for me, thank you.
What is needed here is a protocol for mail exchange designed with spam in mind, not zillions of dumb firewalls fighting their own users.
Stop bloating networks with security fails at top protocols; some guys should reread OSI stack fundamentals...
Regular people need to stop using port 25. It's time for users to switch to 587 or 465 for sending mail to their mail server. If you're running a mail server on purpose, then you can disable the rate limit.
Just the thing to protect the computers of... Reverse Vampires
I know, instead of trying to band-aid the problem with a hack that does nothing but weaken the peer to peer concept of the net even more, how about getting Microsoft to fix the crux of the problems in the first place?
Reverse Firewall? As far as I know, a wall of fire would be flaming on both sides.
All kidding aside, all capable firewalls do have outbound protection built into them. Consumer software firewalls monitor which programs are allowed to access the internet, for example, and enterprise-level firewalls allow you to define heuristics to block certain traffic patterns.
So, basically, the article is just suggesting a new name for an old concept. Really, the author wants consumer networking devices to have more capable firewalls.
He's missing something: home PCs aren't spam-generators, they are spam relays. The spam has to be getting in somehow, and that is something a normal firewall should be able to stop. On top of that, they have downloaded a trojan or been hit by a worm to turn them into relays in the first place, which is something a firewall + AV should prevent.
Also, it's probably just as easy to educate 75% of the people how not to become a spam relay as it is to get 75% of the people to buy something with a reverse firewall and then train them how to use it (most people I know just put their computers into the DMZ when they play games because they don't know how to forward ports).
Sure, layered security is a good thing, but I see this as likely to generate many headaches with not much benefit.
-Ryan
AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
that spam is a difficult problem to solve, but that is the most idiotic idea I think I've ever encountered. That's like making it difficult to do encryption to prevent terrorists from communicating safely. Granted, "normal" people's computers are a vessel for spammers, but it's asinine to limit normal people's hardware. Why not fix the problem at the source and work on making consumer's computers secure? The day I find out my DSL modem is blocking ports or something like that is the day I wreck the thing while trying to fix it. I mean, really.
ZoneAlarm software firewall already checks for unreasonable outgoing email, and asks the user if it is okay. ZoneAlarm checks time, number of recipients, and attachment reasonability.
Just Put a Condom on it.
It could be worse, it could be Monday.
The virus is already on the inside with "root". It would be trivial for the virus to simply disable the firewall before spewing.
No, for a "reverse" firewall to make any sense, the firewall must be on a different machine.
until of course a cable modem (or whatever the llawerif is embedded in) is reverse engineered and a hack found and described for the world to see. even if most couldn't do the hack, some would.
this is more nonsense.
software will always be hackable.(after all its just commands to harness the hardware)
hardware will always be hackable(it would take a meta man to create hardware unhackable by man)
GTF over any notion that computers on networks will EVER be secure. Gawd, if you could just show legislators that simple logic we could quit wasting valuable tax dollars in this country.
we make machines to work for us.
we have to talk to the machines in a language they understand.
The language can conduct nice business with the comp.
The language can conduct nastiness.
we make machines that block nastiness.
we move this circuit.shunt.rewire.reprogram the cmos or in the case of nvidia just move this resistor from here-> * to here ->* and save a buncha mon$y.
so in reply: no, it won't stop virii and worms as well.
*Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
While it is true that the reverse firewall will stop too much traffic from a "home" computer, there are some aspects of this which raise interesting questions:
1. How much is "too much"? How is this decided?
2. What about proxies to circumvent this?
3. The majority of spam generated is probably not from a home computer.
4. Modern firewalls can be configured for outbound filtering as well. How radically will the proposed scheme be different from this?
Correct me if I am wrong in any of the assumptions above. If we are achieving too little while applying too much effort, the law of economy wouldn't justify this.
This sounds similar to the reasoning the RIAA and others use to conclude that DRM is a good thing. Copyright fair use turns into a permission model. At least in this case the problem is one of real theft of resources.
speaking of "floods of e-mail," one of the most entertaining things is to take my original copy of win2k without any service packs, :-)
do a fresh install,
plug in without any firewall,
and watch how fast the damn thing tries to send out mass mailings
Um. I highly doubt a reverse firewall would be UPnP enabled.
It wouldn't add functionality. It would add a glaring security flaw. Let me think about that.
ip access-list extended EGRESS_FILTER
 remark Outbound SMTP only to the ISP's relay; the destination was missing from the post, <ISP-MAIL-SERVER-IP> is a placeholder
 permit tcp any host <ISP-MAIL-SERVER-IP> eq smtp
 remark Drop every other outbound SMTP connection, then let the rest through
 deny tcp any any eq smtp
 permit ip any any
!
interface
 ip access-group EGRESS_FILTER out
Fixed!
This would limit the rate of outgoing emails (or presumably anything else) to a limit that most people wouldn't hit in normal use. If implemented this limit would be configurable in the "firewall" so that users who know what they are doing can alter it.
It is different to software "reverse firewalls" such as Zonealarm as it couldn't easily be turned off by viruses and the like. But on the other hand it lets anything through once.
It would be beneficial to prevent the massing hordes of clueless broadband users from being juicy targets to the spammer - since each zombie could only send out a pathetically tiny number per hour.
groklaw, wired and slashdot. The holy trinity of work based time wasting.
Please check and see what % of currently shipping sub 100 USD firewalls/NAT devices are UPNP enabled. You might be shocked.
Wonderful, just what I need, yet another wing of the cable company telling me what I can and can't do. And just how do you propose monitoring this system? What if I run a mailing list or support group from home? Why would I want to pay another $20 to send out 50 emails to people, and at what point would this firewall cut me off?
What if a new game comes out which makes an odd form of connection for multi-play? Or perhaps my software does something that's not viewed as "normal" by Joe Schmoe, M.C.S.E.
And what could I do about it?
Here is the problem.
You have a flood of water 15 foot high coming for your house.
So lets paint the basement with some water-sealant.
There are bigger problems to fix.
Complex things lead to complex problems.
--
However, the security model in 802.11 may not be enough to prevent an attacker from getting access to the intranet.
you're kidding..
Obviously this is a practical concept, but I'm hesitant. I personally feel that spam blocking is the burden of the receiver, just by the nature of the email protocol. I hate obtrusive advertising as much as the next guy, but I do recognize it as a form of speech. And no matter how inane, idiotic, and offensive it may be, I feel it is protected under the 1st amendment.
I recognize that spam is an inconvenience for end recipients, and a serious waste of resources for networks. Regardless, I feel that a reverse firewall process as described sets a dangerous precedent. Many might concede to blocking mass emails, but would they also concede to blocking of private web servers? Would the blocking of P2P be acceptable?
I've encountered numerous mail servers that are rejecting emails sent from cable modem and DSL users. I think that that is a significantly more responsible solution, even though it may not be as efficient. I feel as a paying customer of my broadband provider, I should not be prevented from emailing whoever I want, in whatever manner I want, though I cannot force any mail server to actually receive my emails.
This sounds like a really dumb idea to me (It might be time to shit can their principal scientist) Not only will it be easy to get around after someone figures out how it works, but it sounds like something that should be done more centrally, maybe at the ISP level instead of each individual cable modem.
Actually if this "scientist" did his research he would have found it has already been done by ISPs. Cox.net blocks outgoing port 25 so you are forced to use their email servers. I'm sure they have something in place to prevent an outflow of spam.
ISPs can block whatever they want because all traffic must flow through them. Therefore this is an old idea, that may just need to be implemented in more places.
..in Japan.
No. See. There's a difference.
On those routers, it provides functionality. It allows software the ability to portmap itself to allow functionality as a server. For P2P, for instance, that's a boon.
On a firewall specifically designed to block outgoing attacks, that is a worthless function. It would, however, allow malicious programs free access, making it worthless.
If you can't see the difference, you're hopeless.
..when it was called "egress filtering", done at the ISP's hardware.
This guy shouldn't even get the time of day on Slashdot.. what's next:
"To filter spam we should use DNS to publish the IP addresses of spamming hosts. I call this 'DNS-based Naughty Lists' or 'DNSNL'.. no one ever thought of this before.. I AM TEH GEN1US!!!!!!!!!!!!11111111111"
so how did you post to slashdot?
----
http://www.hellection.com
Better yet, make the thing totally configurable so you can block all of the spyware inherently loaded into Windows. Not only can you lock down all incoming ports, but lock down all outgoing ports. Of course.... iptables already does this. Just one more way they need 3rd party hardware/software to catch up to what Linux is already doing.
Mod points are pointless when you browse at -1.
how am I supposed to crash Half Life servers when some admin is being a real dick?
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
If we can't get people to run anti-virus software to scan their systems and remove viruses, how can we hope people will run a reverse firewall?
Installing anti-virus software is not too difficult but apparently too difficult for a significant number of users. If we can't get people to install anti-virus software to keep the viruses from destroying their hard drive, how can we hope they'll install a firewall to stop their machine from sending spam?
-Art
Anyone who takes control of your PC will also use it to punch open holes through your firewall to allow spam to go out through the modem/router/whatever!!
Your company advocates a
(x) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
(x) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Extreme stupidity on the part of people who do business with Microsoft
( ) Extreme stupidity on the part of people who do business with Yahoo
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(x) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
( ) Sorry dude, but I don't think it would work.
(x) This is a stupid idea, and you're a stupid company for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
This proposal is different, though - it's saying that ISPs should restrict Port 25 by default, but let customers have it turned on if they do want to. That means that you can still do what you want, but if you weren't using it, and you get some Outlook virus because you're careless, you won't go spamming everybody. Some cable modem companies have started doing this, and it's much more reasonable than the policies that they used to have.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
The idea of putting that sort of thing near the customer (in the ISP) isn't new at all. It's been promoted and advocated for years. There's just one problem: ISPs don't want to do it.
They claim that they're just in the business of moving bits from one point to another. They dig in their heels and resist just about any sort of filtering on their customers. There's just one irony: They all whine, moan, and complain when someone else's infected/stupid/malicious customer causes problems for them, and the other ISP doesn't take care of it.
I can't tell you how many times I've been approached by people, and asked "Why doesn't anyone offer a service where you're protected from (insert virus/spam/whatever)?" While I haven't (yet) started a business doing it, I've made quite a few people happy by giving them email through my mail server, where any executable attachment is blocked. A couple of times per year, it'll block a legitimate email. But (literally) tens of thousands of times per day, it's preventing malicious email from ever hitting their computer.
steve
Oh, you're not stuck, you're just unable to let go of the onion rings.
Why rate limit? Just shut off the port altogether. Unless they are running a mail exchanger, cable/DSL users should not be using port 25; they should use SMTP Auth over port 587 instead. If they are running a mail exchanger, then that person should have the port open for as much traffic as they need.
I use zonealarm. Most of the time it's a nice sane product, and the price can't be beaten. That gives me an alert every time a new piece of software tries to access the net, for both outgoing and incoming connections. I then get to choose whether to always allow the program to make the connection, or just allow that particular instance.
Only problem is it's impractical to disallow common programs from connecting for themselves. So a trojan infecting one of these would make this feature useless. Perhaps what we need is an "allow x number of connections per y time" feature. That would stop floods and DDOS attacks at least.
These posts express my own personal views, not those of my employer
But then what will happen to you? You are just a lamb surrounded by wolves.
I have linux and, as far as I am concerned, have never been subject to such worms spreading by mail. So my situation is similar to a windows system properly configured to block outgoing mail.
The fact is that I receive a lot of email from those worms, which obliges me to configure spamassassin on my computer. I think that an anti spam filter is more efficient, at first, and quite easy to configure to block harmful spam. Moreover, before trying to fix what goes out from your computer, if the incoming traffic were stopped in the first place, no unwanted outgoing traffic would even exist.
I really think that the problem comes from lax default firewalling rules (if any...) in Windows systems: if there were a blocking one for incoming traffic, it would be a good thing for the average Windows user, who would have to take firewalling into account if he wants to act as a server. At least he would know about the problem...
ZoneAlarmPro is best known for its ability to control outgoing traffic. However, lesser known is its ability to control outgoing email, by specifying which applications can send email, along with how many emails are sent at once before an alarm is raised about a possible virus/worm, and the offending application is frozen by ZoneAlarm until the user intervenes & allows it permission to do so. So, the functionality of the reverse firewall to reduce spam that the author is asking for is already available.
I think that convicted spammers, and especially crackers and virus writers, should be executed on public TV. The method of execution should be particularly gory and disturbing to watch. Firing squad, electrocution, hanging, beheading, and especially disemboweling would all be my top choices.
I think that all executions should be shown on TV. How is the death penalty supposed to be an effective deterrent if no one ever sees it being used?
Aren't they packet filters that can be configured to allow or deny in any direction on any interface?
"Reverse firewall" seems to assume a bit too much to me. It seems to assume that one side is untrusted and the other side is trusted. But that is for the admins to decide. Regardless, what they will use in both cases is a firewall!
Do we really need the term "Reverse firewall" for a firewall configuration that is pretty obvious for that given problem?
I guess my OpenBSD PF firewall is a firewall, reverse firewall and whatever the next firewall flavour of the week will be.
If it's not much extra to have embedded into a router, I would get it in a second.
Sure, it would be a better idea. But how long would this take to implement? Just take the example of ICANN adding IPv6 to their root servers. They expect it'll take 20 years before IPv4 is out of the business. How many years would it take for SMTP/POP/IMAP? 10? 15? 20? ... not to mention how long it would take for the new protocols to be developed and accepted by the major players.
VeriSign's idea is a quicker but uglier solution.
/John Sjolander, project manager Contribio
The manufacturers will make the cable modems etc. with this feature and the ISP will sell them.. or they'll become common and everyone will have one...
The problem with anti-virus software is it's an ongoing commitment.. with this thing there would be much less user maintenance needed.
When a real letter comes from my bank, it is printed on letterhead with a prominent bank logo.
Every snail mail I get from my bank is done with a laser printer - pretty easy to fake the bank logo.
No electrons were harmed creating this post, though some may have been subjected to electrical and/or magnetic fields.
Provided the clueless millions install the Service Pack, that is. They obviously don't use updated anti-virus software to stop the mass-mailing worms, so I won't hold my breath. Everything you ever wanted to know about SP2, and many things you didn't, is here.
When I am king, you will be first against the wall.
Reverse Firewall is essentially what ZoneAlarm and ISS try to do by explicitly requesting permissions for changed/modified programs. Although, if poorly configured it may not do the job. I don't really understand how a reverse firewall will actually help since firewalls generally work at the Network layer (if performance is of any concern) and therefore will allow the legitimate traffic such as email. Maybe a reverse intrusion prevention/detection system would be more apt to detect traffic abnormalities such as a high # of emails being sent in a short amount of time. Just have MS build secure code and we would not have these discussions. /.
With all the worms, spyware and apps violating users' privacy, we need a strong security model for individual processes rather than just different users.
Let's say, by default the application is allowed to only open one top level window and access its own directory on the disk ala chroot jail. No internet access at all. Users can pick the application type from a list of profiles, for example "A typical web browser", and further edit permissions manually. Only privileged system processes will be able to install or modify executables. Now try to turn my PC into a spambot.
fantastic can we get more of this IT pr0n.
This reminds me of an old joke.
Our university doesn't need a firewall to protect itself from all the "hackers" on the internet, the internet needs a firewall to protect itself from the students at the university.
Not funny? Try telling it at a party, really late..
I just think it's funny that VeriSign's "chief scientist" said we should use "reverse firewalls" ... I'll foil his plans by installing a reverse router with dual reverse Ethernet switches between my hosts and my cable modem. And I'll connect it all using my reverse CAT6 cables. This way, by the time a packet arrives at the reverse firewall it will already have been reversed...in which case...uhhh...it will be re-reversed and forwarded normally. Yup.
I'm gonna go to reverse sleep now.
"A clear conscience is usually the sign of a bad memory."
no, the server is the vampire. The wheels are its markings. ~We's dumb...dumb as hell.
They already have this. For internal accounting they keep track of everything traffic related, ports, amounts, frequency. If you abuse it, they send you a letter. This is governed by laws [in most sensible democracies].
Stop eroding our rights under a smokescreen of SPAM prevention.
Yes should start from the big companies and move to small ones.
Chris,
Php Programmers.
A lot of spam originates from servers located in China, Taiwan, Hong Kong and Korea. I don't plan to receive mail from these countries in the foreseeable future; yet, spamassassin doesn't catch all the spam they send me. So I designed a tool to filter them at the firewall level: netfilter iptables geoip
In the business world, the need for egress filtering (i.e. what they are calling a 'reverse firewall') has been needed and met for a long time. For example, my network's firewall only allows *out* legitimate traffic, rather than the typical NAT home broadband router which by default blocks in on all, but passes out on all. My default rule is block in on all and block out on all, and only open port/IP combinations where there is a definite legitimate need to be met.
Many people fail to see the value in egress filtering by default - most small-business network administrators see the obvious need to protect their network from incoming traffic from the Internet, but don't think about the consequences of a cracker getting in and being able to defeat your ingress filtering by having their machine listen to a port, and then remotely (say, via a webserver vulnerability) have a shell connected as an *outbound* connection to their machine. Not to mention that egress filtering helps you be a good net neighbour - if someone manages to run a trojan, it's at least contained.
Oolite: Elite-like game. For Mac, Linux and Windows
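The two posts above describe a default-deny egress policy (block out on all, then open only the port/IP combinations with a legitimate need) and the reverse-shell case it defeats. The following is an added example, not code from the thread or from any product named in it: a small policy evaluator that applies such an allow list to constructed outbound flow records, and renders the same policy as iptables FORWARD-chain rules for a Linux gateway. All addresses, the `wan0` interface name and the flow records are assumptions made up for the illustration.

```python
"""Default-deny egress policy: evaluate outbound flows, render iptables rules.

Added illustration, not code from the original discussion. The network
layout, addresses, interface name and flows below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

@dataclass(frozen=True)
class Rule:
    src: str      # source network allowed to originate the flow
    dst: str      # destination network
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    comment: str

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

# Explicit allow list (constructed). Anything not matched is dropped.
POLICY: List[Rule] = [
    Rule("10.0.0.0/24", "0.0.0.0/0", "tcp", 80, "web"),
    Rule("10.0.0.0/24", "0.0.0.0/0", "tcp", 443, "web"),
    Rule("10.0.0.0/24", "10.0.0.53/32", "udp", 53, "internal resolver only"),
    Rule("10.0.0.25/32", "0.0.0.0/0", "tcp", 25, "only the mail server speaks SMTP out"),
]

def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return ("ACCEPT", why) for the first matching rule, else ("DROP", why)."""
    for rule in policy:
        if (ip_address(flow.src) in ip_network(rule.src)
                and ip_address(flow.dst) in ip_network(rule.dst)
                and flow.proto == rule.proto
                and flow.dport == rule.dport):
            return "ACCEPT", rule.comment
    return "DROP", "no explicit allow (default deny)"

def render_iptables(policy: List[Rule] = POLICY, wan: str = "wan0") -> List[str]:
    """Render the policy as FORWARD-chain rules for a gateway box.

    Traffic routed through the gateway traverses FORWARD, not OUTPUT;
    OUTPUT only governs connections the gateway itself originates.
    """
    lines = [
        "iptables -P FORWARD DROP",
        f"iptables -A FORWARD -o {wan} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in policy:
        lines.append(
            f"iptables -A FORWARD -o {wan} -s {r.src} -d {r.dst} -p {r.proto} "
            f"--dport {r.dport} -m conntrack --ctstate NEW -j ACCEPT  # {r.comment}"
        )
    # Log what falls through so the owner can see what was stopped.
    lines.append(f"iptables -A FORWARD -o {wan} -j LOG --log-prefix 'egress-drop: '")
    return lines

# Constructed flows: a normal browse, a zombie sending direct-to-MX spam,
# the real mail server relaying, and a reverse shell from a cracked web host.
SAMPLE_FLOWS = [
    Flow("10.0.0.17", "198.51.100.5", "tcp", 443),
    Flow("10.0.0.17", "198.51.100.5", "tcp", 25),
    Flow("10.0.0.25", "198.51.100.5", "tcp", 25),
    Flow("10.0.0.80", "203.0.113.9", "tcp", 4444),
    Flow("10.0.0.17", "8.8.8.8", "udp", 53),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict, why = evaluate(f)
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}: {verdict} ({why})")
    print("\n".join(render_iptables()))
```

The point the second post makes is visible in the fourth flow: the web server's outbound connection to port 4444 matches nothing and is dropped, so a shell pushed out from a compromised host never reaches the attacker. Note that port-based egress filtering is only as good as its allow list; a bot that speaks to its controller over port 443 still gets out, which is why the volume and destination checks discussed later in the thread are a useful complement.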
Apart from the annoying debasement of the word "scientist", this really does reveal VeriSign's view of the function of the Internet and, unfortunately, it's becoming more common.
If I buy an "Internet" service I have a reasonable expectation of being able to run any service I can encode in IP packets and have that service routed transparently end to end. I *should* be able to run a VPN, remotely mount filesystems, use VoIP or even run a mailserver if I want to. If I can't it isn't an Internet.
Increasingly, ISPs seem to think that providing a link to their web proxy and a POP3 mailbox constitutes an adequate service. It might be for some people, but it's not the Internet, it's CompuServe revisited. It's good for ISPs though, because they can start charging you extra for "services" which simply involve them removing rules from your compulsory firewall.
I had to actually phone them to ask them to turn it back on when it happened, because naturally they were blocking me sending an email to request it. But it's good that it's there now, even though it did mean a bit of inconvenience in the beginning.
Karma: It's all a bunch of tree-huggin' hippy crap!
but a firewall is a piece of software which allows or denies packets based on their properties; it cares not in which direction they are flowing.
A reverse firewall, then, is just a firewall. It's like the difference between a slash and a forward slash (pet peeve). In fact, if you use an iptables or ipchains firewall, you only need a few extra rules to implement this on your gateway machine.
What about startup companies that don't have a huge corporate mailserver and the know-how to set one up? Should sending newsletters be this difficult when it's blocked by the ISP? If it were only spam I would agree, but you can't for example make media unreadable so that people can't copy it? If I buy a CD I expect it to play on my computer or CD player just as much as I expect to be able to send out newsletters from my home to subscribing customers using my ISP!
I'm not talking about unsolicited email, I'm referring to what makes the Internet an incredible resource in communication! Reverse firewalls would probably block a percentage of spammers who don't have their own servers but also the startup companies that rely heavily on their home DSL account.
Also, spammers, my friends, don't all live in America... so I am NOT pro this ridiculous idea of blocking mass emails not knowing the content of them... what's next? ISP customer blacklists? How would one acquire those blacklists as an ISP? Read the customer emails? lol...
...a "reverse firewall" was called the OUTPUT chain.
too late ... http://yro.slashdot.org/article.pl?sid=04/07/20/1015234&tid=95&tid=17
`find / -name "*your_base*" -exec chown us:us {} \;`
Perhaps it's just me, but egress filtering is the default behaviour on all FW boxes I set up. And I'm not even that much of a hardcore security geek.
"Consistency is contrary to nature, contrary to life. The only completely consistent people are the dead." A. Huxley
It is endlessly frustrating when there are posts like this.
Why isn't it obvious that the only traffic allowed in and out of a network or PC is that traffic that has been explicitly defined as being allowed. Even if that network consists of nothing but your home PC.
You don't "block email not coming from your server", you simply do not *unblock* anything but the traffic you need.
Explicit! Not implicit! Repeat until you either get it or you get someone else to do it that gets it.
Sigh.
This was disappointing five years ago, and will undoubtedly disappoint in another five.
koan
This signature intentionally left blank
Everyone stop saying "reverse firewall".
No, just stop.
A firewall is something that controls traffic flow through it. Not in a particular direction.
A reverse firewall is one that you have simply turned around. This just makes it harder to plug the cables in. Or easier if you are using non-specific hardware as a platform.
So don't say it anymore.
Oh crap look at Google, there are already 670 entries for "reverse firewall".
Damn, thats another one.
koan
This signature intentionally left blank
Your eager analysis is flawed.
The only people who will be affected are
1) those who use the ISP-supplied modem
AND
2) don't ask to have that feature disabled because they are running mailing lists
Most users with trojan'd machines are not running a mailing list, are using the ISP supplied modem and will not be asking to have this feature disabled.
You are correct when you say it requires co-operation from many people at once, but each ISP that uses it gives their customers an advantage as spamming moves to other networks and their customers avoid being black-holed.
Most cable ISPs have remotely updatable firmware so it is technically manageable - I think this covers any valid parts of your "lack of centrality" objection, and the fact that the end user is not required to install any patches.
Sam
blog.sam.liddicott.com
SPF is flawed, and won't become a popular standard for reasons like this.
I don't want to debate about it, but the few people who behave against the SPF rules in the various different ways add up to a lot of people.
If folk don't want to hear from me because of SPF, then I don't want to talk to them.
Sam
blog.sam.liddicott.com
yeah just like all the other "personal firewalls".
I believe there is a future for this afterall:
"welcome to the setup of your personal firewall. To install some personal settings please answer the following questions:
- Do you click on banners.
Yes / no / Banners?
- Do you use floppies and CDs provided by your idiot neighbour.
Yes / no / also from my uncle
- Is your default webpage www.msn.com.
Yes / no / Banners?
- You have created a personal webpage about your hobbies.
Yes / no / with my cat
- Running Outlook and Outlook express.
Yes / no / I like it
- Paid for more space on the hotmail account.
Yes / no
- You made friends with a Gorilla.
Yes / no / I like him because he is purple
- Do you trust company popups that try installing software.
Yes / no / They are here to help me run the internet, aren't they?
Thank you for filling out these questions, your personal setting will now be chosen. While we are doing that please fill in as many square boxes below as possible and a few email addresses from YOU and your friends so we can GIVE you information for FREE......
Setting found. If one of the questions above was not "no", your personal firewall will be put in the L-User setting, disengaging internet connection now, thank you, go read a book or play solitaire........still here? the setting was permanent, shoo, SHOO, rebooting now......
Message from god, Please logoff, rebooting the Universe
I'm sure this would conflict with some mailing list senders who have many contacts and decide to send all the emails at once, that always gives a burst in email sending. This would block all the messages from your mailing list.
Have you metamoderated recently?
Router manufacturers compete on features, and that includes security. See for example Cisco's "Network Admission Control", or HPs "ProCurve Networking Adaptive EDGE Architecture". It may take a while for those sort of security features to appear in consumer products, but defending the rest of your enterprise network against an infected PC is a real market for the router and switch manufacturers. If a particular idea is not taken up it is more likely that the people who really know the business think it will not work.
Everyone is harping on the fact that the term "reverse firewall" is not really accurate. But, there's a more important issue here, and that is the idea that one of these should be forced on anyone who has a cable modem or access point. They're talking about taking more control away from Internet users, which I believe is the wrong thing to do.
a reverse firewall will keep Megabyte and Hexadecimal bottled up in the Tor... :)
The Mongrel Dogs Who Teach
What is the chance of getting everyone out there behind their own reverse firewall? Slim, very slim. However, blocking outbound port 25 at the ISP's router is the way to do it at the flip of a switch and still maintain the flexibility of opening it up to those users who have a business need or have demonstrated the "know how" to run their own mailserver. We can't even get all ISPs to block port 25, how you gonna get aunt Jane and Kazaa-loving cousin Sally to bother going down to Costco to pick up a router with reverse firewalling built in.
Blocked outgoing port 25 except from my Linux mail server.
My three-year-old daughter is an Administrator on my Win2k box (mutter, mutter, stupid Bob the Builder game), so if she manages to do anything that compromises the box, I won't be churning out spam now.
Ydco co
I set up a firewall at a medium-sized company and the only machine which was allowed to connect to some remote machine on port 25 was the mail server. In a similar vein, the transparent proxy was deliberately set up to break LookOut Express HotMail over HTTP.
Simple things like that, default to deny for both inbound and outbound, virus checking on the mail server: they all greatly reduce the risk of these Windows plagues.
And I thought it was all pretty much standard practice.
I personally think that individuals should take more responsibility for their equipment. It's not really the ISP's business to put in firewalls - perhaps if the users were to pay for the additional service, then the ISP can provide... The individual can always put in a firewall themselves which would only allow port 25 connection to their ISP's mailserver.
Perhaps - a "mandatory" additional fee for a firewall for those who do not have an operational firewall?
Just thinking aloud....
-- The universe began. Life started on a billion worlds...
-- Except on one where stupidity was there first.
why run something to "fix" a buggy program. Fix the buggy program first. If MS doesn't fix it - throw it out!
what many ISPs are now installing on their servers. Bell South is now changing their servers so the clients must log in and verify their identity each time they send mail. BTW they told me they don't support Mozilla but do support Netscape! Idiots...
Netscape IS Mozilla!
Obviously, if the firewall rather than the PC becomes the main point allowing or denying access to the network then attackers will concentrate on the firewall instead. Lots of consumer-level firewalls are likely to have 'easy-to-use' features which can be exploited. Probably even a firewall control panel accessed from Windows, so all you need to do is crack the PC and wait for the user to enter the firewall password once.
Arguing that we should use reverse firewalls to stop exploited PCs sending out traffic to the network is an admission that expecting security on the PC itself is doomed and we should rely on something, anything else - that doesn't run Windows. I think it would be better to attack the real problem and try to make the typical PC as hard to crack as the typical consumer firewall. For those stuck with insecure systems (or systems which make it very hard for a naive user to keep his PC secure) a reverse firewall might be a useful sticking plaster.
-- Ed Avis ed@membled.com
And the cable companies would NEVER use it to shut down things they don't like, e.g., online gaming servers, p2p programs, etc.
If someone says he and his monkey have nothing to hide, they almost certainly do.
If you're running any reasonably modern firewall (or using Linux and iptables for your firewall) this is fairly trivial to setup.
Feelin' a little bashful over here, hence the AC . . . I'm an OS X user and using a Linksys WRT54G router (or whichever is their wireless g model). How do I set it up to kill outbound port 25 traffic with exceptions that I designate?
Support ethnic cleansing in Palestine and help censor the American press!
If you are at an American University we are recruiting active censorship drones to spy on fellow students, lecturers and guest speakers on behalf of the Israeli government.
We can stifle democratic thought and criticism of Israeli fascist oppression -But only with your help!
Free housing:In six short weeks we can show you how to build a rogue state by demolishing existing homes in Palestine and building new houses on top!
We are currently looking for experienced bulldozer drivers with a large western bank balance to emigrate to the expansionist state of Israel and call it home.
Simply choose a plot of land and start building! It's easy peesy!!
If your chosen plot is currently occupied by a Palestinian family, don't worry
-simply build over them!
It's as easy peesy as eeny meeny miney mo!
We can protect your residential developments on occupied land with experienced snipers in full body armour and appropriately armed Apache helicopters kindly donated by the American public.
If you are an American citizen with a view to emigrating to warmer climes and view of the Med, you may also be eligible for a fraction of the 3,000,000,000 (yes thats 3 Billion!) dollars donated yearly by American taxpayers to help support our broken-ass state.
Due to our endless appetite for weapons of mass destruction our economy is unsustainable and we require your support. WMDs don't come cheap you know. It costs $$$$$$s to terrorise a whole region.
Our military personnel can barely afford to maintain our arsenal of 200 nuclear weapons, spy satellites and attack submarines.
Give a man a gun and he can kill a Palestinian child. Give him a helicopter and he can kill them all.
Part-time vacancies available: We are currently in construction of the world record breaking apartheid wall surrounding the largest ethnic ghetto since Krakow.
The Israeli military is hiring expatriates preferably with a military background to monitor the prisoners and maintain watchtowers. If you are blinded by a covetousness of other peoples land, but have a keen eye with a sniper scope you would be the ideal candidate for our border watchtower division.
We need your help. Sponsor an Israeli colonizer.
Do it today. If anybody criticises you, just point a finger and call them anti-Semite.
It worked for the Liberty.
i've always held that a good firewall ruleset should have an 'east german borderguard' type mentality. all traffic going in and out on either side is suspect of being bad things.
all the concept of 'reverse firewall' does is demonstrate how inadequate and inappropriately named the 'built-in' firewalls that come on cable/dsl router/modems are.
"Omnis tuus capsa sunt inesse nos"
I've been using Zone Alarm to do this for years. And as I recall, Windows XP SP2 will include a bi-directional firewall. While it would be nice to have this implemented in a set-it-and-forget-it hardware solution, apps like Zone Alarm are free and quite effective.
Further, any effective hardware implementation will have to keep logs or send alerts because personally, I want to know what's being prevented from going out.
My mom always said, "Jim, you're 1 in a million." Given the current population, there are 7000 of me. God help us all!
A *REAL* firewall rather than a cheap firewall appliance
A "hardware" firewall is just a software firewall on another machine. As such, it's still complex to keep it setup correctly. You can get close to a default good condition, but it's not perfect.
"but it also requires the user to accept or reject applications requesting access (and knowing users, they will just click accept all the time)."
You got it. There is no easy practical way to actually know what all the requests, even when presented with them, actually *mean* right then at the exact second you need to make an executive decision on allow/disallow. You have the tool to do this, but not the knowledge to make the decision intelligently without a LOT of prior research; it is not default "clear" to most people. For one, you as joe user have to know which host/process/connect/in/out is cool or not. The firewall will do what you tell it to do, that part is not difficult, it's binary, yes or no, but if you don't *know* intuitively, in advance of being forced to make a decision, you have to *guess* if you want to continue surfing.
All the guy's talking about is egress filtering, and I too wish more people did it. Thankfully, some ISPs have gotten a clue and started filtering individual outbound services (e.g. SMTP) or installed intrusion prevention systems at their NAPs (e.g. RoadRunner Business Class, who block my portscans, the bastards). Unfortunately, egress filtering, like ingress filtering, requires detailed knowledge of your network in addition to appropriate Acceptable Use Policies, and your typical business or residential customers rarely have that depth of understanding.
I'm proud of my Northern Tibetan Heritage
Anyone who goes on record as saying "normal people have no need for [technology x]" will find themselves quoted to hilarious effect when, within ten years, "normal people" are using [technology x] as part of daily life.
Hollywood, Television, has become the dream machine. We need to take that back; each of us is a Dream Machine
This isn't new. It's not even something that security practitioners don't know about. It's just something that management doesn't want to implement in most cases, and that personal firewall vendors are afraid to.
It's egress filtering and every firewall in existence should have been configured to do it a long time ago. When done correctly, it can allow you to filter all of your outbound traffic with ease on your existing firewall.
"Reverse" firewall huh. That sounds a lot like Egress filtering to me. Don't all real firewalls do that?
I wouldn't trust stateful packet inspection on my "modem" as far as I could throw it. The firewall built into my old (not-so)Efficient 5861 DSL router was horrible. It had no stateful packet inspection, so you were letting in packets on ports outside the realm of established connections. The firewall built into my Cayman 3546 is smarter, but not very configurable at all. It's either on or off and I could map some ports, but it's not nearly as configurable as others.
The only thing I trust is my PF/IPF firewalls in place around the crappy DSL modem firewalls.
More than just tying the application to the port (email client to port 25) Zone Alarm warns if an excessive amount of email is about to be sent by the previously authorized client. My normal mail goes without a peep; my distributions to a mailing list gets a Zone Alarm confirmation.
With a compromised spam factory, such a volume warning may serve to wake up even the most naive user. OTOH, I wouldn't be surprised at a, "Oh that Zone Alarm thing? Yeah, it does that every night..."
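The post above describes a volume check: normal mail passes silently, while a burst of outgoing mail triggers a confirmation. As an added example (not code from the thread, and not ZoneAlarm's own logic, which the post does not detail), here is a sliding-window detector over constructed firewall connection log lines. It flags a host that opens outbound TCP/25 connections to many distinct destinations within a minute, the direct-to-MX pattern of a spam zombie, while a user who sends everything through one ISP relay, including a mailing-list run, stays quiet. The log format, addresses and timestamps are all made up for the illustration.

```python
"""Detect bursts of outbound SMTP connections per source host.

Added illustration, not code from the original discussion. The log line
format, hosts and timestamps below are constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed log format: "<ISO timestamp> OUT <src>:<sport> -> <dst>:<dport> <proto>"
LINE_RE = re.compile(
    r"^(\S+) OUT (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+) (\w+)$"
)

def detect_smtp_bursts(lines: List[str],
                       window: timedelta = timedelta(seconds=60),
                       threshold: int = 20) -> Dict[str, str]:
    """Return {src_host: timestamp} for hosts that contact more than
    `threshold` distinct SMTP destinations inside any `window`.

    Distinct destinations, not raw connection count, is the criterion:
    a home user relaying everything through one smarthost keeps a
    destination set of size one no matter how many messages go out,
    whereas a zombie delivering direct-to-MX fans out across the net.
    """
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: Dict[str, str] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would count these
        ts_s, src, dst, dport, proto = m.groups()
        if proto != "tcp" or dport != "25":
            continue
        ts = datetime.fromisoformat(ts_s)
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct > threshold and src not in alerts:
            alerts[src] = ts_s                # first moment the burst tripped
    return alerts

def build_sample_log() -> List[str]:
    """Constructed log: one normal user, one zombie, one mailing-list run."""
    base = datetime(2004, 7, 22, 9, 0, 0)
    lines: List[str] = []
    # Normal user 10.0.0.17: three messages via the ISP relay over ten minutes.
    for i in range(3):
        t = base + timedelta(minutes=3 * i)
        lines.append(f"{t.isoformat()} OUT 10.0.0.17:{40000 + i} -> 10.1.1.25:25 tcp")
    # Zombie 10.0.0.42: fifty different mail exchangers in thirty seconds.
    for i in range(50):
        t = base + timedelta(seconds=0.6 * i)
        lines.append(f"{t.isoformat()} OUT 10.0.0.42:{50000 + i} -> 198.51.100.{i + 1}:25 tcp")
    # Same normal user sends a 30-recipient newsletter, still through the relay.
    for i in range(30):
        t = base + timedelta(minutes=20, seconds=i)
        lines.append(f"{t.isoformat()} OUT 10.0.0.17:{41000 + i} -> 10.1.1.25:25 tcp")
    return lines

if __name__ == "__main__":
    for host, when in detect_smtp_bursts(build_sample_log()).items():
        print(f"SMTP burst from {host} starting {when}")
```

The design choice matters for the mailing-list objection raised earlier in the thread: counting raw connections would flag the newsletter run, counting distinct destinations does not. The caveat is the opposite failure: a zombie that has learned to relay through the ISP's smarthost with the user's stored credentials looks exactly like the newsletter, so this check should sit alongside the per-application prompt the post describes, not replace it.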
Last I checked, my firewall blocks coming and going on 90% of the ports. It makes exceptions for things like FTP, POP3, IMs, etc... This reverse garbage isn't new. As a matter of fact, it's been around for a few years now. It's not a reverse firewall, it's just a well designed firewall. I picked up one for $100 at a shop years ago.
and it has been considered a best practice for a looong time. Unfortunately, it requires a little bit of knowledge, comprehension, skill and time, and most computer users will have none of that, hence Windows.
Why spend all the money to stick this stuff in DSL and Cable modems, when they should be signing up ISPs to block the ports at the gateway. Then there is no need to have all these companies distribute a hardware option.
This is like reverse Discrimination....
Is it a firewall or isn't it?
If folks won't use AV software or patch their computers, why would they bother to set up a firewall properly?
I find it interesting someone coined a new term to describe what firewalls have always already been able to do and the security community has preached about for years now.
I've been trying to articulate a request
for something like Little Snitch for over a
year. I knew it was out there somewhere,
but I never expected to find exactly what I
wanted - but on a platform that has (comparatively) little need for such protection.
Please folks... is there anything like the snitch for those of us who can't afford a modern mac?
Just like the ReBoot cartoon! SWEET!!!!
And I've been using it for years.
Great for stopping those pesky programs that like to "phone home to mother" without your permission.
I always thought that the purpose of a firewall was to filter traffic, whether it be outgoing or incoming. Isn't the term "reverse firewall" about as ridiculous as "reverse discrimination?"
*wraps his cable modem in tin foil*
GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
Try SmoothWall Firewall. A great open source and easy to set up and use firewall.
SmoothWall. And no router is gonna stop me from doing that!
Why not a ballistic armor firewall system. Anything like spyware etc when it hits your firewall fires back a kill program to the originator that terminates that system. After about .002 seconds probably half of the world's computers would be clean permanently.
Locks only keep honest people out.
...that "normal email" means "everything goes through my ISP's server." Wrong.
Look here and here.
This is slashdot...if you're here, you're probably a geek, and cheap to boot...build your own.
First link is for control freaks, second link is for putterers.
"Murphy was an optimist" - O'Toole's commentary on Murphy's Law
check mirage networks out
the firewall that the spam trojan is legitimate traffic?
I'm pretty sure that most folks see the little "Allow this application to connect?" dialog and click OK automatically. That's what Windows has been teaching them to do for eons... try and delete something, then click Ok. Try and close a program, then click Ok.
So when the firewall says "Do you want to allow Bob's Friendly Spam Puppy to connect to the Internet?" they just automatically click Ok. This is additionally reinforced when they click "No" after seeing "Do you want to allow msimn.exe to connect to the Internet" (What's that anyway - sounds suspicious!) and mail stops working. Oh oh! Better never click No!
There's no silver bullet.
Interested in a Flash-based MAME front end? Visit mame.danzbb.com
My ugrad Clemson did this back when I was there 97-00 to keep all the kiddies from sucking up bandwidth using p2p programs etc, as well as using dialpad, for which we made /. I believe.
"Not knowing when the dawn will come, I open every door." - Emily Dickinson
Egress filtering is a normal function of a normal firewall, so I don't see a particular need for some new "reverse firewall" paradigm.
Even newbie-oriented firewalls have been doing egress filtering for some time. See also: ZoneAlarm.
There's nothing wrong with monitoring outgoing traffic in the cable/DSL modem if the user has the option to control the blocking rules. All good (software) personal firewalls have this capability.
I like to know when some piece of commercial software suddenly decides to phone home. It's also potentially a good trojan warning.
This is actually a very good idea. It's the ISPs who choose which modems to use and their interests lie in reining back bandwidth usage, so they can put pressure on the modem manufacturers.
With a firewall in the cable modem itself, the cable company will be able to remotely configure it, and conceivably stop any kind of traffic they want to stop. Don't want you using P2P applications? Just firewall those ports! It's not like you "own" the cable modem anyway (most people just lease one). And even if you do own, they can just write a clause into the contract giving them rights to remotely configure it.
Before you know it, cable modems without such firewalls will be banned from the network.
Sorry, I'm not installing any piece of hardware that I don't own, is under direct control of the cable company, and can be used to filter my outgoing traffic. Not in a fucking million years. And definitely not in the name of "stopping spam."
"Stop spam" has become the cyber equivalent of "Save the children." It seems we're willing to throw away far too much in return for too little benefit.
All that's needed is for the OS to properly disable commonly unneeded/often abused ports until a user manually decides to open them. For example, Windows typically comes with most ports open, whereas OS X comes with most ports closed. The reason for setting most ports closed by default is because most users are unaware of how ports are used and that certain incoming/outgoing ports should probably be disabled unless there's a dedicated reason for opening them. It shouldn't be the responsibility of the user to have to install some sort of "reverse firewall" program, it should be the responsibility of the OS to close "unsafe" ports by default and provide the user with good recommendations for port open/close actions based upon the actions they want to perform.
Firewalls work both ways, in and out. Which side is "in" and which side is "out" is also just a matter of definition and which network connection you connect to which port.
I think what they meant to discuss is "egress filtering" and this is not by any means a new idea. see "Consensus Roadmap for Defeating Distributed Denial of Service Attacks" at http://www.sans.org/dosstep/roadmap.php from February 2000 for one prior example of this concept.
the same.
today:
1. infect PC
2. zombify it
3. ???
4. profit!
with that crap idea in place:
1. infect PC
2. zombify it
2,5. run some code to change the modem settings from the lan side.
3. ???
4. profit!
On the other hand, i mean, the regular user hand:
1. buy a PC and pay for an exorbitant adsl service
2. use it
with that crap idea in place:
1. buy a PC and pay for an exorbitant adsl service
2. get lots of legitimate services blocked because of crap implementations of crap idea.
Here's what I did. I bought a Netgear FR114P (combination router, firewall, switch, print server). I also bought a subscription to secure-tunnel.com, which allows me to tunnel out web, mail, news and some other traffic through their anonymizing servers. Then I put rules into my Netgear firewall to block ALL inbound traffic and block ALL outbound traffic. Then I put in exceptions for my secure-tunnel connections outbound to secure-tunnel's servers. I use Mozilla Thunderbird and Firefox, which do their own proxying rather than tying into Windows proxying. Result? Nothing on my system knows how to secretly call out anymore. No need for ZoneAlarm or any other kind of software solution. Nothing gets in or out unless I allow it. I tellya, for $80 you can't do much better than that.
For games, I open explicit ports only when I'm playing, so I can even game (very easily) with this setup.
Next step is to set the parents up with a rig like this. It's cheap, and the peace of mind rocks. And it's fun to watch spyware like RealPlayer flail around trying to call home.
Reverse firewall?! Only when I set it up. I don't want the cable or DSL provider deciding what can connect out of my machines!
And given the rock-solid nature of the platform in question, there's no way the bot software would ever be able to reprogram the `reverse firewall' to let the floods out anyway. Uh uh, no way.
Instead of calling in egress filtering, I'll call it a reverse firewall. Now, gimme loads of cash for being an internet consultant.
Excuse me, i'm going to go get a coke out of my compressor driven kitchen heater ( turns out the inside of it is cold! ).
I thought Verisign was a digital security company. Yet they don't know how a firewall works... and these people go around signing security certificates. Wow am I ever impressed.
For some reason evil monopolistic companies and stupid uneducated companies seem to always be the same.
Hypocrisy is the 8th deadly sin.
reverse firewalls are like 'inflammable'
True. But the rest (95%) of the population will just fsck up our internet because they will use the store bought UPNP enabled ones.
Just sayin... any human implementations possible?
Otherwise known as a firewall.
meh
While it's hard to believe someone who should know better will actually state something like "reverse firewall", an idiosyncrasy common to denial-state bureaucrats who have long been resistant to giving control to the users and to applying better methods of security policy and measure, it's a sign that finally industry is making a step toward breaking that set-it-and-forget-it NAT'd mask as the only line of defense, an old odium among many security and control freaks.
Perhaps VeriSign can convince enough cable and dsl providers that setting security policy on the both side of the fence instead of simple NATing is a common practice.
"Don't let fools fool you. They are the clever ones."
one-way communication that you pay a subscription to access the "content" of
brilliant.
Up-to-date antivirus software and a hardware firewall will stop most of those machines from ever being used as open proxies or open relays, and you can sell it on the "hey, just buy one of those 'hub' thingies, and you can connect more than one computer to the internet at the SAME time!" (from past experience, try to stand back so when their jaws drop they don't hit your shoes).
Even non-techies are cheap...they'll bite, especially on a pitch made by their personal geek friend.
"Murphy was an optimist" - O'Toole's commentary on Murphy's Law
I'm something of an inveterate language geek, and now a professional linguist (translator), and I read your post and the linked page with some interest.
Coming away from the linked page, I found myself thinking a couple things. For one, if the Latin speakers of the time considered "virus" a non-count noun, this clearly denotes a quite different concept from the modern one. In such a case, it makes sense for the word to change (i.e., to grow a plural when previously it had none).
For two, I find it admittedly unexciting that some English speakers should choose the "us -> i" for the plural. Sure, that might be inconsistent with the original Latin, but then so is the whole concept of the plural "virus" to begin with. (Incidentally, though the linked page was quite scandalised at the thought of anyone using "octopi", nowhere did it say what would be the correct plural; furthermore, Merriam Webster lists both "octopi" and "octopuses" as the plural forms...)
Waxing somewhat philosophical, I ask what is a word, in your view, and posit that languages change. My point is that, ten years ago, "blog" was not a word, while now it is widely understood. "Virii"/"viri" may cause some (considerable) cognitive distress, but if it has common currency, is it not a word? If it isn't, what would it take to make it one? I'm genuinely curious as to what you think, and would appreciate a response.
"What in the name of Fats Waller is that?"
"A four-foot prune."