Jetico Personal Firewall freeware asks way too many questions

AFAICS things are typically stated like "it just happens naturally".

Aside from the serious need for any actual vulnerability, which is truly hard to find, the avoidability is exactly the point that makes the qualification void. "Drive-by-downloads" are more or less a description of a seemingly natural, unavoidable phenomenon to shift off responsibility.

BTW, what exactly differs a "drive-by-download" from a "webbrowser exploit" as we've called it since ever?

Things that aren't like they're categorized aren't real, though. Just like "tracking cookies", "phone home" or "phishing".

Reply to
Sebastian G.

Aside from the added complexity and the inability of the user to judge the output of the mentioned program, what exactly is a shitload of false positives worth? Say it, f.e., claims that there's some oh-so-bad "tracking cookie", and as well a trojan horse in user32.dll (because it doesn't match the original one any more, probably due to a normal update). Now it deletes both, demands a shutdown, and the system doesn't boot up anymore.

Just try running it over a completely fresh install of Windows, or even over a well secured system with a lot of known-good third-party software, and the shame of its report. Same goes for almost any malware scanner under the sun.

Now then, if you weren't talking about BugHunter, as I clearly was, what the hell were you going off about?

Reply to
Dustin Cook

that could just as easily be an interpretation that is peculiar to you alone...

it is something that is likely to happen (or to have happened, as in 'that's the way the malware got in') to quite a few average users because it's not easy to avoid being vulnerable nor to avoid being exposed...

hard to find a vulnerability? on what planet?

i'm wondering what exactly you mean by avoidability here... do you mean it should be easy to avoid being exposed? you are aware that these types of exploits have been known to be injected into the ad rotation of legitimate, otherwise trustworthy sites, right?

well, consider the possibility that a web browser is not the only component on your system involved in rendering the content on a given web page... the browser renders the html, but what about scripts? what about multimedia? what about other document formats like pdf?

strange, most people would refer to that simply as hype rather than full non-reality...

you don't think phishing is real either? oh boy...

Reply to
kurt wismer

Sorry, but it's exactly what I see in real life.

Nonsense, it is really easy because almost every webbrowser is secure by default out-of-the-box.

On this planet. Show me an up-to-date webbrowser with an unpatched vulnerability and/or a bad security history (that is, there have been large non-negative delays between vulnerability and patch and no workarounds).

It's hard getting exposed at all.

Right. The exposure is measured by the security of the webbrowser, and nothing else.

ECMAScript is obviously interpreted by the webbrowser as well.

That's external. Do you let such things load by default or what?

Indeed, since the phenomena don't belong to the description.

Phishing is described as a problem of the webbrowser and/or the WWW, but it's solely a PEBKAC problem, thus it's a problem within the user and the phenomenon only a result of this. For any minimally competent user phishing purely is a non-threat.

Reply to
Sebastian G.

No, maybe someone just doesn't want it to do things like phone home to look for an update and it has no option to set it that way. Maybe they want to block a game's adserver, some of them have that now, oh, they could use the hosts file to do that too but you are also against that. I bet you are a spyware programmer trying to mislead people to make your job easier. Why else would you hang out in a boring firewall group day after day?

Reply to
John Adams

Well, if you are not a spyware programmer you are definitely a script kiddy.

Reply to
John Adams

here's the thing, it's *still* presented in a way that's open to interpretation... your interpretation is that 'it just happens naturally' on hardened systems while other possible interpretations could easily include 'it just happens naturally' for most average users (who, by the way, don't have hardened systems)...

now you're just being absurd....

vulnerabilities exist in most non-trivial programs whether the good guys know about them or not so i will say *all* web browsers have unpatched vulnerabilities and time will bear me out...

and no, the bad guys don't depend on vulnerabilities already known to the good guys... they have their own black hat researchers and their own vulnerability black market...

no, it's not... it's quite easy because the exploits can be served through mainstream sites like cnn.com...

wrong... exposure has to do with whether you came in contact with it, not whether you got compromised by it...

aside from the fact that that is not the only script language out there...

of course it's external, that's the point... rendering web content normally involves external functionality in addition to what's built into the browser... even rendering images is 'external' (and has been a source of problems - see wmf and vml)...

and yes, people let those things load/run by default... when they click on a pdf link they expect to see the pdf in their browser.. when they visit a flash site they expect the flash to just work automagically...

it doesn't belong to the strawman you use as a description, no...

it seems dustin is correct, i'm wasting my time here... it's unreasonable to expect users to know that paypalsecurity.com is registered to a different entity than paypal.com is...

Reply to
kurt wismer

Then you're considering it as malicious. (does something you don't want without asking for permission)

Then you're considering it as malicious. Aside from that, that typically makes the software non-working and also typically violates the EULA.

Well, maybe because it doesn't work? Keyword: setsockopt(&socket, SOCKOPT_NO_HOSTS);

Reply to
Sebastian G.

You don't need a hardened system to be secure against the typical threats of connecting a machine to the internet. And on not especially hardened systems it's still true that such things really don't need to happen naturally.

Or correct. Just take a look at the major players Mozilla Firefox, Mozilla Seamonkey, Opera, Konqueror and w3m. Agreed, Mozilla Firefox is a bit obscure, but nevertheless still secure by default.

Thanks for stating the trivial exception that doesn't need to be discussed. Now, can you present some incidents showing any significant relevance?

Exposure is measured by the vulnerabilities, not by the websites serving them. Who the hell cares if cnn.com serves some third-party scripts with malicious intent as long as the intent can't materialize into an actual compromise?

In that case, exposure should be about 100% and every system would be compromised. Not. Without an unpatched vulnerability, that's a no-go.

Huh? It is, especially due to imply by the HTML standard. It's also that I have yet to see a webbrowser supporting any additional scripting language.

External != embedded. And which webbrowser renders WMF and VML?

Sure it's reasonable, you just shouldn't expect people to be reasonable. Heck, when you don't know the URL syntax, then you should expect to run into security problems. Still it's the user's fault, for intentionally ignoring minimum required knowledge.

Reply to
Sebastian G.

It works for game ad servers (it has been tested by me and many other gamers) and any EULA that says you can't block ads wouldn't have a legal leg to stand on. Just because an app phones home to check for updates doesn't make it malicious but I may want to block it anyway just because I can.

And you are wrong about drive by downloads (referring to another post of yours). Maybe you need to bone up on the latest bots that are out there in the wild.

Reply to
John Adams

You are a liar. Just in the past few days you tried to defend another one of your assumptive pontifications with the immortal logic "well, that's what other people are reporting".

It's pretty obvious from reading your posts, that you actually test very little if anything that you blubber about. Your only skill, if it can be called that, is wording things in such an ambiguous way that there's nothing to really dissect. And then insisting it's right.

Reply to
Nomen Nescio

We're talking about malicious applications here.

It has, fortunately for all the legitimate adware business.

We're not talking about updates. And indeed, if it was such an update functionality that could not be disabled by means of configuration, it should be considered as malicious.

Which are all due to PEBKAC, not hypothetical magic vulnerability fairies.

Reply to
Sebastian G.

Actually, most users I know believe that one cannot surf the web without at least an AV product in place because malware just magically installs itself.

Please name one that will infect a patched web browser of reasonable quality just like that.

Reply to
Straight Talk

[snip]

and the absurdity continues... apparently internet exploder (what most people use to browse the web with) doesn't exist in your world, and of the browsers that do exist firefox (of all things) is the one you consider obscure...

let's just be perfectly clear, here... you want me to list documented vulnerabilities in mainstream browsers for which there is no patch yet...

i just explained 2 things... the first was that the vulnerabilities that would get documented in the fashion you're looking for are not necessarily the ones that are actually relevant to this discussion (it's the ones that the blackhats know about but the whitehats don't that are most relevant)...

the second was that we can take the assertion that most browsers contain unpatched vulnerabilities as axiomatically true and let time do the work of revealing the details of those vulnerabilities... in other words, if browsers and all the components that plug into them never need security updates ever again then you were right, otherwise not so much..

but, just to put the last nails in the coffin of the debate on how easy it is to find vulnerabilities, these articles are all from the past month and each one is about something different and has something related to web browsing...

formatting link
?p=652
formatting link

it's clear to me that you are equating exposure to compromise, in spite of the fact that (for example) you can be exposed to a biological contagion without getting sick...

the majority of web users still use ie, ie supports additional scripting languages, and ie's jscript interpreter is separate...

no browser does, the browser hands that job off to a different component...

oh it is reasonable? ok then i suppose i can reasonably expect you to a) list the primary domains of all the sites you visit regularly and b) list *every* *single* domain that is also registered to those entities...

that is essentially what you're expecting others to be able to do... so go ahead, list away...

Reply to
kurt wismer

It does, but it isn't a webbrowser and therefore counts as PEBKAC. It's futile to discuss it in any security content since it's well documented to not be supposed to provide security in a hostile environment.

Which becomes quite clear when looking at the internals of Mozilla Seamonkey. The developers of Firefox don't even bother exposing really important configuration options in the UI or not even at all, the coding style of the components is horrible and full of stupid ideas (with the firefoxurl: protocol handler being the most recent absurdity).

This is a principle attack vector that cannot be avoided unless you have superior software verification mechanisms (which simply aren't practical today). Since this is not within the decision of the vendor neither the users, it's irrelevant to discuss.

You're forgetting one important detail: configuration can protect against yet unknown vulnerabilities by reducing functional exposure.

That's not even a vulnerability.

formatting link

And they're all patched already, with very short response time.

formatting link

And these aren't even webbrowser exploits at all.

Now is it ignorance or incompetence why you came up with these non-issues?

Oh hello, Mr. Bad Analogy Guy. The analogue world has the funny property that you can always break a system with more brute force, whereas for digital systems the set of input is fully enumerable (and that very trivially).

Abusing it as a webbrowser doesn't make it one. Of course, you don't need any scripting, ActiveX or whatsoever to render MSIE insecure when used on the world wide web, just like a Telnet session is always unencrypted and not securely authenticated (which is a documented behaviour, that's why you can't expect any security in first place).

Ok, can anyone point me over to a WMF and/or VML viewer plugin for any decent webbrowser?

I don't need to. I just don't create any false positive, but it's fully secure to not trust a website belonging to an entity due to different domain. As for your example, paypalsecurity.com doesn't belong to paypal.com until proven otherwise, period.

Reply to
Sebastian G.
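An added example (not part of any post in this thread) of the default-deny rule argued in the post above: a host is trusted only if it equals, or is a subdomain of, a domain the user has already verified, so paypalsecurity.com is untrusted until proven otherwise. The allow-list, the function names and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the user's own list of domains they have verified themselves.
TRUSTED = {"paypal.com"}

def host_of(url):
    """Return the host a browser would actually connect to, or None."""
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname       # drops "user@" and ":port", lower-cases
    if not host:
        return None
    return host.rstrip(".")     # "paypal.com." is the same host

def is_trusted(url, trusted=TRUSTED):
    """Default deny: trust only an exact match or a true subdomain."""
    host = host_of(url)
    if host is None:
        return False
    # The leading dot forces a match on a label boundary, so
    # "notpaypal.com" does not pass as a suffix of "paypal.com".
    return any(host == d or host.endswith("." + d) for d in trusted)

# Constructed sample URLs covering the URL-syntax pitfalls.
SAMPLES = [
    "https://www.paypal.com/signin",               # real subdomain
    "https://paypalsecurity.com/login",            # different registration
    "https://paypal.com@paypalsecurity.com/",      # userinfo before the host
    "https://paypal.com.login.example/",           # trusted name as a prefix
    "https://notpaypal.com/",                      # plain suffix, no dot
    "http://PAYPAL.COM:80/",                       # case and port
]

def classify(urls=SAMPLES):
    return {u: is_trusted(u) for u in urls}

if __name__ == "__main__":
    for url, ok in classify().items():
        print(("TRUST  " if ok else "REJECT ") + url)
```
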

i see...

well, all i can say is that those things you disagree with regarding drive-by downloading apply to the world where IE *is* a web browser - the most popular one in fact, and firefox, rather than being the obscure one of the bunch, is probably the second most popular...

since this doesn't appear to be the world you live in i don't think i have anything more to say to you on the subject... i'm really not familiar enough with the properties of your world to comment on them...

Reply to
kurt wismer

Will you please shut up and read the documentation and/or look at the implementation? The security model is to provide confluent protection in a secure environment, but not in a hostile environment. And surely it doesn't even get SGML comment parsing right, how should it ever get HTML right?

So once again: Being commonly abused as a webbrowser still doesn't make it one. Telnet isn't a webbrowser either.

And despite your ranting, discussing security on IE is pointless, since in your scenario it's insecure by design.

Reply to
Sebastian G.

Regardless who is "right" in this discussion - one thing is for sure: The wording in your postings in this newsgroup is simply embarrassing, and it's more than obvious that you have a complete lack of social competence.

Poor Sebastian - you must have been the most hated child in kindergarten ...

Reply to
Thomas Ludwig

my aren't you pleasant...

you make an excellent argument for why it's a *bad* browser, but not for why it isn't a browser at all...

in the world most people operate in IE is a browser... i can appreciate trying to redefine things in order to promote a paradigm shift in the way people think about security - unfortunately it sucks for everyday practical matters when that paradigm shift hasn't happened yet, and that paradigm shift isn't likely to come as your behaviour doesn't encourage people to buy into the alternative view you're proposing...

Reply to
kurt wismer

>> how should it ever get HTML right?

First off, we're talking about *web*browsers.

I think it is a very strong argument against being a webbrowser. A broken SGML parser/lexer, as the absolutely simplest part of rendering a website, doesn't allow for getting it right at the higher layers. Thus it's fundamentally unsuitable.

Yes, a file browser. Not a webbrowser.

No, that's what you're trying to do. You're claiming that because a lot of people abuse the non-webbrowser IE as a webbrowser, it would actually become one. That's silly.

Reply to
Sebastian G.
