It's significantly different in SP2. All new UI, for one thing.
You're welcome to disagree with me on whether the stock XP firewall pre-SP2 is serviceable for home users. I frequently help out a bunch of home users who are not "computer people", and for them it's not.
They were, actually. The firewall (on by default, we weren't asked during setup) blocked everything.
As you might imagine, I have relatively little control over how USA Today chooses to present a half page (guessing... haven't seen the print version yet) article, or how Slashdot chooses to summarize that into a single paragraph. I had a chance to comment on the USA Today article ahead of time, and they had the option to ignore some of my comments.
I'm more than happy to tell people what the actual methodology was, what was trying to be measured, and what the results actually represent. Check some of the other threads on this story.
I mentioned it elsewhere here, someplace...
The die-hard Mac user in the group felt that having a few services on might better represent a typical Mac user. If I'm remembering right (I didn't personally set up the Mac) it prompts you with a group of items to check on and off during the install. Several services, including Samba, were turned on. This was an extra handicap on the Mac. All the Windows machines were installed by Kevin, with some discussion from the rest of the group. The Linspire box was the only one that was literally used out of the box. We unpacked it, gave it a weak root password, and got it on the Internet.
All boxes were given weak passwords, at least initially. It was part of the test that the reporter chose not to emphasize. That was how the Win2K3 box got popped the one time. After that mechanism was used (per box), the password was changed to something harder. Only the Win2K3 and XP SP1 boxes got nailed due to weak password.
Reparse this paragraph:
SP1 doesn't come with a firewall (that most people are aware of.) You could technically force the ICS or IPSEC filtering to do that job for you, but that's beyond most home users.
and get back to me.
It was off.
We also used versions of Windows that were newer than the Linux box.
All you've proven was that unpatched boxes are vulnerable.
Yes, that's correct. We were trying to measure the level of risk/how quickly one would be compromised.
It's not on by default. The Mac was, in fact, given an extra handicap of having some additional services turned on. The Mac zealot in the group felt that might be representative of typical usage. IIRC, during the install procedure, it prompts you with which services to enable, and users can check them on and off with a single checkbox each.
So... is your point that it's not good to remind people to patch and have firewalls, or that we shouldn't have bothered with the patched and firewalled boxes for comparison?
Good questions. I kinda expected more people to ask that, and I wish the article had covered those aspects better. Of course, reporters will report what they like, and the USAToday guys kept pointing out that they were targeting a less technical audience.
:)
Anyway...
Attacks were counted by Snort with a default ruleset, as of early September when I set it up. I.e. For the most part, I could only count attempts that could be delivered. That means that any of the hundreds of thousands of TCP connection attempts to the firewalled machine couldn't be completed, and so no TCP payload, and no attack signature matching. Hence, the attempts recorded on the firewalled machines represented mostly UDP and ICMP traffic. For UDP, think SQL Slammer. Yes, this included things that many people would consider fairly innocuous, like ICMP information leak-class packets.
As for the firewalling... The "base" test case was Windows XP. Overall, they were going for SOHO-class machines, as you might get them out of the box. In the XP case, there's relatively little point in having the same config multiple times. Instead, we compare XP SP1 (no firewall) with XP SP1 (w/Zonealarm) and XP SP2. Because there would obviously be questions about the other OSes, the Mac, Linspire, and Win2K3 SBE were included. Linspire has a firewall by default, Win2K3 and OS X don't.
The OS X machine registered so many attempts because it was running Samba, and all the Windows attacks could deliver a payload (and have the attack registered.)
It would have been better described as "number of successfully delivered attack attempts", but I guess that isn't good copy.
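To make the counting caveat in the post above concrete, here is an added example (not from the original thread, and not the tooling used in the test): it parses Snort "fast"-format alert lines and tallies them per target host by protocol. The alert lines, addresses and rule IDs below are constructed sample data, and the list of firewalled hosts is an assumption. A host that silently drops inbound SYNs never completes a TCP handshake, so no TCP payload reaches it and no payload signature can fire; the alerts it does register are UDP and ICMP. Any TCP alert against such a host is worth a second look, though some rules match single packets or flags alone, so treat the check as a consistency test rather than proof of a firewall hole.

```python
"""Tally Snort -A fast alerts per target host and protocol.

Added example, not part of the original thread. Assumes Snort's fast
alert line format. SAMPLE_ALERTS and FIREWALLED are constructed data.
"""
import re
from collections import Counter, defaultdict

# Snort fast-alert line layout:
# MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: c]
#   [Priority: n] {PROTO} src[:sport] -> dst[:dport]
# ICMP alerts carry no ports, hence the optional port groups.
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (addresses from RFC 5737 documentation ranges;
# rule IDs and messages chosen for illustration, not taken from a real log).
# 192.0.2.10 plays the firewalled host, 192.0.2.20 the unfirewalled one.
SAMPLE_ALERTS = """\
09/05-01:02:03.000001  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 192.0.2.10:1434
09/05-01:02:04.000001  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 192.0.2.20:1434
09/05-01:02:05.000001  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.9 -> 192.0.2.10
09/05-01:02:06.000001  [**] [1:2466:7] NETBIOS SMB-DS IPC$ unicode share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 198.51.100.4:3072 -> 192.0.2.20:445
09/05-01:02:07.000001  [**] [1:2514:7] NETBIOS SMB-DS DCERPC LSASS exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.4:3073 -> 192.0.2.20:445
"""

# Assumption: hosts behind a default-deny inbound firewall.
FIREWALLED = frozenset({"192.0.2.10"})


def parse_alert(line):
    """Parse one fast-alert line into a dict, or return None if it does not match."""
    m = FAST_ALERT.match(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["prio"] = int(alert["prio"])
    return alert


def tally_by_host(lines):
    """Return {dst_ip: Counter({proto: count})} over the parseable lines."""
    tally = defaultdict(Counter)
    for line in lines:
        alert = parse_alert(line)
        if alert is not None:
            tally[alert["dst"]][alert["proto"]] += 1
    return tally


def tcp_alerts_for(tally, host):
    """TCP alerts against a host; a payload rule needs a completed handshake to fire."""
    return tally.get(host, Counter()).get("TCP", 0)


def firewall_consistency(tally, firewalled=FIREWALLED):
    """Map each assumed-firewalled host to its TCP alert count.

    A default-deny firewall drops the SYN, so the expected count is 0. A
    nonzero count means either the firewall let a connection through or the
    rule matched on a bare SYN/flags rather than on delivered payload.
    """
    return {host: tcp_alerts_for(tally, host) for host in sorted(firewalled)}


def summarize(text=SAMPLE_ALERTS):
    """Tally the constructed sample and run the firewall consistency check."""
    tally = tally_by_host(text.splitlines())
    return {
        "per_host": {host: dict(counts) for host, counts in tally.items()},
        "firewall_check": firewall_consistency(tally),
    }


if __name__ == "__main__":
    for host, counts in summarize()["per_host"].items():
        print(host, counts)
    print("TCP alerts on firewalled hosts:", summarize()["firewall_check"])
```

Run against a real `alert` file by passing its contents to `summarize()`; the per-host breakdown shows directly which machines only ever registered single-packet UDP and ICMP traffic and which ones were actually receiving exploit payloads.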
SP2 isn't perfect obviously, but it seems to help quite a bit with that, too. Several of the recent patches were already incorporated into SP2, and some of the redesigns seem to have mitigated some of the usual IE problems. I'm aware of one browser issue in SP2 so far, and it has already been used by the spyware distributors.
Of course, if your base point was to not use IE/Windows at all, I can't argue with that.
Yes, sorry... to answer your question as asked, the plain SP1 machine had the firewall off. If locked down tight enough, the built-in firewalling should have stopped the attacks as well. We did SP1 w/Zonealarm to represent that kind of combination.
Hmm... did you read the article, where it pointed out that in addition to the XP SP1 machine, we also tested SP2, and SP1 with a firewall?
SP1 doesn't come with a firewall (that most people are aware of.) You could technically force the ICS or IPSEC filtering to do that job for you, but that's beyond most home users.
The SP2 firewall is nice because it's closer to being consumer-friendly as far as configuration goes, and it bitches at you until you turn it on. I only wish it went a little further and did the outbound filtering.
Typical many-to-one NAT will act like a simple firewall. Highly recommended for purposes of downloading all your patches. There's basically zero chance you'd be able to patch a stock Win2K/XP SP1 machine before you got nailed on an open Internet connection.
The NAT won't help much with the client-side holes.
Which? It's in the USA Today story. You mean the Slashdot synopsis?
Yes, the SP2 machine, SP1 w/Zonealarm, and Linspire machines all had software firewalls, which appear to do their jobs just fine. One of the reasons the Mac registered so many attacks is because one of the enabled services was Samba. Rather funny to watch all the Windows worms try their exploits on Samba, actually.
Nothing beyond that. However, I should point out that, for the most part, we didn't let the machine continue long after compromise. After an intrusion was detected, we restored it, patched that particular hole, and put it back. We also made no particular effort to analyze what happened on disk and in memory, the bulk of the analysis being done from the wire.
At least a couple of times, a minimal rootkit was installed. It's highly likely that if we had left them, the 0wners in the IRC channel would have finished moving in at some point.
There was an SP2 machine included in the same test. It went unmolested, due largely to the new firewall enabled by default. This particular test environment included no user activity, i.e. no email reading, no web browsing.
Generally speaking, I'm pleased with SP2. As long as you're running XP, and it won't affect your critical functionality adversely, install it. It won't be exploit proof moving forward, but it's the easiest way to patch the current set of problems.
I wasn't expecting this to get Slashdotted. Kevin and I set up the honeypot machines and monitored the network during the test. If anyone has any questions, I'm happy to answer.
I don't disagree with you that the solver is deficient if it can't adapt, I was just explaining what I thought the discrepancy was.
Also, you would think that the person using the solver could make a quick color translation table to account for the hard-coding. You only need to look at the center squares to see what the layout is...
I *think* he's saying that the solvers have hard-coded relative color face positions. I.e. they "know" that Green and Blue share an edge. (as an example. I don't have a Cube in front of me to see the real color positions.) If you've re-arranged the stickers such that Green and Blue are now on opposite sides of the cube, the solver is hosed. Of course, a human under that circumstance is still good.
Nice cheap supplier of Nero if it comes up again:
# 4239
http://www.softwareandstuff.com/otherutiltbl.html
This would kill apple however because nobody in their right mind would pay $2000+ for a good mac when they could pay for a PC at $1500 and get mac OS on it as well.
No kidding! That would be like Sun porting Solaris to x86. Can you imagine what that would do to their hardware market? Yeah, right... Sun is going to make Solaris for x86, and I suppose they are going to give it away and open-source it, too.
Yes... after the Supreme Court ruling... that's when I'll spring into action! The judge for THAT appeal won't know what hit him.
If they want to expand the genre a little, add the space weapons and travel back in.
This is 20-something years now I've been playing the Ultimas. EA finish screwing it over, and give it back to Richard, please.