Slashdot Mirror
You Don't Need an Antivirus (Except Microsoft's Built-in on Windows), Says Former Firefox Developer (ocallahan.org)
Former Firefox developer Robert O'Callahan believes that antivirus software is not necessary, AV vendors are of little help, and that you should uninstall your antivirus software immediately. From a blog post: Users have been fooled into associating AV vendors with security and you don't want AV vendors bad-mouthing your product. AV software is broadly installed and when it breaks your product, you need the cooperation of AV vendors to fix it. (You can't tell users to turn off AV software because if anything bad were to happen that the AV software might have prevented, you'll catch the blame.) When your product crashes on startup due to AV interference, users blame your product, not AV. Worse still, if they make your product incredibly slow and bloated, users just think that's how your product is.
i do all my porn and risky surfing on a VM on my main computer that i keep shut off unless i'm using it. and i avoid virtually all chrome extensions unless they are from someone i trust with a real corporate email in the contacts.
...VIRUS CLEAN ANTIVIRUS
The writing has been on the wall for a while now. You rarely get "just AV" when you install an AV product these days. You end up with a whole suite of value added applications like password managers, system optimizers, registry cleaners, web site scanners, IPS and content filters, etc.
The reactionary system we have been living in was never very good. Relying on signatures to detect malware is a fundamentally flawed system. As the operating systems and, more importantly, the applications that run on them become increasingly secure, the need for the signature-based AV systems declines.
Any AV software company has seen this coming for a long time. At least I would hope they have.
My eyes reflect the stars and a smile lights up my face.
Do they? Everyone I know associates AV vendors with bloatware/malware. Except for, say, MalwareBytes. There are exceptions, just not many.
Further, any software you install likely creates new security holes in your system. By installing an AV you are likely opening up more holes then you are closing.
There are three main sources of security holes:
1) Holes in the OS that the OS manufacturer needs to close
2) Holes in installed software that the software manufacturer needs to close
3) Holes in the user's general security intelligence.
None of those are solved by adding ANOTHER software suite.
I started removing AV from clients computers years ago. All it does is slow your PC down. Every time I had to deal with an infection, the PC involved had AV, that was sometimes very hard to remove.
malware removal services should just be a tax on the easily confused.
I like to have Malwarebytes on my machines.
The textfiles site has a collection of old CD. One of them has virus signatures that trigger Windows Defender, among others, and some of them are quite harmless.
I don't use AV, but the average person still needs it. The average person either doesn't know or doesn't care what they are clicking on. As part of a layered defense strategy for the average user, it is still needed. Personally, I don't like AV stealing my CPU cycles. I use other methods, common sense chief amongst them, to prevent infection.
These days one of the best AV products is a good ad blocker. I can protect myself from sketchy downloads: don't download sketchy software or from sketchy sites. I can't prevent some asshat from exploiting a zero day in a browser through an ad on a mainstream site, except by blocking all ads on all sites.
*Yes, trusted sites can be comprised and it's happened in the past where downloads were infected but the odds that I'll download that software during that window where the infected files are being handed out are about the same as me getting stuck by lightning.
I browse on +1 so AC's need not respond, I won't see it.
Let's be real with ourselves. Nowadays the vectors for attack are easily protected so long as you use a modern browser that sandboxes itself and use an ad blocker you really don't need anything more than the built in AV and firewall tools for windows. I don't even think OSX provides an AV tool.
I haven't paid for antivirus software since 2005 which was coincidentally when I discovered Firefox and Adblocking extension.
I'll stick with the free tools.
This would be why even Windows Defender has an option to ignore files and directories of your choosing.
AV products actually make you less secure. They act as a MITM, replacing certificates with their own and totally defeating the purpose of TLS/HTTPS.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
That and organizations with more than ten PCs running Windows 7. The last time I checked, the built-in AV on Windows 7 (Microsoft Security Essentials) was licensed for use only on up to ten PCs in an organization, after which the organization is expected to either A. buy the appropriate Windows Server license and the appropriate Microsoft System Center 2012 Endpoint Protection license, or B. upgrade to Windows 8 or later where MSE was integrated into Windows Defender.
With Malwarebytes and BitDefender. I don't go for the big all-in-one "security quites", so the simpler approach works great for me.
Eat the rich.
always use an ad blocker
How will this remain practical once more sites follow the lead of WIRED and The Atlantic and start showing paywalls to ad blocker users? If you view one document on each of 20 different sites in a month, would you find it affordable to buy a $4 per month subscription to each of these 20 sites?
They suck your ram, bombard you with ads and tracking and they try to be an operating system over what used to be a static document viewer.
This story needs some APK posts.
All you have to do is limit your browsing (stay away from porn/downloads)
Is there a reason that erotic videos can't be made safe? And if you have a gaming PC, how do you obtain games other than through downloads?
