Comodo Personal Firewall

Including my two PoC codes? Must I add a third one now? ;-)

Yours, VB.

:-) But i think its important that a Personal Firewall (paid or free) covers as many holes as possible. Other companies sell Personal Firewalls (from McAfee to Zone Alarm) and they don't pass all the tests at all! PC is very insecure, the whole PC (CPU)architecture is designed to allow programmes easy access to almost everything so that they can debug easily, which causes inherent weaknesses for all software run on it. So we try to secure as much of that as possible. I haven't seen any other firewall paid or free that has the capabilities of what we have (as far leak tests are concerned). We are trying to secure the desktop in best possible way.

thanks Melih Comodo

This doesn't answer my question. I'm repeating:

| > I would like to announce that v.2 of Comodo personal firewall is now | > live. The newsworthy item here is that CPF v2 is the only firewall that | > has passed all the known leak tests. | Including my two PoC codes?

Why do you think so?

Most people are working with Administrator's rights, and there to secure with a "Personal Firewall" is futile anyways.

Have you implemented a security system for Windows messages and a security system for local COM in kernel space now? If so, are you using ACLs for it? Is your "Personal Firewall" enforcing the user not to work with admin rights?

That's not true. While PCs are using CPUs which are von Neumann style, and don't have two types of memory for separating code and data (like i.e. CPUs with Harvard architecture), PC hardware is not more insecure than other comparable hardware. The problem is with Microsoft Windows.

Yours, VB.

I just read your page about your "Personal Firewall". You're showing popups for users. Do you realize, that users cannot decide anything sensible for IT security, because they don't have a clue what's going on? Why are you showing popups then? What's on them?

Yours, VB.

Yes, you must add one that actually works - as neither of your PoC codes work on any of our computers in our network.

What holes are those may I ask?

What tests?

Programs run with the O/S. Without the O/S, a program cannot run on the PC. It's the O/S that's running on the machine and programs must adhere to what the O/S allows. It's the O/S that is the weak link and a program that runs with the O/S is only as secure as the O/S itself.

To allow programmes easy access to almost everything so that they can debug easily? So what are you talking about, as I am a programmer?

Where one should go is secure the O/S as much as possible and the applications running on said O/S.

The host based packet filter running at the machine level that's not a FW, as it doesn't separate two networks the one it's protecting from the WAN and the one it's protection the LAN, have too much bloat crap in them.

The buck stops at the O/S and not some PFW solution. If the O/S is not secure, than neither is the PFW solution running with it.

Duane :)

This is not true. While it's comfortable to have an operating system, it's possible to run programs without having one.

I'd like to know that, too.

Yours, VB.

We're talking the Windows platform -- nothing runs without it. And yes you can write a program that does it all like, I/O parphieal access and the whole nine yards, like back in 1971. :)

:)

Duane :)

snipped-for-privacy@COMODOGROUP.COM wrote in news:1143896945.608724.172650 @z34g2000cwc.googlegroups.com:

Anything named after a commode has to be crap.

Not true at all VB, in the sense of the Programs people are talking about here, you need some form of OS to run them. Yes, there are embedded systems that can run instruction sets or commands based on their capabilities, but they would not be anything like FireFox, Word, Notepad, etc...

I would love to see you get MS Word to run on a PLC-5 controller - hint, you can't.

"That's not true. While PCs are using CPUs which are von Neumann style, and don't have two types of memory for separating code and data (like i.e. CPUs with Harvard architecture), PC hardware is not more insecure than other

comparable hardware. The problem is with Microsoft Windows. "

VB, my statement is not about PC Hardware as such but the CPU architecture..Let me try to explain what I mean: (First of all, I, in the good old days did device driver development, I am an electronic engineer and have got involved in the design of many security hardware and 2 security Chips ). In my younger years, they could not build a dongle that we couldn't get into with a decent debugger (like softice). The issue is you can watch every instruction and its data by looking at the CPU registers. Thats where the inherent weakness is. So everything else that relies on that infrastructure is, to a level, flawed. Of course for one to claim insecurity, one must define the threat model, otherwise we could be talking about totally different scenerios and without proper defintion of a threat model we can't possibly say the security is reasonable or not. Anyway, my statement was based upon the structure of almost every single CPU (or microcontroller) I worked with (from 8086 based CPUs to Z80 to PICs) (Yes we did build a security chip using a Z80 core and worked nicely :-) and guess what we could not debug it cos the chip was built in a way it did not allow you to debug it! (the only way was for you to use a special acid to take the packaging of the chip off to expose the silicon and its connections to the pins and somehow try to connect it so that u could have access to its registers ) If you have access to the PC you have access to anything software on that machine cos you can have access to registers and with time you can figure out whatever it is you want to figure out. There used to a be good website with lots of useful info in reverse engineering called Fravia (check google for "Fravia reverse engineering", there still might be some people carrying the tradition forward :-) ). I understand your answer about the data and code protection but thats not what i was referring to.

just read your page about your "Personal Firewall". You're showing popups for users. Do you realize, that users cannot decide anything sensible for IT security, because they don't have a clue what's going on? Why are you showing popups then? What's on them?

Yours, VB.

VB, you are 100% right! Thats the biggest problem with firewalls. they say:

abc.exe is trying to connect to internet: do you want to allow or deny. and 99.9% of people don't have a clue about what that application is! That is why we introduced the following

Application Recognition Database Comodo Personal Firewall 2.0 can recognize over 10000 applications and determine their security risks. This database allows users to quickly ascertain whether activity is coming from a safe program or a malicious virus, trojan or spyware.

Of course 10,000 is only a small starting point. We have a team of people who continually update this and looking for help from our users to keep giving us a hand to increase this db so that CPF can intelligently inform you about the application that is trying to make connection.

Thanks Melih

Duane

I fully agree with you. We support the current efforts of the TCG (Trusted Computing Group) in coming up with a more secure PC Hardware architecture that would allow OS to be more secure. Pls check out how the next level of OS from MS will work. You will see that the trend towards more secure OS has started (no where near where it should be but its the first step). OS will have two sections: secure execution environment and non secure. It will use the TPM chip (Trusted Platform Module Chip) that is standardised by the TCG and already has gained recognition as the standards setting body from all the respected players in the market place from intel to AMD to Sony, fujitsu, seagate etc etc.

So yes I agree, need to secure OS, to do that, you have to have a secure hardware and that is under way.

thanks Melih Comodo

Duane

The tests are:

and a new one Comodo has discovered

These tests are designed in such way to "bypass" the firewall you have and connect to the internet without your personal firewall being aware or alerting you to it. So the idea is for a spyware or trojan to communicate over internet from your machine without your personal firewall being aware of.

thanks Melih Comodo

snipped-for-privacy@comodogroup.com wrote: [something]

Unfortunately, you did not answer my questions a second time. Will I get an answer?

Thanx, VB.

When you think that I'm right, why are you still holding the home user responsible for deciding security related questions?

Yours, VB.

Do you understand the concept of an operating system with classical architecture, separating kernel space and userland?

Yours, VB.

You mean TCPA, or now TPM:

Yes. In 1964:

And then in 1966:

Yours, VB.

I still have a major problem with a security design that is based on letting you know you're owned, after you're owned. What is the difference between iexplore.exe and iexplore.exe? E.