The ones you've opened, like 135,137-139, and 445?
When you enable the ICF, it starts off with all ports closed. So no, they would be the ports that I deliberately opened. In this case, TCP 22.
...all relative ports open. The ICF doesn't do anything about these ports, unless explicitly instructed to, and these are the ones that matter.
I guess by "explicitly instructed" you mean "enabled" or "turned on".
NAT, or more accurately PAT (Port Address Translation), maintains the source and destination ports, just as a stateful firewall will, and makes the machine inaccessible to non-solicited ip/port combinations.
Thanks, but I'm pretty sure everyone who cares abou this conversation knows how NAT works.
In addition, there have been vulnerabilities in the ICF itself
I'd like to hear about them. I don't remember hearing about any such vulnerabilities, but if they're fairly old I probably would have forgotten about them already. At any rate, I'll agree with you here, neither a perimeter firewall nor a host-based firewall provides sufficient security on its own. My point is that, if you're that concerend about security for your home network, the POS linksys box isn't giving you much more functionality (NAT, stateful filtering, etc) than the Windows ICF.
If the submitter is planning on making other windows house calls, he should keep XP SP1, 2000 SP4, and the 2000 and XP patches for the DCOM vulnerabilites exploited by sasser and blaster on him. Either burn them to CD or get a decent flash drive.
If on the other hand we want to address how your average joe user can install a new computer without getting hosed, I'd have to say that, given the current state of Windows SEcurity, this is not a possibility wihtout additional training for the average user. XP SP2 will fix some of this, but that won't take effect until machines start shipping with SP2 preinstalled.
The ICF is no less useful than a linksys box running NAT. I frequently run portscans on machines running ICF, and the only ports that ever come up are the ones I've opened.
Considering that Microsoft hasn't been hit upside the head with the MD5 clue by four yet, I wouldn't recommend getting MS patches from a 3rd party. With no way to verify that the file you're downloading is the file you want, getting OS patches from anywhere but the vendor is a bad practice IMO.
and then the trusted nature of the VPN assured that the virus would spread to the inside.
I've never encountered an industry-grade VPN solution that didn't give you the option to specify what ports and IPs the VPN client could connect to. The only trusted nature involved with a VPN is the admin who set it up.
... to stop executing screensavers, executables, etc. when they appear in their mailbox? I guess it doesn't matter since it only takes the weakest link to compromise an entire corporate network.
First off, blaster wasn't spread through email attachments. But for the helluvit, here's my corresponding question: when will mail server admins learn to stop allowing attachments with.scr,.com,.exe, etc extensions?
Let's face it, the only technological advance the RIAA won't get pissed off about is the one that sets up a direct deposit music tax, paid in full by everyone who can hear. Excuse me whilst I go gouge out my ear drums...
And what would you do if Microsoft set up a booth outside a Linux conference?
Tell ya what, you work on getting Microsoft to set up a booth outside a Linux conference where they give away free (as in speech|beer, not 120 day eval) copies of their OS, and I'll work on deciding what my reaction will be.
I've never understood what Linux people are talking about when they say that Linux 'runs faster' than Windows.
I've always considered the speed claim to be based on the server side of things, ie sharing files or serving up web pages. While relatively slow desktop environments can be annoying, my take on such things has always been that it's a small price to pay for a machine that's more stable, more secure, and free as an beer|speech. But then again, at work I use a winXP workstation and SSH or VNC into linux servers as necessary. So if one machine's responding slow I can just multitask to another one to kill time... I guess that helps me be more patient than someone using a native linux environment.
at which point you could flash the unit with new firmware, extract the WEP or WPA key, or just mess up someone's configuration and change the password.
This sounds unlikely. I really want to meet the tool that's security-conscious enough to set a wep key, but not change the default password.
Sometime last year I set up a linux snort server at work. Certainly a low-end server, by most standards. Did Gartner take this into account? I certainly didn't tell them, and I doubt they monitored me as I downloaded the iso's.
If gartner's stats are strictly based on data from redhat, IBM, etc, how can they possibly account for all of the "other" installs? I certainly hope these stats won't be used to calculate market share...
How does SPF handle roaming users? For example, if I'm a salesman and am in company X's building (not my own), how do I send mail as myself to a technician? Won't my SMTP be coming from the wrong SMTP server?