For the last 10 years I've had a laptop that I've used solely for web browsing/anything we based... and a gaming PC that only connects to the internet for games
Or just abandon the PC platform entirely: do non-gaming on a tablet running a smartphone-derived operating system, possibly with a Bluetooth keyboard, and use a PlayStation 4 for gaming.
I've been running AV free since the early 2000s up until MSE came out, and constantly took flak from self declared IT experts whenever I mentioned it (they'd insist that my computer must be an infected cesspool and I was just too dumb to notice). tbh I'm actually surprised the comments here aren't filled with people insisting that aftermarket AV is an absolute necessity and insinuating that the mozillia developer must be in league with some botnet owners.
I find that SPI firewalls, execution prevention, careful permissions for limited users, NoScript and other tools are far superior to an AV.
Liberal OS policies and platforms are not ideal for anything you;d hate to lose. Often you would not know that something malicious is running.
With multiple layers of security on a system that does not change often you can have fine grain control of anything. An odd internet connection attempt, a never heard of before program attempting to run etc -that reasonable easy to catch.
AV vendors have been packaging (shoving) everything included as soon as they realised AVs are done. Unfortunately the desktop class products are often more trouble than they are worth.
That being said, I still advocate the complete security packages from AV vendors for users that know little being logging into facebook. They are clueless and could not manage a complex system a "security suite" type program is their best bet.
A 'singular oddity' is an event that cannot be explained and only happens when you are alone.
Also, don't go to any sites with ads as they're a significant virus vector.
But wait, you're here so use an ad blocker.
But wait, some have been paid by ad co's to allow their ads. Including infected ads.
Now keep a list of which ad blockers, AVs, websites, official emails, are good. This week.
There are two types of people in the world: Those who crave closure
of the better commercial products. Kaspersky will typically catch 40% more bugs. All the people going "prevention is the best medicine" are right but you still need AV for when prevention fails. Across an institution with a thousand computers that is just bound to happen. It's only a question of how many times per year. And Kaspersky is dirt cheap. That's what we use where I work and that's what I use at home too.
an appliance [...] prevents anyone from programming aka becoming more productive [and] stops users reaching enlightenment and getting the computer to do what it's for - lots of repetitive tasks in an automated manner.
Which elicits a big "So?" from appliance fans.
The majority of the population do not read Slashdot. I imagine that most either A. use computing devices for entertainment rather than "becoming more productive" or B. prefer to outsource the programming to a specialist rather than "reaching enlightenment" themselves. For evidence of these, look at the popularity of iPod touch, iPhone, iPad, PlayStation 3, Xbox 360, PlayStation 4, and Xbox One. For evidence of preference of delegation to a specialist, look at the popularity of services such as Jiffy Lube rather than doing your own car maintenance.
Sites that require an exception in ad-blocker or a subscription are also sites that are unable to afford to be reckless with the advertisers they allow on their site. It's really about placing the responsibility on the site to make sure they are not serving up malware in ads.
Instead of using an "ad blocker" that tries to be smart, I use uMatrix to block everything except what I specifically choose to whitelist.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
I run Linux, a browser with ad blocking, and a hosts file with 94.5k entries (for shady sites) that redirect to a dummy IP.
My beliefs do not require that you agree with them.
Well, either you stop reading those sites, or you wait for adblocking to catch up. This is an arms race, and I am not about to give total control over my computer and my internet connection to an industry that has such a bad track record. A few articles are just not worth the annoyance and risk.
I think most of us have been bit too many times by the bloat that products like Norton AV and McAfee represent. Norton in particular is just a resource hungry monster, and as a good many of the machines in our organization are about seven or eight years old, the idea of putting that kind of CPU cycle ravisher on them fills me with horror. In the end, we upgraded to Windows 10 (a rather mixed experience), and just used the built-in Windows Defender plus a pretty locked down network and good backups so if, somehow, some ransomware gets loose, our actual data loss is fairly low. And that's really the lesson here, AV has never been the entire answer, and relying on it in the absence of good practices and user training has always been a dangerous path.
The world's burning. Moped Jesus spotted on I50. Details at 11.
Don't visit porn sites either. Its not hard...
Well there's your problem.
He's getting rather old, but he's a good mouse.
By 'downloads' I was referring mostly to friends that still torrent a LOT of music/movies, and are always having problems with malware, etc.
Has there ever been a noticeable attack using corrupted music/movie files? I mean ".mp3," ".avi," etc. - Not ".mp3.exe," or ".avi.zip."
He's getting rather old, but he's a good mouse.
Off hand I can remember an attack on GStreamer's support for Super NES audio. The interpreter for the Sony SPC700 had some serious bounds checking defects, allowing a program running on the emulated SPC700 to manipulate host memory.
if you put up a paywall or block adblockers, you lose my trust and my readership.
If the majority of an online publication's readers run an ad blocker, how would you recommend that it keep its servers on and connected to the Internet and a roof over its writers' heads? After ads and subscriptions, what is the third funding model?
Use a script blocker instead of an ad blocker, and only whitelist the main news page.
