Rest assured, they are _not_ doing it for the warm fuzzy feeling you get by doing something nice. OSS and GNU/Linux are part of their business strategy. They are in it for the money. That they happen to help us geeks is certainly nice, but at the end of the day, Linux and such would survive anyway.
Umm, RedHat are in it for the money, SUSE are in it for the money, etc... Is that so wrong? Just because something that benefits everyone is going to make the person who's doing it some money doesn't make it a bad thing.
AFAIK the internet at large has no support for multicast at the moment, which is why your ISP needs peering with the beeb for it to work. So if the ISP's routers aren't set up to do multicast and they don't have peering with a multicast content provider then you won't be doing multicast any time soon.
What is to stop someone from using a proxy from the UK? If porn can't stop proxies, what makes BBC think they can? LOL.
The proxy would have to be on one of the ISPs that the beeb peer with - they only offer "broadband" content to ISPs that peer with them, everyone else is stuck with "narrowband" (48Kbps) stuff. (Which you can kinda understand - the BBC were predicting that the online Olympic content would suck up over 10Gbps of their bandwidth)
In the UK, you don't have to have annoying ads breaking up your programming. Imagine watching Star Trek, Farscape, The Simpsons, Buffy, Angel, The Office, sports or even just the news without any commercial breaks whatsoever. The BBC lets you do that.
Err, no it doesn't - The beeb don't show any new Star Trek series (Channel 4 show Enterprise), nor do they show Farscape or The Simpsons anymore, they have never shown Angel (Channel 4 showed that) and any imported shows like Buffy are always a year behind because the beeb only show the reruns, not the premiers.
Whilst I love the fact that the beeb are at the forefront of a number of very interesting technologies, their programming is absolute crap these days. Whilst they do have the occasional interesting documentary I haven't seen a good weekly science programme on the beeb since they cancelled Tomorrow's World (whilst claiming they would be replacing it with similar science content that never appeared). And the last good comedy that came out of the BBC was Red Dwarf VI, which was *years* ago. (Sorry, The Office just makes me cringe).
Rather than being forced to pay the TV licence I would prefer to have the option to pay a licence for the services I do use (the online content) and be able to buy the occasional BBC show that's worth watching on a pay-per-view basis. Over 120ukp a year is just too much money when a large chunk of it is paying for content that I'm not interested in which panders to the masses (no, oddly enough I'm not interested in hours and hours of football or "Fame Academy" just because 99% of the population seems to be interested in them - isn't the whole point of the beeb to provide content which _doesn't_ pander to the masses, i.e. stuff that's not feasible for commercial channels to produce?).
The most worthwhile programmes I've seen on the BBC over the past few years are the survival programmes by Ray Mears, which are absolutely excellent but there aren't that many episodes.
If you go on microsoft.com, they don't call linux "linsux" and have pictures of tux fucking a hooker.
microsoft.com is a corporate website, slashdot is an unofficial messageboard for geeks...
Besides, if slashdot used the real MS logo they'd probably get sued into the ground for infringing the trademark every time someone made a bad comment about MS.
Suppose there is an issue in the IP stack itself? The machine can still be knocked over - a la early NT 4.0 - by crafted packets even if no services are listening. Can you see where a firewall might help?
No, I can't see how it would help - you're almost certainly going to have at least one port open so the bug is still exploitable.
There is a concept called "multi-level security"; you should look into it.
I think that was my point - by installing a firewall and not fixing the underlying problem (namely having services you don't want listening to the external interface) you are not implementing multi-level security. A firewall should be seen as a failsafe, not as a fix for an already flawed configuration.
Control: Even though I have broadband, I want control over what applications connect in and out. When a popup box appears, I am immediately informed what part of Windows or program is trying to access the outside world. I start the PF by locking everything, then clicking yes to everything I want to access the Internet and no to the others (making quick rules). I get a quick and easy overview. This gives an extra control over potential spyware and applications that shouldn't connect remotely.
It sounds like you're reasonably clueful... but just put yourself in the place of an average windows user who's probably been trained by the torrents of popups and warnings just to press yes on everything: how much would this new torrent of warnings that you have to click yes on without reading annoy you?
Trust me, I've done support - most users won't read error messages at all, they'll keep hitting the ok button until they get very pissed off and phone tech support to give them a hard time. The number of times I've answered calls complaining "I can't send email to this address, it keeps giving me an error message" and when asked what the error message is I've been told "oh I don't know I just deleted it". Usually upon further investigation the error is something exceptionally self-explanatory such as "recipient's mailbox is full" - you don't need to phone tech support to know what that means.
Nice to lock down Internet Explorer and Outlook that way for extra security.
Obvious question here (and no disrespect or anything) but why do you use IE and Outluck when you know they're absolutely riddled with security holes? The only time I ever fire up IE is when I really need to see a site that won't work with firefox or opera... admittedly it's slightly more effort for me to fire up IE since I have to power up a windows machine, but the same would apply if I was using windows on my workstations.
Setup and configuring simply doesn't compare to a PF with a nice GUI.
I'd disagree here - you can buy standalone firewalls that will give you a nice GUI you can access through your web browser. Although I will admit that having the firewall identify what application is trying to access the port is useful.
In my eyes, not trusting XP or its applications
I think this is probably one of the biggest problems - you wouldn't let a drunk drive your car, why let an untrustworthy OS drive your computer?
An additional argument FOR PF is that security can be enhanced by making it easier for clueful users to setup a firewall with high enough level of restriction to prevent most attacks.
But for the usual "open this service" and "block that service" rules that most users will be setting up would you not agree it would be a far better solution to have a nice centralised place where you can tell it what services to run and which interfaces those services are bound to? Adding a firewall to do this seems like building a porch with a lockable door on your house because you can't be bothered to lock the existing door.
Many will never be able to figure out a hardware firewall in this lifetime. If you want security, best not use XP either, but OpenBSD or something similar.
I am convinced that there should be some kind of "internet licence" so you have to understand the basics of security though. There are such simple things that users can do which are really obvious if they stop to think about it. i.e. don't open that random executable that someone sent you unless you're sure it does what it claims to do, even if it came from people you know. The only problem with this is that the computing world is changing rapidly enough that we would require people to take the test every few years - I can still remember the days when we used to laugh at people who thought they could get a virus through email or a word processing document... oh how Microsoft changed that.
However personal firewalls have a -lot- of benefit at least from a business standpoint.
I beg to differ - a very large proportion of the support calls we get here are because someone has a personal firewall on their machine that's blocking something important. It is far too difficult to administer a separate firewall on every machine in a company. Admittedly this means that if one workstation gets compromised then the other workstations are accessible to the malware too, but again, services that are not needed should just not be running.
From a tech-support point of view, personal firewalls are nothing but trouble.
As a for instance, limiting the number of outgoing TCP connections that can be opened per second. If you've ever seen some of the viruses take out network bandwidth - this is one of many ways to help.
This kind of thing can be handled by a central firewall - it can filter such attacks from exiting the network and alert the sysadmins who can unplug the affected machine. If you have managed switches then the main firewall can even pull the plug on the affected workstation.
I do agree that there is most definitely a place for a personal firewall, but I don't believe the place is (as microsoft and most of the personal firewall manufacturers seem to suggest) on a standalone home machine as the first (only) line of defense.
I also think that anyone who plugs a windows machine directly into the internet is completely nuts. (You're slightly less nuts if you shove it behind a NAT).
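The "limit outgoing connections per second" idea from the exchange above is easy to check at a central point rather than on every workstation. The following is an added example, not code from anyone in this thread: it runs a per-host sliding-window count over a constructed flow log (the log format, the addresses and the threshold are all assumptions made up for the example) and reports hosts that open new connections faster than a worm-sized rate.

```python
"""Flag hosts that open new outbound TCP connections faster than a threshold.

Added example (not from the original thread). The flow-log format below is
constructed for this example: "<unix_ts> <src_ip> <dst_ip>:<dst_port> SYN",
one line per new outbound connection attempt seen at the gateway.
"""
from collections import defaultdict, deque

THRESHOLD = 20   # new connections per source host in any 1-second window
WINDOW = 1.0     # seconds


def build_sample_log():
    """Constructed sample: one worm-like host and one ordinary workstation."""
    lines = []
    # 10.0.0.5 sprays 40 SYNs at different hosts within 0.8 s (worm behaviour).
    for i in range(40):
        lines.append(f"{1000.0 + i * 0.02:.3f} 10.0.0.5 198.51.100.{i + 1}:445 SYN")
    # 10.0.0.7 opens 5 connections spread over 10 s (normal use).
    for i in range(5):
        lines.append(f"{1000.5 + i * 2.0:.3f} 10.0.0.7 203.0.113.{i + 1}:80 SYN")
    # Events must be processed in time order for the sliding window to work.
    lines.sort(key=lambda l: float(l.split()[0]))
    return lines


def parse_line(line):
    ts, src, dst, flag = line.split()
    if flag != "SYN":
        raise ValueError(f"unexpected record: {line!r}")
    return float(ts), src, dst


def find_offenders(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {src_ip: peak_connections_in_window} for hosts over the limit.

    A per-host deque holds the timestamps of recent SYNs; timestamps older than
    the window are dropped before the count is compared with the threshold, so
    this is a sliding window rather than a fixed per-second bucket (a fixed
    bucket misses a burst that straddles a second boundary).
    """
    recent = defaultdict(deque)
    offenders = {}
    for line in lines:
        if not line.strip():
            continue
        ts, src, _dst = parse_line(line)
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] >= window:
            q.popleft()
        if len(q) > threshold:
            offenders[src] = max(offenders.get(src, 0), len(q))
    return offenders


if __name__ == "__main__":
    for ip, peak in find_offenders(build_sample_log()).items():
        print(f"{ip}: {peak} new connections within {WINDOW}s (limit {THRESHOLD})")
```

On a real gateway the same loop would read the SYN log from the firewall and the output would drive an alert or a port shutdown on the managed switch; the threshold wants tuning per site, since a busy proxy or mail relay legitimately opens far more than 20 connections a second.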
Do you know how to stop Windows from using ports 137-139? I think many people don't know. I myself have no idea (as I don't use Windows) if it's even possible. If it's not, it's something you need a (personal) firewall for to block access to these ports (which I _do_ know to be exploitable).
I have no idea if you can disable those ports - I don't use Windows (I'm a pure Linux person). However if you can't, that is a design flaw with the os that needs to be addressed - the solution is not to work around such flaws, the solution is to _fix_ the flaws (and the fact that it's the company responsible for these flaws that is publishing workarounds instead of fixes makes it even worse). As I said originally, what is needed is a unified way of configuring which network interfaces a service is listening on - this can be presented in *exactly* the same way as a personal firewall configuration (i.e. a list of services and tick-boxes showing which interfaces they're listening on)
And 'false sense of security'? Many people don't care about security, but need to be protected (sometimes even from themselves) anyway.
True, many people don't know or care about security. But when the media publish lots of problems about security holes and then Microsoft make a press release saying they have made the system really secure, it would be nice if they actually had...
Besides, if this 'personal' firewall is all you have protecting your network, even if it's only by being on by default, you're still better off security-wise.
Maybe... but how many people will get pissed off with the firewall blocking their outbound connections and rather than just opening the ports they need or disabling the outbound filtering they'll disable the whole bloody thing because they don't know/care anything about security.
Security is always a balance between usability and security - if you wanted full security then unplug the network connection. But I can guarantee that almost everyone would find that too restrictive and plug it back in. If your default policies are too restrictive you run the risk of people just disabling the lot.
The firewall can pop up a message for each connection asking if it's ok to allow it, but we already know that windows users are so inundated with popups and errors that they just hit ok on all of them without caring what they're OKing. Again, annoying the user into not paying any attention is a bad idea.
Configuring your OS/services well still doesn't protect you from a DoS on your computer though.
Depends what sort of DoS you're getting - I don't really see a firewall as a solution to any of them though:
- SYN flood: this problem was solved years ago through the introduction of SYN cookies - anyone who isn't using SYN cookies these days has no business allowing anyone connect to them anyway.
- Bandwidth flood: A firewall ain't gonna help you here - even if you're blocking the packets, they have already traversed your (reasonably low bandwidth) internet connection... The only thing that's going to help here is to block the packets on the ISP side of the connection.
- Slashdotting (i.e. many concurrent connections - may be legitimate connections but they're gonna kill your server anyway): Most services will let you limit the number of connections they will serve at the same time - a firewall is not the answer (unless it's on the ISP side of your internet connection).
IMHO having a firewall running is useful even if only to provide an extra stumbling block for malware.
It's a stop-gap solution - when 99% of computers block outbound traffic by default the malware will all automatically work around the firewalling. Malware is a very fast evolving problem, just like spam - simple stuff like this will only have an effect for a very limited amount of time. I think it's exceptionally bad that it will produce a false sense of security, and the very protocols that worms will be using are likely to be open anyway since they're protocols that people need to use.
Ok, how about a home network then? Many people use one Windows computer using "internet access sharing" to enable other computers to connect to the internet. In this case the internet-connected computer running a personal firewall would be a separate device and could defend itself (and the internet) much better against the internal compromised machine.
I wouldn't suggest that a firewall is useless in this situation, however I was talking about personal firewalls and would argue that once you start protecting a whole network instead of a single machine you can no longer consider it a "personal" firewall.
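The SYN flood point in the DoS list above leans on SYN cookies, so here is an added example (not from anyone in this thread) of what a SYN cookie actually is: a server that gets a SYN packs a time counter, an MSS hint and a keyed hash of the connection's 4-tuple into the 32-bit initial sequence number, sends that in the SYN/ACK and keeps no state; when the final ACK arrives it recomputes the hash and only then allocates a connection. This is a simplified version of Bernstein's scheme; the secret, the MSS table and the time granularity are assumptions for the example, not any particular stack's values.

```python
"""SYN cookies: a stateless SYN/ACK sequence number the server can verify later.

Added example (not from the original thread). Simplified version of Bernstein's
scheme: the 32-bit initial sequence number packs a 5-bit time counter, a 3-bit
index into a table of MSS values, and a 24-bit keyed hash of the 4-tuple and
the counter. SECRET and the counter granularity are assumptions for the
example; a real stack rotates the secret and ticks the counter every 64 s.
"""
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"example-only-rotate-me"       # assumed server-side secret
MSS_TABLE = [536, 1300, 1440, 1460]     # the only MSS values a cookie can remember


def _hash24(saddr, daddr, sport, dport, t):
    """24-bit keyed hash of (4-tuple, time counter)."""
    msg = (ipaddress.ip_address(saddr).packed
           + ipaddress.ip_address(daddr).packed
           + struct.pack(">HHI", sport, dport, t & 0xFFFFFFFF))
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr, daddr, sport, dport, client_mss, t):
    """ISN to send in the SYN/ACK; no per-connection state is kept."""
    fitting = [i for i, m in enumerate(MSS_TABLE) if m <= client_mss]
    mss_idx = fitting[-1] if fitting else 0   # largest table entry <= client's MSS
    return ((t & 0x1F) << 27) | (mss_idx << 24) | _hash24(saddr, daddr, sport, dport, t)


def verify_ack(ack, saddr, daddr, sport, dport, now, max_age=1):
    """Check the final ACK of the handshake.

    The client acknowledges ISN+1, so the cookie is ack-1. Returns the MSS to
    use for the connection, or None if the cookie is forged or too old.
    """
    cookie = (ack - 1) & 0xFFFFFFFF
    t_field = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    h = (cookie & 0xFFFFFF).to_bytes(3, "big")
    for age in range(max_age + 1):
        t = (now - age) & 0xFFFFFFFF
        if (t & 0x1F) != t_field:
            continue
        expected = _hash24(saddr, daddr, sport, dport, t).to_bytes(3, "big")
        if hmac.compare_digest(expected, h):
            return MSS_TABLE[mss_idx]
    return None


if __name__ == "__main__":
    isn = make_cookie("192.0.2.10", "198.51.100.1", 40000, 80, 1460, t=100)
    print(hex(isn), verify_ack((isn + 1) & 0xFFFFFFFF,
                               "192.0.2.10", "198.51.100.1", 40000, 80, now=101))
```

The cost of the scheme is visible in the code: only the MSS survives, not the other SYN options, and a cookie is accepted for a couple of counter ticks, so a stack enables cookies only once the SYN backlog is full rather than all the time.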
An unrelated example: brain disease has tripled in the past two decades in most developed countries. But not in Japan. Aren't you curious as to why? Or would you rather stick your head in the sand and proudly proclaim everyone who is curious to be an alarmist?
But sticking my head in the sand might shield my brain from the radiation:)
firewalls can also be used to get some sort of ACL functionality out of them (you might want to enable ssh access to only a few known IPs on the internet), can do packet inspection, perform rate limiting tasks, prevent DoS attacks
Right, because how many Windows personal firewall users are going to be doing that? I haven't seen Microsoft's offering but I'd be quite surprised if it could be configured any more specifically than "block this port" and "open that port".
protect the internet from _your_ machine should some malware be running
IMHO blocking outbound traffic from personal firewalls is of dubious use at best - once the machine has been compromised the malware can quite happily disable your firewall (a number of viruses are known to disable ZoneAlarm automagically) or look at the firewall rules to see which port it can make connections on.
Running a firewall to block outbound traffic only seems sane if it's a completely separate device since once the device running the firewall is in a position to send malicious data the security of the firewall should already be considered void. As far as I can tell, all it does is provide a false sense of security, which is a very bad thing.
I'd love to know what the point is in a "personal firewall" - seriously.
A computer does _not_ need a firewall - it is configured correctly, all those nasty services with security holes in aren't even listening to the internet-facing interface (because you've got it configured correctly). There's no advantage in having a firewall over having the services configured correctly.
The *only* reason to have a firewall is that if you make a mistake and accidentally open a service you didn't intend to, the firewall is there as a failsafe. If you link the firewall and service controls together so you only have to press one button to enable a service you remove this advantage and there is again no reason to have a firewall.
Rather than running hundreds of services you don't need and then blocking them, it would be far better to have a unified way of telling all services which interface to bind to - to the end user this would appear like a firewall configurator anyway.
And if you must insist on prompting the user each time Doom 3 opens a listening network port then tie it in with the IP stack properly and prompt the user when it actually opens the port.
To me, the concept of using a personal firewall as your primary method of security is a kludge - if you need one then your machine's configuration is fundamentally broken and that's where you should be applying security.
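The post above argues that the real control is which interface each service is bound to, and that a "list of services with tick-boxes per interface" is what the user should be looking at. The check a practitioner would actually run is the audit of that list. The following is an added example, not anyone's code from this thread: it parses `ss -ltnp`-style output (the sample output below is constructed, as is the per-service policy) and reports every listener that is bound more widely than the policy allows, with unknown services reported by default.

```python
"""Audit which interface each listening service is bound to.

Added example (not from the original thread): parse `ss -ltnp`-style output
and compare each listener against a per-service binding policy. The sample
output and the policy are constructed for this example; on a real Linux host
you would feed it the output of `ss -ltnp` (iproute2).
"""
import re

SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1203,fd=21))
LISTEN 0      511    *:80                *:*               users:(("nginx",pid=1410,fd=6))
LISTEN 0      50     192.0.2.10:5432     0.0.0.0:*         users:(("postgres",pid=1522,fd=5))
LISTEN 0      128    0.0.0.0:139         0.0.0.0:*         users:(("smbd",pid=1600,fd=30))
LISTEN 0      128    0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=700,fd=4))
"""

# Where each service is allowed to listen: "any", "loopback", or one address.
# Services absent from the policy are reported (default deny).
POLICY = {
    "sshd": "any",
    "nginx": "any",
    "mysqld": "loopback",
    "postgres": "192.0.2.10",
    "smbd": "loopback",
}

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')


def split_addr_port(local):
    """'[::]:22' -> ('::', 22); '0.0.0.0:22' -> ('0.0.0.0', 22); '*:80' -> ('*', 80)."""
    addr, port = local.rsplit(":", 1)
    return addr.strip("[]"), int(port)


def scope(addr):
    """Classify a bound address: wildcard (every interface), loopback, or one address."""
    if addr in ("0.0.0.0", "::", "*"):
        return "wildcard"
    if addr == "::1" or addr.startswith("127."):
        return "loopback"
    return addr


def parse_listeners(text):
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or something other than a TCP listener
        addr, port = split_addr_port(m.group(1))
        out.append({"proc": m.group(2), "pid": int(m.group(3)),
                    "addr": addr, "port": port, "scope": scope(addr)})
    return out


def audit(text, policy=POLICY):
    """Return [(proc, port, addr, expected)] for listeners that break the policy."""
    violations = []
    for l in parse_listeners(text):
        expected = policy.get(l["proc"])
        if expected is None:
            violations.append((l["proc"], l["port"], l["addr"], "no policy entry"))
        elif expected == "any":
            continue
        elif expected == "loopback":
            if l["scope"] != "loopback":
                violations.append((l["proc"], l["port"], l["addr"], "loopback"))
        elif l["addr"] != expected:
            violations.append((l["proc"], l["port"], l["addr"], expected))
    return violations


if __name__ == "__main__":
    for proc, port, addr, expected in audit(SAMPLE_SS):
        print(f"{proc} listens on {addr}:{port}, policy says {expected}")
```

The two findings in the sample are exactly the cases the thread is about: a file-sharing daemon bound to every interface when it was only ever needed locally, and a service nobody put in the policy at all. Fixing either means changing the daemon's bind address, not adding a firewall rule in front of it.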
Probably not catastrophic. It would certainly have a DRAMATIC IMPACT but we could adjust (after a painful transition period).
A lot of sea life relies heavily on the tides and would die out (with all the knock-on effects that mass extinctions would have - after all, we all rely on the sea life)
The tides also affect the weather since they shift large lumps of (differing temperature) water around - I'd guess there would be some pretty nasty consequences for the climate.
Yes it would be cool but not really practical. I'd much rather have a message on the screen telling me what's wrong instead of having to look up a color and see what it means.
I dunno about you but I don't have my monitor turned on all the time. It'd be pretty cool if it glowed blue or something when I have new email coz then I wouldn't have to actually turn the screen on to check.
It is a bit difficult to understand the role of money in taking decisions impacting national security. Surely, the US will have more control if the project is within its own boundaries?
I guess (as usual) the US will be joining the pissing contest and demanding that ITER be built in the US...
the resulting singularity shouldn't cause massive gravitational changes since it will have the same mass as the moon and the same orbital velocity. Might even be sorta handy as a bottomless garbage pit.
Mmmm... and using it as a bottomless garbage pit won't have any effect on its gravity at all will it... besides, if it's already a singularity before it swallows the moon it stands to reason it's probably already quite massive.
the systems will be connected to the internet. Even if they are heavily firewalled, they will have to get their information somehow, so some port will be open listening for incoming requests; so watch out for buffer overrun exploits and spoofed packets.
Yes, although the risk can be reduced through VPNs - if all the banks are connected through a big IPSEC VPN then the only services that need to be open to the internet at large are IPSEC itself and the key exchange protocol such as ISAKMP (if you use one). All other services will only be listening to the VPN so will be safe from direct attacks across the internet so long as the VPN remains safe.
targeted denial of service attacks
This is probably a rather more serious threat. I guess it can be reduced by having multiple redundant connections but if someone who "owns" a large number of zombies knows all the backup IPs then you have a problem (as we know, security through obscurity is bad)
the network simply going down or being slowed; slammer slowed down the internet, not just a few machines. If that means some transactions get delayed, some people will be losing money.
The internet at large being slowed down probably isn't a big deal - I'd guess the amount of traffic needed to make a bank transfer is reasonably small and so wouldn't be hit anywhere near as hard as stuff like web access. I'd guess they could fall back to ISDN dialup or something - they *must* have contingency plans for network outages (even now on their private network).
the traffic will be intercepted, and, if not decrypted, at least the volume of messages will be interesting information for corporate espionage
This problem can be reduced (admittedly at the expense of bandwidth) by sending regular fixed sized messages - if nothing's happening they are just blank (or contain garbage), otherwise they contain the data you want to transmit. If someone is capturing the encrypted traffic they will just see the same quantity of traffic no matter what's happening.
targeted BGP spoofing, DNS poisoning attacks and the like resulting in loss of service
Exactly - BGP spoofing is going to be the same problem as a DDoS on their IPs... and there's no reason to use internet-exposed DNS at all... You could always sign the DNS records with a public key to guarantee they're not spoofed though.
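The "regular fixed sized messages" counter to traffic analysis from the exchange above, as an added example rather than anything posted in this thread: every frame on the link is the same size and one frame goes out per tick whether or not there is anything to send, so the count and size of ciphertexts an eavesdropper sees is independent of how many transfers actually happened. The frame size, the length-prefix format and the sample messages are assumptions made for the example; the encryption that would wrap each frame is the layer above this one and is not shown.

```python
"""Constant-size, constant-rate framing to hide message volume.

Added example (not from the original thread). Every transmitted frame is
FRAME_SIZE bytes: a 2-byte payload length, the payload, and fill. When there
is nothing to send, an idle frame (length 0) goes out on the same schedule,
so an observer counting or sizing ciphertexts learns nothing about how many
real messages were sent. FRAME_SIZE is an assumption for the example; the
frame is what you would hand to an AEAD cipher before putting it on the wire.
"""
import os
import struct

FRAME_SIZE = 64
CAPACITY = FRAME_SIZE - 2  # payload bytes per frame after the length prefix


def encode_frames(message):
    """Split `message` into FRAME_SIZE-byte frames; b"" yields one idle frame."""
    chunks = [message[i:i + CAPACITY] for i in range(0, len(message), CAPACITY)] or [b""]
    frames = []
    for chunk in chunks:
        # Random fill rather than zeros so the plaintext frame has no fixed
        # structure beyond the length field; once encrypted either would do.
        fill = os.urandom(CAPACITY - len(chunk))
        frames.append(struct.pack(">H", len(chunk)) + chunk + fill)
    return frames


def idle_frame():
    return encode_frames(b"")[0]


def send_ticks(messages, ticks):
    """Simulate a constant-rate link: exactly one frame per tick, idle when empty.

    Raises if the queued messages do not fit in the available ticks, which is
    the bandwidth cost the post mentions: the link runs flat out all the time.
    """
    pending = []
    for m in messages:
        pending.extend(encode_frames(m))
    sent = []
    for _ in range(ticks):
        sent.append(pending.pop(0) if pending else idle_frame())
    if pending:
        raise ValueError(f"{len(pending)} frames still queued after {ticks} ticks")
    return sent


def decode_frames(frames):
    """Reassemble payload bytes; idle frames contribute nothing.

    A frame of the wrong size, or one whose declared length exceeds the
    capacity, is rejected rather than read past the frame boundary.
    """
    out = bytearray()
    for f in frames:
        if len(f) != FRAME_SIZE:
            raise ValueError(f"frame is {len(f)} bytes, expected {FRAME_SIZE}")
        (n,) = struct.unpack(">H", f[:2])
        if n > CAPACITY:
            raise ValueError(f"declared payload {n} exceeds capacity {CAPACITY}")
        out += f[2:2 + n]
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample traffic: one short transfer and one 150-byte record.
    wire = send_ticks([b"transfer 1000 GBP", b"x" * 150], ticks=10)
    print(len(wire), "frames of", {len(f) for f in wire}, "bytes;",
          len(decode_frames(wire)), "payload bytes recovered")
```

The observer sees ten 64-byte frames whether the queue held two messages or none; what the scheme does not hide is that the link exists and its fixed rate, and it costs the full link bandwidth around the clock, which is the trade-off the post acknowledges.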
But no one who is providing you with a service is benefiting. If the Mozilla Foundation were getting the money from the advertising then I would consider it.
I am all in favor of Google's ads - they're nonintrusive and targeted (Hell, I use them on my website... I wish they would pay in sterling instead of sending 'checks' in dollars though). And I am in favor of the free websites using them (after all, the ads are paying for the site instead of me). Whilst Google's ads are often useful, if they're not paying for something I'm using I would far prefer to have a list of related websites displayed rather than related adverts.
I'd also argue that this is spyware in a way - I don't have a problem with it, but google will know where you're going since it _has_ to ask google for ads relevant to the current page. The difference between this "spyware" and true spyware is that the authors of the adbar aren't getting the data, Google is (and I would doubt that Google would ever use the information they can collect since it would be exceptionally bad publicity).
What might be cool would be for the adbar to provide a list of projects to support and you could tick the ones you want your money going to (I would be much happier installing it if I could choose for the money generated by my clicks to go to the Mozilla foundation and various opensource projects that I use). This could quite easily be done using the Google's AdSense categories to identify which project to pay a click to.
The whole point of the firewall is so that bad applications (like the ones that would turn a firewall off) don't get installed in the first place.
Yes - once a bad application is running with the right privileges then it can do anything it wants, including turning off the firewall (didn't some virus automagically disable ZoneAlarm?).
The concept of a personal firewall doing outbound filtering seems broken to me as well - what's stopping some bad software looking at the firewall to see what ports it's actually allowed to use to talk to the outside world? Usually you have a small number of services that you want people from the outside to connect to, and maybe you have to punch the odd extra inbound hole for your latest P2P software, but you generally use a _lot_ more random outbound protocols from a workstation - that's a lot of random holes to punch in the outbound filtering.
Popping up a message asking if it's ok for each and every application to scratch its arse is silly - windows users already get enough popup messages, chucking a bunch more at them to train them into just pressing "yes" without reading the error is a really bad idea. It also opens up the possibility for virus writers to trick people into OKing the firewall change - "WindowsUpdate is trying to make a connection, is this ok [yes] [no]?" - how do you know WindowsUpdate is actually Windows Update and not some worm going by the same name?
Nope, he's pure script kiddie - a cracker understands how an exploit works and spends a lot of time working out how to use it. This kid just modified someone else's code and almost certainly has no clue how the exploit works.
"he is forever be known as a script kiddy" (which begs the question, Why? Modifying a virus isn't a good way to make yourself popular).
Script kiddies aren't popular (at least outside script kiddie circles) - they are usually considered the lowest form of life.
* Virus writer: understands how stuff works, spends a long time putting together viruses (this is not right but he's put some effort into it)
* Cracker: again, like the virus writer, understands how exploits work, spends lots of time writing the exploit (again, not right but some effort has gone into it and in the long run it _does_ uncover bugs in software, which might be a good thing)
* Script kiddie: Can't type properly, inserts numbers in everything because he thinks it looks "cool" (actually it makes him look like a 12 year old tosser). Uses someone else's virus/exploit code and either uses it as-is or makes some minor modifications. This guy has done absolutely no work in writing the code he's using and almost certainly doesn't have a clue how it works.
Virus writers and crackers deserve some respect because they understand stuff and work for it, even if it is wrong. Script kiddies don't deserve respect because they don't understand anything, just rip off someone else's code and then think it's cool to compromise a few thousand/million machines.
Rest assured, they are _not_ doing it for the warm fuzzy feeling you get by doing something nice. OSS and GNU/Linux are part of their business strategy. They are in it for the money. That they happen to help us geeks is certainly nice, but at the end of the day, Linux and such would survive anyway.
Umm, RedHat are in it for the money, SUSE are in it for the money, etc... Is that so wrong? Just because something that benefits everyone is going to make the person who's doing it some money doesn't make it a bad thing.
AFAIK the internet at large has no support for multicast at the moment, which is why your ISP needs peering with the beeb for it to work. So if the ISP's routers aren't set up to do multicast and they don't ahve peering with a multicast content provider then you won't be doing multicast any time soon.
What is to stop someone from using a proxy from the UK? If porn can't stop proxies, what makes BBC think they can? LOL.
The proxy would have to be on one of the ISPs that the beeb peer with - they only offer "broadband" content to ISPs that peer with them, everyone else is stuck with "narrowband" (48Kbps) stuff. (Which you can kinda understand - the BBC were predicting that the online Olympic content would suck up over 10Gbps of their bandwidth)
In the UK, you don't have to have annoying ads breaking up your programming. Imagine watching Star Trek, Farscape, The Simpsons, Buffy, Angel, The Office, sports or even just the news without any commercial breaks whatsoever. The BBC lets you do that.
Err, no it doesn't - The beeb don't show any new Star Trek series (Channel 4 show Enterprise), nor do they show Farscape or The Simpsons anymore, they have never shown Angel (Channel 4 showed that) and any imported shows like Buffy are always a year behind because the beeb only show the reruns, not the premiers.
Whilest I love the fact that the beeb are at the forefront of a number of very interesting technologies, their programming is absolute crap these days. Whilest they do have the occasional interesting documentary I haven't seen a good weekly science programme on the beeb since they cancelled Tomorrows World (whilest claiming they would be replacing it with similar science content that never appeared). And the last good comedy that came out of the BBC was Red Dwarf VI, which was *years* ago. (Sorry, The Office just makes me cringe).
Rather than being forced to pay the TV licence I would prefer to have the option to pay a licence for the services I do use (the online content) and be able to buy the occasional BBC show that's worth watching on a pay-per-view basis. Over 120ukp a year is just too much money when a large chunk of it is paying for content that I'm not interested in which panders to the masses (no, oddly enough I'm not interested in hours and hours of football or "Fama Acadamy" just because 99% of the population seems to be interested in them - isn't the whole point of the beeb to provide content which _doesn't_ pander to the masses, i.e. stuff that's not feasable for commercial channels to produce?).
The most worthwhile programmes I've seen on the BBC over the past few years are the survival programmes by Ray Mears, which are absolutely excellent but there aren't that many episodes.
If you go on microsoft.com, they don't call linux "linsux" and have pictures of tux fucking a hooker.
microsoft.com is a corporate website, slashdot is an unofficial messageboard for geeks...
Besides, if slashdot used the real MS logo they're probably get sued into the ground for infringing the trademark every time someone made a bad comment about MS.
Suppose there is an issue in the IP stack itself? The machine can still be knocked over - a la early NT 4.0 - by crafted packets even if no services are listening. Can you see where a firewall might help?
No, I can't see how it would help - you're almost certainly going to have at least one port open so the bug is still exploitable.
There is a concept called "multi-level security"; you should look into it.
I think that was my point - by installing a firewall and not fixing the underlying problem (namely having services you don't want listening to the external interface) you are not implementing multi-level security. A firewall should be seen as a failsafe, not as a fix for an already flawed configuration.
Control: Even though I have broadband, I want control over what applications connect in and out. When a popup box appears, I am immediately informed what part of Windows or program is trying to access the outside world. I start the PF by locking everything, then clicking yes to everything I want to access the Internet and no to the others (making quick rules). I get a quick and easy overview. This gives an extra control over potential spyware and applications that shouldn't connect remotely.
It sounds like you're reasonably clueful... but just put yourself in the place of an average windows user who's probably been trained by the torrents of popups and warnings just to press yes on everything: how much would this new torrent of warnings that you have to click yes on without reading annoy you?
Trust me, I've done support - most users won't read error messages at all, they'll keep hitting the ok button until they get very pissed off and phone tech support to give them a hard time. The number of times I've answered calls complaining "I can't send email to this address, it keeps giving me an error message" and when asked what the error message is I've been told "oh I don't know I just deleted it". Usually upon further investigation the error is something exceptionally self explanitory such as "recipient's mailbox is full" - you don't need to phone tech support to knwo what that means.
Nice to lock down Internet Explorer and Outlook that way for extra security.
Obvious question here (and no disrespect or anything) but why do you use IE and Outluck when you know they're absolutely riddled with security holes? The only time I ever fire up IE is when I really need to see a site that won't work with firefox or opera... admittedly it's slightly more effort for me to fire up IE since I have to power up a windows machine, but the same would apply if I was using windows on my workstations.
Setup and configuring simply doesn't compare to a PF with a nice GUI.
I'd disagree here - you can buy standalone firewalls that will give you a nice GUI you can access through your web browser. Although I will admit that having the firewall identify what application is trying to access the port is useful.
In my eyes, not trusting XP or its applications
I think this is probably one of the biggest problems - you wouldn't let a drunk drive your car, why let an untrustworthy OS drive your computer?
An additional argument FOR PF is that security can be enhanced by making it easier for clueful users to setup a firewall with high enough level of restriction to prevent most attacks.
But for the usual "open this service" and "block that service" rules that most users will be setting up would you not agree it would be a far better solution to have a nice centralised place where you can tell it what services to run and which interfaces those services are bound to? Adding a firewall to do this seems like building a porch with a lockable door on your house because you can't be bothered to lock the existing door.
Many will never be able to figure out a hardware firewall in this lifetime. If you want security, best not use XP either, but OpenBSD or something similar.
I am convinced that there should be some kind of "internet licence" so you have to understand the basics of security though. There are such simple things that users can do which are really obvious if they stop to think about it. i.e. don't open that random executable that someone sent you unless you're sure it does what it claims to do, even if it came from people you know. The only problem with this is that the computing world is changing rapidly enough that we would require people to take the test every few years - I can still remember the days when we used to laugh at people who thought they could get a virus through email or a word processing document... oh how Microsoft changed that.
However personal firewalls have a -lot- of benefit at least from a business standpoint.
I beg to differ - a very large proportion of the support calls we get here are because someone has a personal firewall on their machine that's blocking something important. It is far too difficult to administer a separate firewall on every machine in a company. Admittedly this means that if one workstation gets compromised then the other workstations are accessible to the malware too, but again, services that are not needed should just not be running.
From a tech-support point of view, personal firewalls are nothing but trouble.
As a for instance, limiting the number of outgoing TCP connections that can be opened per second. If you've ever seen some of the viruses take out network bandwidth - this is one of many ways to help.
This kind of thing can be handled by a central firewall - it can filter such attacks from exiting the network and alert the sysadmins who can unplug the affected machine. If you have managed switches then the main firewall can even pull the plug on the affected workstation.
I do agree that there is most definitely a place for a personal firewall, but I don't believe the place is (as microsoft and most of the personal firewall manufacturers seem to suggest) on a standalone home machine as the first (only) line of defense.
I also think that anyone who plugs a windows machine directly into the internet is completely nuts. (You're slightly less nuts if you shove it behind a NAT).
Do you know how to stop Windows from using ports 137-139? I think many people don't know. I myself have no idea (as I don't use Windows) if it's even possible. If it's not, it's something you need a (personal) firewall for to block access to these ports (which I _do_ know to be exploitable).
I have no idea if you can disable those ports - I don't use Windows (I'm a pure Linux person). However if you can't, that is a design flaw with the OS that needs to be addressed - the solution is not to work around such flaws, the solution is to _fix_ the flaws (and the fact that it's the company responsible for these flaws that is publishing workarounds instead of fixes makes it even worse). As I said originally, what is needed is a unified way of configuring which network interfaces a service is listening on - this can be presented in *exactly* the same way as a personal firewall configuration (i.e. a list of services and tick-boxes showing which interfaces they're listening on)
And 'false sense of security'? Many people don't care about security, but need to be protected (sometimes even from themselves) anyway.
True, many people don't know or care about security. But when the media publish lots of problems about security holes and then Microsoft make a press release saying they have made the system really secure, it would be nice if they actually had...
Besides, if this 'personal' firewall is all you have protecting your network, even if it's only by being on by default, you're still better off security-wise.
Maybe... but how many people will get pissed off with the firewall blocking their outbound connections and rather than just opening the ports they need or disabling the outbound filtering they'll disable the whole bloody thing because they don't know/care anything about security.
Security is always a balance between usability and security - if you wanted full security then unplug the network connection. But I can guarantee that almost everyone would find that too restrictive and plug it back in. If your default policies are too restrictive you run the risk of people just disabling the lot.
The firewall can pop up a message for each connection asking if it's ok to allow it, but we already know that windows users are so inundated with popups and errors that they just hit ok on all of them without caring what they're OKing. Again, annoying the user into not paying any attention is a bad idea.
Configuring your OS/services well still doesn't protect you from a DoS on your computer though.
Depends what sort of DoS you're getting - I don't really see a firewall as a solution to any of them though:
- SYN flood: this problem was solved years ago through the introduction of SYN cookies - anyone who isn't using SYN cookies these days has no business allowing anyone connect to them anyway.
- Bandwidth flood: A firewall ain't gonna help you here - even if you're blocking the packets, they have already traversed your (reasonably low bandwidth) internet connection... The only thing that's going to help here is to block the packets on the ISP side of the connection.
- Slashdotting (i.e. many concurrent connections - may be legitimate connections but they're gonna kill your server anyway): Most services will let you limit the number of connections they will serve at the same time - a firewall is not the answer (unless it's on the ISP side of your internet connection).
IMHO having a firewall running is useful even if only to provide an extra stumbling block for malware.
It's a stop-gap solution - when 99% of computers block outbound traffic by default the malware will all automatically work around the firewalling. Malware is a very fast evolving problem, just like spam - simple stuff like this will only have an effect for a very limited amount of time. I think it's exceptionally bad that it will produce a false sense of security, and the very protocols that worms will be using are likely to be open anyway since they're protocols that people need to use.
Ok, how about a home network then? Many people use one Windows computer using "internet access sharing" to enable other computers to connect to the internet. In this case the internet-connected computer running a personal firewall would be a separate device and could defend itself (and the internet) much better against the internal compromised machine.
I wouldn't suggest that a firewall is useless in this situation, however I was talking about personal firewalls and would argue that once you start protecting a whole network instead of a single machine you can no longer consider it a "personal" firewall.
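The SYN cookie mechanism mentioned above in the DoS list, as an added example (not code from the original thread): a simplified stateless cookie generator and validator in Python. Real TCP stacks lay out the bits differently; the HMAC, the secret, the 64-second timestamp counter and the MSS table here are my own assumptions for illustration.

```python
import hmac
import hashlib
import time
from typing import Optional

# Constructed secret for this example only; a real stack rotates it.
SECRET = b"example-only-secret-rotate-me"

# Classic SYN cookies squeeze the peer's MSS into a few bits so the server
# can recover it from the final ACK without having kept any state.
MSS_TABLE = [536, 1300, 1440, 1460]

def _mac(src_ip: str, dst_ip: str, sport: int, dport: int, t: int) -> bytes:
    """24-bit keyed MAC over the 4-tuple and the time counter."""
    msg = f"{src_ip}|{dst_ip}|{sport}|{dport}|{t}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]

def make_cookie(src_ip, dst_ip, sport, dport, mss, now=None) -> int:
    """Build the 32-bit ISN sent in the SYN-ACK: 5 bits of time counter,
    3 bits of MSS index, 24 bits of MAC. No half-open entry is stored."""
    now = int(time.time()) if now is None else now
    t = (now // 64) & 0x1F                 # 64-second granularity
    idx = 0
    for i, m in enumerate(MSS_TABLE):      # largest table entry <= peer MSS
        if m <= mss:
            idx = i
    mac = int.from_bytes(_mac(src_ip, dst_ip, sport, dport, t), "big")
    return (t << 27) | (idx << 24) | mac

def check_cookie(src_ip, dst_ip, sport, dport, ack_num, now=None) -> Optional[int]:
    """Validate the ACK of the handshake (ack_num == ISN + 1). Returns the
    negotiated MSS for a fresh, genuine cookie, else None. Because the MAC
    covers the 4-tuple and time, a flood of forged ACKs cannot create state."""
    now = int(time.time()) if now is None else now
    isn = (ack_num - 1) & 0xFFFFFFFF
    t = (isn >> 27) & 0x1F
    idx = (isn >> 24) & 0x7
    mac = (isn & 0xFFFFFF).to_bytes(3, "big")
    age = (((now // 64) & 0x1F) - t) & 0x1F
    if age > 3 or idx >= len(MSS_TABLE):   # stale (> ~4 min) or bad index
        return None
    if not hmac.compare_digest(_mac(src_ip, dst_ip, sport, dport, t), mac):
        return None
    return MSS_TABLE[idx]

if __name__ == "__main__":
    # Constructed handshake between two documentation addresses.
    isn = make_cookie("192.0.2.10", "198.51.100.1", 40000, 80, 1460, 1_000_000)
    print(check_cookie("192.0.2.10", "198.51.100.1", 40000, 80, isn + 1, 1_000_010))
```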
An unrelated example: brain disease has tripled in the past two decades in most developed countries. But not in Japan. Aren't you curious as to why? Or would you rather stick your head in the sand and proudly proclaim everyone who is curious to be an alarmist?
:)
But sticking my head in the sand might shield my brain from the radiation
you're clueless, right?
No
firewalls can also be used to get some sort of acl functionality out of them (you might want to enable ssh access to only a few known ip's on the internet), can do packet inspection, perform rate limiting tasks, prevent DoS attacks
Right, because how many Windows personal firewall users are going to be doing that? I haven't seen Microsoft's offering but I'd be quite surprised if it could be configured any more specifically than "block this port" and "open that port".
protect the internet from _your_ machine should some malware be running
IMHO blocking outbound traffic from personal firewalls is of dubious use at best - once the machine has been compromised the malware can quite happily disable your firewall (a number of viruses are known to disable ZoneAlarm automagically) or look at the firewall rules to see which port it can make connections on.
Running a firewall to block outbound traffic only seems sane if it's a completely separate device since once the device running the firewall is in a position to send malicious data the security of the firewall should already be considered void. As far as I can tell, all it does is provide a false sense of security, which is a very bad thing.
I'd love to know what the point is in a "personal firewall" - seriously.
A computer does _not_ need a firewall - if it is configured correctly, all those nasty services with security holes in aren't even listening to the internet-facing interface (because you've got it configured correctly). There's no advantage in having a firewall over having the services configured correctly.
The *only* reason to have a firewall is that if you make a mistake and accidentally open a service you didn't intend to, the firewall is there as a failsafe. If you link the firewall and service controls together so you only have to press one button to enable a service you remove this advantage and there is again no reason to have a firewall.
Rather than running hundreds of services you don't need and then blocking them, it would be far better to have a unified way of telling all services which interface to bind to - to the end user this would appear like a firewall configurator anyway.
And if you must insist on prompting the user each time Doom 3 opens a listening network port then tie it in with the IP stack properly and prompt the user when it actually opens the port.
To me, the concept of using a personal firewall as your primary method of security is a kludge - if you need one then your machine's configuration is fundamentally broken and that's where you should be applying security.
Yes it would be cool but not really practical. I'd much rather have a message on the screen telling me whats wrong instead of having to look up a color and see what it means.
I dunno about you but I don't have my monitor turned on all the time. It'd be pretty cool if it glowed blue or something when I have new email coz then I wouldn't have to actually turn the screen on the check.
It is a bit difficult to understand the role of money in taking decisions impacting national security. Surely, the US will have more control if the project is within its own boundaries?
I guess (as usual) the US will be joining the pissing contest and demanding that ITER be built in the US...
the resulting singularity shouldn't cause massive gravitational changes since it will have the same mass as the moon and the same orbital velocity. Might even be sorta handy as a bottomless garbage pit.
Mmmm... and using it as a bottomless garbage pit won't have any effect on its gravity at all will it... besides, if it's already a singularity before it swallows the moon it stands to reason it's probably already quite massive.
Getting rid of the moon would likely be pretty catastrophic too - we rely quite heavily on the tidal forces.
I must admit, the idea is cool... but I'm not sure if it constitutes a non-obvious idea and I'm sure the case modders must've done this already.
:)
It would be kinda cool for your windows machine to turn red when you get a virus or have the computer go blue when you get new email though.
the systems will be connected to the internet. Even if they are heavily firewalled, they will have to get their information somehow, so some port will be open listening for incoming requests; so watch out for buffer overrun exploits and spoofed packets.
Yes, although the risk can be reduced through VPNs - if all the banks are connected through a big IPSEC VPN then the only services that need to be open to the internet at large are IPSEC itself and the key exchange protocol such as ISAKMP (if you use one). All other services will only be listening to the VPN so will be safe from direct attacks across the internet so long as the VPN remains safe.
targeted denial of service attacks
This is probably a rather more serious threat. I guess it can be reduced by having multiple redundant connections but if someone who "owns" a large number of zombies knows all the backup IPs then you have a problem (as we know, security through obscurity is bad)
the network simply going down or being slowed; slammer slowed down the internet, not just a few machines. If that means some transactions get delayed, some people will be losing money.
The internet at large being slowed down probably isn't a big deal - I'd guess the amount of traffic needed to make a bank transfer is reasonably small and so wouldn't be hit anywhere near as hard as stuff like web access. I'd guess they could fall back to ISDN dialup or something - they *must* have contingency plans for network outages (even now on their private network).
the traffic will be intercepted, and, if not decrypted, at least the volume of messages will be interesting information for corporate espionage
This problem can be reduced (admittedly at the expense of bandwidth) by sending regular fixed sized messages - if nothing's happening they are just blank (or contain garbage), otherwise they contain the data you want to transmit. If someone is capturing the encrypted traffic they will just see the same quantity of traffic no matter what's happening.
targeted BGP spoofing, DNS poisoning attacks and the like resulting in loss of service
Exactly - BGP spoofing is going to be the same problem as a DDoS on their IPs... and there's no reason to use internet-exposed DNS at all... You could always sign the DNS records with a public key to guarantee they're not spoofed though.
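The fixed-size, fixed-rate message scheme suggested above for hiding traffic volume, as an added example (not code from the original thread): a sender that emits exactly one frame per tick, padding with random filler or fragmenting long messages, and a receiver that reassembles them. The frame size, the 3-byte header and the sample messages are my own assumptions, and the frames would be encrypted before going on the wire so that filler and data look alike.

```python
import os
import struct
from collections import deque

FRAME_SIZE = 64              # constructed: every frame on the wire is this long
HDR = struct.Struct("!BH")   # flags byte + payload length
CAPACITY = FRAME_SIZE - HDR.size
MORE = 0x01                  # flag: this message continues in the next frame

class PaddedSender:
    """One FRAME_SIZE frame per tick whether or not there is data, so an
    observer counting (encrypted) bytes learns nothing about activity."""
    def __init__(self):
        self.pending = deque()

    def send(self, msg: bytes):
        if not msg:
            raise ValueError("empty messages are not sent")
        self.pending.append(msg)

    def tick(self) -> bytes:
        if not self.pending:
            # Nothing to say: dummy frame, zero length, random filler.
            return HDR.pack(0, 0) + os.urandom(CAPACITY)
        msg = self.pending.popleft()
        chunk, rest = msg[:CAPACITY], msg[CAPACITY:]
        if rest:                      # long message: continue next tick
            self.pending.appendleft(rest)
        flags = MORE if rest else 0
        return HDR.pack(flags, len(chunk)) + chunk + os.urandom(CAPACITY - len(chunk))

class PaddedReceiver:
    """Reassembles messages and silently discards dummy frames."""
    def __init__(self):
        self.buf = b""
        self.messages = []

    def receive(self, frame: bytes):
        if len(frame) != FRAME_SIZE:
            raise ValueError("malformed frame")
        flags, n = HDR.unpack_from(frame)
        if n == 0 and not (flags & MORE) and not self.buf:
            return                    # dummy frame
        self.buf += frame[HDR.size:HDR.size + n]
        if not flags & MORE:
            self.messages.append(self.buf)
            self.buf = b""

def simulate(msgs, ticks):
    """Run a session; returns (frame sizes seen on the wire, messages received).
    The size list is the same length and values however many messages there are."""
    tx, rx = PaddedSender(), PaddedReceiver()
    for m in msgs:
        tx.send(m)
    sizes = []
    for _ in range(ticks):
        frame = tx.tick()
        sizes.append(len(frame))
        rx.receive(frame)
    return sizes, rx.messages

if __name__ == "__main__":
    # Constructed sample: a short and a long message over ten ticks.
    print(simulate([b"transfer 100 GBP to account X", bytes(range(150))], 10))
```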
But noone who is providing you with a service is benefiting. If the Mozilla Foundation were getting the money from the advertising then I would consider it.
I am all in favor of Google's ads - they're nonintrusive and targeted (Hell, I use them on my website... I wish they would pay in sterling instead of sending 'checks' in dollars though). And I am in favor of the free websites using them (after all, the ads are paying for the site instead of me). Whilst Google's ads are often useful, if they're not paying for something I'm using I would far prefer to have a list of related websites displayed rather than related adverts.
I'd also argue that this is spyware in a way - I don't have a problem with it, but google will know where you're going since it _has_ to ask google for ads relevant to the current page. The difference between this "spyware" and true spyware is that the authors of the adbar aren't getting the data, Google is (and I would doubt that Google would ever use the information they can collect since it would be exceptionally bad publicity).
What might be cool would be for the adbar to provide a list of projects to support and you could tick the ones you want your money going to (I would be much happier installing it if I could choose for the money generated by my clicks to go to the Mozilla foundation and various opensource projects that I use). This could quite easily be done using Google's AdSense categories to identify which project to pay a click to.
The whole point of the firewall is so that bad applications (like the ones that would turn a firewall off) don't get installed in the first place.
Yes - once a bad application is running with the right privileges then it can do anything it wants, including turning off the firewall (didn't some virus automagically disable ZoneAlarm?).
The concept of a personal firewall doing outbound filtering seems broken to me as well - what's stopping some bad software looking at the firewall to see what ports it's actually allowed to use to talk to the outside world? Usually you have a small number of services that you want people from the outside to connect to, and maybe you have to punch the odd extra inbound hole for your latest P2P software, but you generally use a _lot_ more random outbound protocols from a workstation - that's a lot of random holes to punch in the outbound filtering.
Popping up a message asking if it's ok for each and every application to scratch its arse is silly - windows users already get enough popup messages, chucking a bunch more at them to train them into just pressing "yes" without reading the error is a really bad idea. It also opens up the possibility for virus writers to trick people into OKing the firewall change - "WindowsUpdate is trying to make a connection, is this ok [yes] [no]?" - how do you know WindowsUpdate is actually Windows Update and not some worm going by the same name?
Since I moved to the US I have 20 times as many channels, and the best thing on is still British comedy reruns on public access TV.
The only stuff in the UK worth watching these days are the British comedy reruns...
This guy is pure cracker.
Nope, he's pure script kiddie - a cracker understands how an exploit works and spends a lot of time working out how to use it. This kid just modified someone else's code and almost certainly has no clue how the exploit works.
"he is forever be known as a script kiddy" (which begs the question, Why? Modifying a virus isn't a good way to make yourself popular).
Script kiddies aren't popular (at least outside script kiddie circles) - they are usually considered the lowest form of life.
* Virus writer: understands how stuff works, spends a long time putting together viruses (this is not right but he's put some effort into it)
* Cracker: again, like the virus writer, understands how exploits work, spends lots of time writing the exploit (again, not right but some effort has gone into it and in the long run it _does_ uncover bugs in software, which might be a good thing)
* Script kiddie: Can't type properly, inserts numbers in everything because he thinks it looks "cool" (actually it makes him look like a 12 year old tosser). Uses someone else's virus/exploit code and either uses it as-is or makes some minor modifications. This guy has done absolutely no work in writing the code he's using and almost certainly doesn't have a clue how it works.
Virus writers and crackers deserve some respect because they understand stuff and work for it, even if it is wrong. Script kiddies don't deserve respect because they don't understand anything, just rip off someone else's code and then think it's cool to compromise a few thousand/million machines.