Not if you log into your corporate network through an SSL-based VPN or web based mail server interface.
Because, as we learned about the Blaster patch, you needed SP2 or later to fix it in 2000.
Exactly. Plus, you also have different patches for XP vs 2000, and in some cases a different patch for 2000 SP2 vs SP3 or 4. Just like the hardest thing for a worm writer to do is come up with code that will work on multiple OS/SP levels, writing one set of code that would patch multiple operating systems would be a near herculean task.
You're confusing who is controlling what is on the screen. I, the user, have chosen to have Gator on my screen (assuming I choose to download and install Gator).
Odds are, you (being a typical user) didn't know what you were getting yourself into when you clicked "Yes" in the IE Install-in-demand window. You never chose to install a program that would assault you with popups based on your web usage habits, and I'm willing to bet that if Gator billed itself as "a program that will give you even more popups" then it wouldn't have as large of an install base.
LLBean is suing a company that's using dishonest and deceptive software in a directed attempt to undermine their business.
Unfortunately, you may be creating a precedent so that method cannot be used to distribute any content.
You mean valuable communication methods such as glaring popup ads, tracking cookies, and browser redirection could go the way of the dodo if such a precedent were established? That would be a loss.
"First they came for the spyware companies, but I didn't say anything, because I didn't run spyware (that I knew of)..."
Has anyone actually done this? I'm interested in it for the novelty of it. That would make a good ad for the anti-M$ movement. Get a camcorder and tape it, try to go for a record. And have a Linux box on the side running tcpdump, make the dump available for download.
That would be fun to document. The conditions under which I've known this to happen were a windows xp machine, out of the box, plugged into a cable connection. Before the Windows Automatic Updater could download all of the patches, the box was rebooting because of either sasser or blaster. How did I find out? When a coworker said "I can't belive it, I got a new computer and it already had blaster on it!"
Which makes me wonder, if it were a wild west situation where anything goes, and anti-spammers were allows to break the law in the same manner, would these spammers still be in business, or would there basically be a bounty on the heads of spammers.
The first thought that comes to mind is, take the source code for phatbot (it is GPL'd after all), strip out the bits about exploiting microsoft vulnerabilities, but leave in the code that exploits machines listening on the backdoors left by bagel, netsky, and mydoom, and give it a payload that shuts the machine down.
No, it's not very nice, and yes, it would piss people off. But this is the anything goes solution.
Locking doors hasn't been all that effective at keeping people from breaking into houses either. Does that mean we should just stop locking our doors?
One major difference: there's not an overwhelming majority of people who feel that breaking and entering should be legal. Unless I'm severely out of touch, most consumers are of the opinion that we should be able to do whatever the hell we want with something once we've bought it.
The things you can do with CD's and tapes are a good comparison. If I have a CD that I like, I can listen to it in my stereo at home, and I can even carry it around with me and listen to it on my walkman/discman. If I want, I Can let you borrow it, and you can listen to it on your stereo. You can even tote it around and listen to it on your walkman. Onceyou're done you can return it to me, and as I walk away I can plunk it back into my walkman.
Now take the above scenario and replace the CD with a DRM protected.wma file, and that gets to be a horrible pain in the arse. While it's true that with the.wma file you don't have to give it back, what the RIAA doesn't understand is that if it wasn't for me you wouldn't have listened to the damn song in the first place.
...it is quite time someone questions the exact origin of SSL, SSH, NTP and a few other items in IOS which are known to be bug for bug compatible with OSS code and do not have stated copyrights in the IOS release notes.
Parent raises a very good point. While Cisco has acknowledged other use of open source code in the past, I've wondered if there was a use of the same source or maybe just shared libraries that caused vulnerabilities in openssh to affect the IOS, and the same with openssl. Cisco developers have also made open source contributions, so it's not like nobody there gets the GPL.
I have to wonder what Novell's long term strategy is here. This is either A, a clever grab for better karma, or B, a move to provide a gradual upgrade path from Windows/Office/Exchange to Suse/Evolution/Groupwise.
I actually don't expect Microsoft to get too bitchy about this. It seems to me like they're putting their money on virtual office integration. While Novell has a product in this space too, Microsoft's product will probably end up being more polished, easier for the average end-user to use, less secure, but effectively less expensive for clients with enterprise license agreements.