Their answer to NoScript is to make everything past the abstract JavaScript-dependent.
If you're commenting on a Slashdot story whose featured article is from one of those sites, other Slashdot users are likely to berate you for being uninformed on grounds of not having read the article.
Hostfiles are a horseshit way to manage this. If you don't want to use addons then do it at the firewall where you can more easily manage lists you use and you don't have to do it on a machine by machine basis. This is more than possible with consumer gear and third party open firmware.
I browse on +1 so AC's need not respond, I won't see it.
This is terrible. If you want to it this way use a firewall that supports block lists. Doing host files is idiotic. It's machine by machine and a PITA to manage.
I browse on +1 so AC's need not respond, I won't see it.
Linux. Enough said.
Bullshit. I can block hosts using any list you can use in APK at my firewall. And when I do it covers my entire network, not just the machines I put them on.
I browse on +1 so AC's need not respond, I won't see it.
To some extent I agree.......the -1 posts should be shown in collapsed form, so at least you know they are there.
"First they came for the slanderers and i said nothing."
See my post: If you don't want to use addons then do it at the firewall where you can more easily manage lists you use and you don't have to do it on a machine by machine basis.
There are firewall firmware available that can use the same blocklists APK uses, but they cover your entire network. Stop shilling for APK.
I browse on +1 so AC's need not respond, I won't see it.
The app stores are about control and money. None of it to benefit you!
First and foremost almost all app stores are about the company making money off of other people's products. Apple really showed this when they stopped applications from being able to buy things like ebooks. Apple wasn't happy because they were not getting their cut for doing nothing.
Then you have control. Again Apple shows this best with not allowing anyone to compete with their products and not allowing other app stores to function.
Microsoft, Apple, Google, Amazon what's the difference? All steal money from devs and control with walled gardens.
Not sure what you don't understand, but do these look like IP addresses to you? https://imgur.com/a/44AnF
You can block hosts at the firewall, you are not limited to just IP's. I think it's you that needs to take a refresher in compsci and networking. Your understanding seems to be a few decades out of date.
I browse on +1 so AC's need not respond, I won't see it.
I don't run any antivirus software on my PC. I still have to kill firefox a couple times a day because it's "not responding" for five minutes or more doing some kind of background task across the 3 gigs of ram it's consuming.
You're not wrong about Antivirus software (your reasons are precisely why I don't have any installed) but that's no excuse for Firefox's poor code quality.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
I run software and hardware firewalls, plus AV, Ad and script blocking. Makes my web experience much better.
I think long ago most of us realized that ALL AV products suck. I get asked frequently by others outside of IT world which AV they should run and they are shocked when I tell them just use MS security essentials, or windows defender as they are free, come built in to windows, and while they suck about as much as the other AV products at least it doesn't nag you and eat all available resources.
Time to offend someone
And we should trust the developer of a browser whose development team didn't see the problem with their memory model chewing up resources until Firefox ground to halt and took an ivory tower position of something along the lines of "you shouldn't have your browser open that long." I know quite a few people who switched to Chrome over that nonsense, myself included. Why should we trust your recommendations again?
We'll make great pets
I haven't used Antivirus Software in about 15 years, and I use a PC or similar device for 12+ hours a day. I haven't caused a single infection - the only time a computer of mine was infected was when someone snuck onto my computer to try a practical joke, loaded a porn website to set as my homepage *but did it in Internet Explorer* back in the days of IE6
Of course, I know what to click and what not to click. I know to examine dialogue boxes and have critical thinking skills to evaluate the website I am downloading from, or viewing. My parents, maybe they need Antivirus... but then maybe not, as they get infected approximately annually despite actually having it anyway. So OP is probably right.
You have no idea what you are talking about. None. It literally works like what your program does, but at the firewall on the edge of my network. The firewall downloads the lists and any DNS request goes against that cache first before forwarding the lookup. There is NOTHING running on the PC, the DNS lookup is just as fast (faster actually since it doesn't have to use the forward DNS servers). Your solution uses MORE system resources since I have to run your app on the PC. Also big hosts files are not resource free when the TCP stack goes to do a lookup. Your solution also does not protect every machine behind the firewall. Mine does. Using the exact same lists. I can manage them from one place and can cover devices your solution cannot (game consoles, TVs, IoT devices, tablets, phones, etc) plus any device that comes on my network. Also APK's GUI looks like a nightmare to deal with.
Finally, my solution is fully open source, where APK appears to be closed source.
I browse on +1 so AC's need not respond, I won't see it.
APK doesn't understand that it is possible to black hole DNS lookups with a non garbage router/firewall. He probably also doesn't understand that on a non garbage firewall you can do a lot more than just have it look at packet headers and do block/allow actions based off of the data in there. I mean who would want to have an NIDS/NIPS running on the edge of their network doing DPI to block malicious content? Why would anyone want to have something inspecting all web traffic to block virus laden content? Who would ever want to have a secure VPN server so that they can access their stuff remotely and also ensure that dodgy WiFi hotspots can't spy on their activities? Finally who wouldn't want all of that in a little box that sits there quietly consuming 8-14W?
Personally I think APK is the reason we have RoHS as he was licking too many boards with lead solder, either that or he needs to give up his hobby of hat making.
Time to offend someone
I've never needed one.
Then again, I run Linux.
If my firewall fails, then I'm 100% safe because NOTHING is getting out. With your "solution" I have to make sure every machine is running the host files, and has the latest updates. That's massively inefficient. Any one of those can stop updating or fail outright and I have no way to know. My firewall I can just check the logs. Plus now you are using up system RAM on every machine, yet you complained earlier about the RAM that plugins take up? It's fewer moving parts, not more. I have one place to manage it. I also can protect systems that you absolutely cannot. Plus how do I know APK isn't going to inject an exploit or sell out like AdBlock plus did? I've got a closed source app running on all my PC's, with elevated privileges, with your "solution". With mine nothing needs to be installed or run on the endpoint. Your solution is much more open to exploitation than mine is. My firewall can't be easily altered by malware, a host file on a Windows OS can be. It's closed source so I can't inspect the source. Trust failure.
I browse on +1 so AC's need not respond, I won't see it.
Your program uses more resources than my firewall, and that multiplies with the number of machines that need to be protected. Again, if my firewall fails there is no point because NOTHING is getting out. Although if I wanted I could always load balance the firewalls to provide redundancy. Seems overkill for my house but I could do it without much effort. My solution protects EVERYTHING behind the firewall, yours only works on devices where the host file can be modified and, it only "protects" windows machines. Yours requires a bunch of hoops to protect multiple machines, mine just works. One device or 1000. If I need to add a host name quickly, I just add it and done. No replication to machines required. Takes about 5 seconds. New machines are protected the moment they touch the network, yours requires the admin to do work to protect them. As for speed, the difference between a local hosts lookup and a local network DNS lookup would be meaningless. We are talking maybe a millisecond or two at the most, not seconds or minutes. I also don't know why you keep going on about layer drivers. My firewall is not using a "layer driver" since it's NOT INSTALLED ON THE PC. I don't know how you are not getting that yet. It's a hardware device, the block lists feature is incorporated into the firmware and used EXACTLY like a local host file on a linux box (which is essentially what it is). My firewall is unaffected by processes running on the client PCs (nice that you lock the file, but what stops malware from terminating your process first? Nothing. Also assuming malware would be running in a user vs admin context is foolish. There is NOTHING APK can do that my firewall doesn't already do. In fact APK can't do some things, like protect every device on the network, that my firewall can.
I browse on +1 so AC's need not respond, I won't see it.
Original poster here.
My post says "Except Microsoft's", right in the title. I think that's important. I believe that Microsoft's Defender stuff is probably less bad than the other major players and worth having enabled for average users. Unfortunately that's been left out of the Slashdot summary.
I always trust people this uninformed about the basics of networking when deciding on how to protect my network.
Unobtrusive ads
I'm told that ads wouldn't be obtrusive if unobtrusive ads brought in enough revenue to continue operations. Advertisers are willing to pay far more for obtrusive ads, and switching from obtrusive ads to unobtrusive ads might cause your favorite site to bring in so little revenue that it has to stop responding to HTTP requests.
and asking nicely for people to turn off the blocker
This sort of "begging" is reported to have anemic results.
The ads shouldn't [...] track me.
The only ads that can be proven not to track viewers are ads hosted by a site itself. And those have a far lower revenue per thousand impressions for two reasons. First, most advertisers don't know that a particular site exists in order to bid up prices for the site's inventory of ad space. Second, those that do know that a site exists prefer to advertise through a network with analytics powerful enough to filter out click fraud.
They usually don't give you a Windows CD anymore when you buy a PC/Laptop so I couldn't tell you how to install the Windows version you paid for when buying the computer on anything...
Microsoft makes iso images available. The vendor probably provided a key some where.
AV is just part of the reason that we use SEP. It also allows us to do things like control access to USB devices, lock down which processes can be ran, etc.
I agree that the traditional AV portions of the product have questionable utility.
Evolution: love it or leave it
Why do I need antivirus on the thing I use to start Steam? We mandate antivirus on our work computers, still hasn't stopped cryptolocker from encrypting stuff on network shares.
On Windows not running as an administrator is more important than having AV, especially for users who will click and install anything, like kids, or those who do not know any better.
Beware of the Redittor who loans you a Sharpie.
They are falling into a misconception that everyone uses their computer like they do. An experienced developer will have common sense, won't use administrator account, will update their OS and won't do crazy things like typing "Watch movies free" to Google and click the very first site appearing.
Most of the developers won't even change their wallpaper.
So, you don't need AV if you can manage a gigantic code like Mozilla but it doesn't mean everyone is the same.
Ms antivirus is a joke regarding detection rates.