As a 26 year old, what up-and-coming trend/technology/pastime am I going to want to legislate out of existence when I'm a crotchety old bastard? At what point will we collectively quit being intimidated by that which we don't understand?
Only users who engage in illegal activities really have anything to worry about.
I disagree. What if someone makes an off-by-one error when recording an IP address? What if I get an IP assigned via DHCP that was previously leased by someone who was up to all manner of nastiness? Everyone wit an IP address has something to worry about with this gestapo crap.
Rights? The right to trade a copy of "Walking Tall" recorded in theater with a camera (judging by the filename)?
Horseshit. Try the right to not get drug through the court system by a plaintiff with exponentially more money to spend on legal fees than me based solely on substantial and frequently erroneous evidence.
Hollywood would do well to pull its head out of its ass and realize that few of their movies are worth the space they'd take up on my hard drive, let alone the time it would take to sit through them.
Slashdot Mirror
Good point. If Autopatcher's software checks those signatures then I don't see an issue.
If the submitter is planning on making other windows house calls, he should keep XP SP1, 2000 SP4, and the 2000 and XP patches for the DCOM vulnerabilites exploited by sasser and blaster on him. Either burn them to CD or get a decent flash drive.
If on the other hand we want to address how your average joe user can install a new computer without getting hosed, I'd have to say that, given the current state of Windows SEcurity, this is not a possibility wihtout additional training for the average user. XP SP2 will fix some of this, but that won't take effect until machines start shipping with SP2 preinstalled.
The ICF is no less useful than a linksys box running NAT. I frequently run portscans on machines running ICF, and the only ports that ever come up are the ones I've opened.
Considering that Microsoft hasn't been hit upside the head with the MD5 clue by four yet, I wouldn't recommend getting MS patches from a 3rd party. With no way to verify that the file you're downloading is the file you want, getting OS patches from anywhere but the vendor is a bad practice IMO.
Let's face it, the only technological advance the RIAA won't get pissed off about is the one that sets up a direct deposit music tax, paid in full by everyone who can hear. Excuse me whilst I go gouge out my ear drums...
Sometime last year I set up a linux snort server at work. Certainly a low-end server, by most standards. Did Gartner take this into account? I certainly didn't tell them, and I doubt they monitored me as I downloaded the iso's.
If gartner's stats are strictly based on data from redhat, IBM, etc, how can they possibly account for all of the "other" installs? I certainly hope these stats won't be used to calculate market share...
LLBean is suing a company that's using dishonest and deceptive software in a directed attempt to undermine their business.
"First they came for the spyware companies, but I didn't say anything, because I didn't run spyware (that I knew of)..."
No, it's not very nice, and yes, it would piss people off. But this is the anything goes solution.
The things you can do with CD's and tapes are a good comparison. If I have a CD that I like, I can listen to it in my stereo at home, and I can even carry it around with me and listen to it on my walkman/discman. If I want, I Can let you borrow it, and you can listen to it on your stereo. You can even tote it around and listen to it on your walkman. Onceyou're done you can return it to me, and as I walk away I can plunk it back into my walkman.
Now take the above scenario and replace the CD with a DRM protected
I have to wonder what Novell's long term strategy is here. This is either A, a clever grab for better karma, or B, a move to provide a gradual upgrade path from Windows/Office/Exchange to Suse/Evolution/Groupwise.
I actually don't expect Microsoft to get too bitchy about this. It seems to me like they're putting their money on virtual office integration. While Novell has a product in this space too, Microsoft's product will probably end up being more polished, easier for the average end-user to use, less secure, but effectively less expensive for clients with enterprise license agreements.
As a 26 year old, what up-and-coming trend/technology/pastime am I going to want to legislate out of existence when I'm a crotchety old bastard? At what point will we collectively quit being intimidated by that which we don't understand?
Keep in mind though, Ironport has been playing both sides.
Consider also that Ironport was founded by Microsoft / Hotmail execs, and it all looks a little fishy.
Hollywood would do well to pull its head out of its ass and realize that few of their movies are worth the space they'd take up on my hard drive, let alone the time it would take to sit through them.