And most people need antivirus, because brain 1.0 is not internet ready, yet.
you're new here, aren't you?
just stop visiting such sites. They do not deserve your visit.
you don't get to talk to me about security.
OK then how does your product block ads on my iPhone? My firewall does this.
I browse on +1 so AC's need not respond, I won't see it.
Lol what? Of course firewalls can resolve host names. Why would you think they could not? It's a linux OS running the firewall. Look, it's obvious you wrote APK and that's fine. But it's also obvious that you don't know anything about networking or IT. Stop arguing when you are arguing from a position of ignorance. I showed you a screenshot of the firewall using the same lists that you can use with APK. It works the same, but it doesn't require any configuration on the clients and protects everything behind the firewall. It's a vastly superior way to do it.
I browse on +1 so AC's need not respond, I won't see it.
Also you do realize this is a dedicated firewall device, right? This isn't some slapped together implementation of iptables. The entire OS is dedicated to being a firewall, including quite a bit of custom code. This isn't some PC you install Linux on and turn on a client firewall. You hounding on about windows and linux "firewalls" you are talking about client firewalls on the OS. THIS IS NOT WHAT I AM TALKING ABOUT. This is a dedicated hardware device running custom open firmware (Tomato Shibby).
I browse on +1 so AC's need not respond, I won't see it.
poor imitation is the sincerest form of flattery
Flattery of whom? Mr. John Hosts, inventor of the hosts file? I'm pretty sure hosts was never intended for this type of security usage. I mean, vanilla hosts doesn't even allow wildcards and thus is often useless as any attacker can just bypass it using a rotating subdomain. (Though you can use dsnmasq instead.) Use it under the hood, sure, but it's clearly not sufficient.
Let me rephrase: Not everybody has a nerd card to begin with.
By using a regular proxy?
And watch the hit rate decline over time as it falls back to the CONNECT verb when more and more sites switch to all HTTPS all the time.
I mean, as long as the public images, scripts, style sheets and other resources are served over HTTP
Serving the HTML over HTTPS and public resources over cleartext HTTP causes browsers to refuse to load the resources at all because of rules against mixed content. Serving the HTML as well over cleartext HTTP results in demotion of your site in Google and (as of recent Firefox versions) scary warnings on your login page's password field. Serving only those resources needed for the login page over HTTPS and the rest of the site over cleartext HTTP, as Slashdot did until a few months ago, results in vulnerability to Firesheep, a tool for copying session cookies of others on your network.
Unless you suggest I run without a network firewall then this entire post of yours is moot. I have the device anyway. The added functionality adds zero overhead (unless you are trying to argue hosts in a Linux box adds overhead, which means your software has the same problem ). It hey you keep spamming forums like a lunitic for your probably malware infested closed source crap ware.
I browse on +1 so AC's need not respond, I won't see it.
imitating my ware
Are we talking about /etc/hosts or is this some extension called "hosts" you've written?
On/Off for sites is ALL you need
Which is just nonsense. Ad blocking doesn't work properly on a lot of sites if you do that.
/etc/hosts every once in a while. No reason you can't. Doesn't replace most uBlock's abilities, nor its quick to use UI.
And as I previously alluded to, I have found that gstatic.com is required for some sites to function but not for others. So do you choose to block gstatic.com entirely and break a bunch of sites or are you going to let random sites hit up Google (thus letting them track you directly) and run lord knows what scripts that are there? That is an abysmal choice that you're forced to make, instead of whitelisting gstatic only on specific sites that you need it for.
The rest is just blithering, telling me that a Vespa is more fuel efficient than a Boeing 767. By all means, flush your list of explicit blacklisted domains from uBlock into
I sold my first software project in 1986 child. Don't even try to come at me claiming experience. You still use Delphi let me guess you learned Pascal in school and never managed to master any other language. Delphi is horrible and it is why Borland failed. I was writing in MASM before you were out of diapers. I went through my Pascal phase but unlike you I've kept my skull relevant over the years. Considering how you spam under AC accounts I'm going to wager most of those /. "Praises" are you creating fake accounts.
Fact is your app is a bandaid. It lacks the ability to protect every device on a network that current open firmware can do for free (it's open firmware it adds zero cost to the firewall boy). Like your skills your solution lost relevance over a decade ago.
I browse on +1 so AC's need not respond, I won't see it.
Again, all a decade or more in the past. You went stale and you know it. As for me, I was too busy getting paid to do work at the enterprise level to be bothered with shilling myself to magazine articles or contests. 27 years and counting in my career. 18 years and already a has-been. That has to sting.
I noticed you are still avoiding my question: How does your "solution" protect an iphone on the local network? Mine protects it, yours cannot. Ditto for game consoles, smart TVs (preventing phone-home data reporting), or new machines just booted.
I browse on +1 so AC's need not respond, I won't see it.
Answer my question: How does your "solution" protect an iphone on the local network? Mine protects it, yours cannot. Ditto for game consoles, smart TVs (preventing phone-home data reporting), or new machines just booted.
I browse on +1 so AC's need not respond, I won't see it.
Answer my question: How does your "solution" protect an iOS devices on the local network? Mine protects it, yours cannot. Ditto for game consoles, smart TVs (preventing phone-home data reporting), or new machines just booted.
I browse on +1 so AC's need not respond, I won't see it.
^^^ See suffering from lead or mercury poisoning ^^^^
Like I said he is too dumb to realize what is possible on non garbage hardware. And by non garbage I mean a little 5"x5"x2" box with a 4 core celeron processor, 8GB ram, and a 120GB SSD which is garbage compared to my desktop but is substantially more powerful than the trash consumer firewalls and routers. In addition to being a firewall it also runs Snort in NIPS mode doing DPI, black holes a bunch of crap as a DNS server, runs a proxy server for all web traffic where it passes the traffic through an AV first, and acts as a VPN server so when I am away my mobile devices connect to it instead of being naked on some questionable WiFi connection. Also by not relying on a single hosts file on one my desktop I can protect even devices that otherwise couldn't be like smart phones and tablets.
Also APK doesn't seem to know much about securing systems because if he did he would understand the defense in depth philosophy. That is layer upon layer of protection to stop threats at as many different levels in as many different ways as possible. Snot will block threats attempting malicious activity that a hosts file can't stop. Just because all the web traffic flows through an AV on the firewall doesn't mean I don't have windows security essentials running on a windows machine doing checking there. Just because I have a firewall device at the edge of my network doesn't mean that I have disabled the OS firewall on machines behind it.
Time to offend someone
I'm sure that scales well to nontechnical people.
There are two types of people in the world: Those who crave closure
Lol how would I use login scripts to push out a host file to non-domain joined PCs? Also, you probably mean startup scripts since logon scripts a) run in user context so would not (unless you are an idiot) have the required rights to modify the hosts file and b) do NOT run at boot, they run at logon.
Also you CANNOT modify the host files on iOS without jailbreaking, so your solution is definitely not the easiest. Your solution is a giant fail, admit it.
And I didn't say I created it, ever. It is the solution I use, therefore it's "my solution".
And, again, it adds zero cost to my network since I ALREADY NEED A FIREWALL ANYWAY. The firmware is third party open source and costs nothing to install. The hardware I already need anyway. Only an idiot would run a network without an edge firewall. Relying on the OS firewall is asking for ownage.
I browse on +1 so AC's need not respond, I won't see it.
See my subject & this link: No denying it /https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785b [slashdot.org] & it's FAR from a complete list (even though it shows 100's of router security + inefficiency issues).
Your argument is so old and tired I get a /. 404 error, seriously I do. That said anyone who is using the factory provided firmware on a consumer router/firewall is dumb. OpenWRT or DDWRT are much better choices that offer better security and better options. Or if you prefer go and drop pfSense on some "powerful" but inexpensive hardware. As you will have a device like these between your computer and the internet I don't see how an argument about cost is an issue as you have your modem connected to the internet (DSL or Cable) and then either a router or firewall that your other gear sits behind. Depending on what hardware you have and layout your setup behind the router or firewall will vary greatly.
* LMAO - again, that's you "networking menials" (that can't program their OWN solutions because you're limited) to a tee
Not a millennial (I assume that it what you meant) by a long shot I do actually program and have through my employer contributed to a number of open source projects. You may have heard of a few of them.
WRONG! I don't understand "layered-security"/"defense-in-depth"? I wrote guides on it that even GOT ME PAID https://www.google.com/search?... [google.com]
Guess what I have contributed to guides on securing systems and am paid by my employer to do so when new versions and updates are sought. The difference is that what I have contributed to are respected and well known.
Also it looks like you are a bit to copy/paste happy as I see you are getting frustrated and double posting (see above and below). You really should look into getting treatment for your ails as something does appear to be wrong.
Time to offend someone
I NEVER talked about software firewalls. EVER. You assumed, and it made an ass out of you. The screenshot I showed you was from a HARDWARE firewall, not some useless client software firewall. You are the one lying.
/. endorsements. NO ONE. The fact is at the enterprise level (and anyone who's smart enough to do it at home) no one uses hostfiles to do anything if they can do it centrally. It's amateurish and anyone who knows what they are doing will laugh you out of the room for suggesting it.
You said that you can load hosts files on iOS: " I did answer how hosts can be migrated to iOS". The ONLY way to do that is to jailbreak. Period.
That list is cute, but it applies to stock firmwares. As I've said about 1000 times now, I don't use stock firmware, I use open firmware.
No one cares about your
As for your DNS comment, no shit. Guess what most modern, dedicated hardware firewall do? They run DNS so they can control domain resolution. On a larger scale dedicated web filters, which are exponentially more advanced that your pitiful host files, can block not only based on host name but also using deep packet inspection and these certainly do perform hostname lookups and they can do so with no perceptible impact to the user's speed. You, again, show that your knowledge is at least a decade or more out of date. So keep peddling your out of date software, written with an out of date language, buy a guy with out of date skills, to people who don't know how to do things correctly.
I browse on +1 so AC's need not respond, I won't see it.
Hardware routers with those stock firmware have issues, that does not mean all hardware routers have issues. That's basic logic, something a programmer should understand. I AM NOT USING ANY FIRMWARE ON THOSE LISTS. And the firmware I am using is open sourced and fully vetted.
Most folks CAN protect iOS, by buying a firewall (that they already need), installing the proper open firmware, and configuring it (literally a checkbox). Done. And yes, apparently they can store those hostnames. Also, if it requires that much RAM, what does that say for your solution, putting them in PC RAM on EVERY PC? You said yourself it caches them to RAM
If you think depending on hardware over software is stupid you are an amature. Dedicated hardware trumps software every time. Maybe I was wrong, maybe your skills are even farther out of date than I though.
You are the one that moved the goalposts to using host files, not me. I said use ad block (not ABP btw, you don't even know the difference). Then you threw in hostfiles, and I put out blocking at the firewall. You moved the goalposts first.
You said you could protect iOS with a host file. I quoted your very words. To do that requires a jailbreak. There is no way to modify the host files otherwise, not even with the enterprise management tools.
I do not care, actually. A few random users and the "it doesn't look like malware" from a guy at Malware bytes is not very meaningful.
As for firewalls not being able to block host names, I guess you should call up Forcepoint, Palo Alto, Fortinet, Check Point, Juniper, Cisco, Dell, and the others and let them know that their firewalls really can't block hostnames. And go talk to all the open source firmware devs that also added the feature, or support it via scripts, that they, too, are not really doing exactly what they say they are.
I browse on +1 so AC's need not respond, I won't see it.
Name one thing a host file can do that I can't do blocking the EXACT SAME list of FQDNs at the firewall cannot. NAME ONE.
I browse on +1 so AC's need not respond, I won't see it.
See my subject software janitor (who didn't write those yourself where I have): What's the cost of the router & does it consume more power? Yes.
Man you really are a special kind of stupid. People haven't been connecting their computer directly to their cable/DSL modems in ages and in all cases will have a router or firewall device between their machines and the internet. So it doesn't matter there as you would have to purchase one any way and it would also consume power so it is a moot point. Also assuming that one isn't completely as mentally deficient, as you seem to be, even on garbage hardware you can avoid the security issues of vendor provided firmware by getting a device that you can drop OpenWRT or DD-WRT on.
Sorry back in the late 90s I wasn't writing a cheesy host file engine or another defrag utility for toy operating systems but was writing control and driver code to run robotic semiconductor test equipment over a HP-IB interface. Even now at a different job I don't work on toy windows machines so I don't need a kid GUI and the people who use the software I write want it to work without having to fiddle with it and change setting from one machine to another. They expect 99.999% up time, they expect it to work, they expect mathematically provable correctness. But what would I know working 12 years in the ICS world securing these systems and pushing management to get their shit together and working with and talking with auditors and regulators to stay ahead of where things are going and also influence where they should go. If you try to pillory me over the current state of ICS security I will be quick to point out that all of the issues you hear about are caused by management not following thing that I would have recommended and I would assume their security people recommended similar solutions that never got implemented. The Target breach, while not an ICS, is a fascinating one as there were so may places where the attack should have been stopped but wasn't. It is one of my favorites given that widely used existing standard technology would have stopped in in so many places but because of poor decisions the attackers had their way with the system. Unfortunately your dumb little hosts file would have gladly let it through and not stopped anything. Also your dumb little hosts file wouldn't have stopped Stuxnet and also would be unable to stop the attacks I have seen from state actors. At best it stops malvertising on a single device that is open enough to allow you to modify the local hosts file but on anything else it does nothing.
Time to offend someone
I'm still waiting for something that a host file can do that a firewall cannot. Fact is, there isn't anything and you can not answer. You keep going on and on about how a firewall can't handle millions of entries, yet they can. They do. I'm not sure how much RAM you think firewalls have these days, but it's probably more than is in most PCs. Hell even my home router can handle them. Don't believe me? Take a look: https://imgur.com/a/EFVRn Those lists look familiar? They should, I took them from your own INI file. All those loaded, and still over 87% RAM free. Must be magic. Or, you know, the people the wrote the firmware has some idea of what they were doing. And just like with your host files, if any client on my network does a lookup for any of the domains on those lists, they will get back 0.0.0.0. All while making no changes to the client devices. I don't need to worry about pushing out host files, don't need to worry about allowing an executable to run with elevation, don't need to worry about malware tampering with the hostfile entries. Every single device behind that firewall is protected, including those where the host file can't be accessed such as smart phones, tablets, gaming consoles, TV's, and IP cameras. And no, there are no backdoors in the firmware. It's not the stock crap from the manufacturer. It's also fully open source so I can (and have) verify this for myself.
And that's just what is possible with a home device. Enterprise level I can block no only hostnames, but specific URLs, use deep packet inspection to stop malware that is being served by hosts not on your list (you know it's easy to REGISTER a domain name as well, right?), rewrite web traffic to remove potential scripting threats and report them for review by the admins, and even use machine learning to detect aberrant traffic patterns and stop them, providing protection from unknown exploits. Like to see a host file do any of that.
But lets go back and look at plugins. You know all that memory you complained about them using? Your solution, by your own admission, does the same thing. Only you hide it by offloading it to the OS, which has to cache your giant hosts files in RAM. So while your app may not use as much, you are being deceitful by not counting the RAM used by the OS to cache the host files. Also your solution can't block page elements. A browser plugin can block ads sourced by the same CDN as the site they are on, your host files cannot without also breaking the website itself. They can not only block ads from outside CDNs, they can remove the formatting around them, cleaning up the presented webpage in addition to blocking the ads. Hrm. Seems I found something else host scan't do huh?
I browse on +1 so AC's need not respond, I won't see it.
So it is a moot point on the cost and power consumption of the device on the edge of your network. So now why don't you go back to reliving your glory days of the 90s in you mind and realize that what you are peddling isn't worth the cost of electricity to transmit the bits. Writing a tool to either audit or implement a CIS benchmark isn't hard (I've written several myself they take about a day if I am slacking off), a script that consolidates various hosts files from several sources into one isn't hard (I wrote one for my firewall in a couple of hours that does more than just produce a hosts file), writing a defrag utility isn't that hard even if it is a tedious task. Now go away because none of your accomplishments impress me or anyone else as you brag about doing things that are little more than a college assignment. Add in your incoherent rants and and what I assume you believe to be witty, but it actually puerile, commentary and it was fun but I am board now as I have had better conversations with my parrots.
Time to offend someone
You assume (you should really stop doing that) that 23% is from the lists. RAM actually didn't increase at all by adding those additional lists. ZERO. You fail. Again. Also you keep bringing up DNS redirect poisons, but those don't apply to either of our situations, since my router isn't vulnerable and the lookups go against the local block list FIRST, before checking external DNS. But I wouldn't expect someone with your obvious lack of knowledge to realize that, so consider that lesson free. See, you learned something today!
I browse on +1 so AC's need not respond, I won't see it.
I didn't use your software, I extracted the archive and looked at the INI file. I'm not installing something I can't trust on my machine. You don't even bother with basic security like distributing hashes on the download site so I can know that someone else didn't tamper with it. No thought to security.
You keep talking about speed, so prove it. Show numbers for hosts vs local DNS (not internet based DNS). Put up or shut up.
Also you are the one stealing data, unless you claim to be the one who owns those lists? Not that lists of facts can be copyrighted anyway, but by your own definition you are the thief for stealing their block lists for your product. I'm just showing that my firewall can handle the same lists your software uses.
Also that bit about bypassing CDNs and going direct to site via hardcodes is bullshit. If the site assets are served off of the same CDN as their ads, there is nothing you can do. THEY ARE THE SAME SERVERS. Do you even know how the internet works?
I browse on +1 so AC's need not respond, I won't see it.
I said post numbers to prove your assertion. So, post some numbers boy! Or shut it. If you can't PROVE you are faster then you are just talking shit.
I browse on +1 so AC's need not respond, I won't see it.
Virus proof huh? You should put out a challenge for that. I'd LOVE to see those results.
I browse on +1 so AC's need not respond, I won't see it.
I don't doubt it's faster, what I do doubt is that the delta is enough that it would make any sort of difference. So what is the delta?
I browse on +1 so AC's need not respond, I won't see it.
I don't doubt it's faster, what I do doubt is that the delta is enough that it would make any sort of difference. So what is the lookup time delta?
I browse on +1 so AC's need not respond, I won't see it.
I sold my first piece of software to a financial services company. It was a program designed to parse and reformat text files for printing. It was a custom program based on an earlier freeware program I wrote to do custom printout of text files (allowing multiple copies, inserting custom control codes at the end of each copy, page sorting options, etc). That was simply called Copier. It was distributed around BBSs at the time. Maintained it up into 1993 IIRC.
All of my work since then is purely commercial and targeted at industry verticals, as well as providing security consulting services to find and fix issues in in-house applications. If you are asking for stuff you may have heard of, I doubt it. I don't write consumer software. I don't think I've written anything in the past 15 years that has sold for less than $25K.
As for your app, please feel free to put out public challenge for how "Virus Proof" your software is. I dare you.
I browse on +1 so AC's need not respond, I won't see it.
So what is the lookup time delta in ms?
I browse on +1 so AC's need not respond, I won't see it.
No, you haven't posted any proof. Proof = numbers. You say it's faster, I say it's doesn't make enough difference to matter. If you don't even know how much faster it is, then it's obvious you haven't really put much effort into it.
I browse on +1 so AC's need not respond, I won't see it.