Zone Alarm (Freeware) stopped reporting intrusions.

On the contrary.

Well, didn't you agree that the need for outbound application filtering was a myth?

Perhaps it's you who needs the services of an optician (or an interpreter). I didn't claim any such thing.

me

Reply to
bassbag

Ok, I set myself up for that one. I should have said "Chapter" per the OP's post instead of article (my bad).

However, to your point: yes, a malicious piece of software "could" just use port 80, which is bound to be allowed by my egress rules; however, malicious code writers aren't always "SMRT" (as Homer would say).

The assumption of stupid users and smart "attackers" is a mistake (myth), not the requirement for outbound filtering.

Reply to
kingthorin

Yes. Where exactly does that imply any claim on my part that everyone will see through it?

So you didn't reply "you haven't ... have you" when I stated that lies may boost sales because of people falling for the lies?

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

[...]

I'll take that as an "I don't know any either".

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

So what? A smart attacker is the worst case, which you have to take into consideration as well. Any measure can only count as a SECURITY measure if it will defeat the smart attacker as well as the stupid attacker.

You still fail to understand the points the article makes. With a smart attacker it's irrelevant whether the users are stupid or smart, they will never notice, because the malware bypasses the outbound traffic control so that no notification whatsoever is generated. And with the uneducated users not being able to understand what the personal firewall is telling them, they still are more likely to allow than to deny access when in doubt. So outbound filtering MAY work when you'll ALWAYS have DUMB attackers AND educated users. Which is a rather bold assumption from a security PoV.

What is so hard to understand about this?

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

No.

But I will guarantee that I don't need a product which "phones home" and whose purpose is to prevent "phoning home".

BTW: many people think that one needs the source code of security software to evaluate it.

Ridiculous nonsense.

No. You may want to read RFC 791 and 792 (STD 5) to understand why this can never work. It's just advertising nonsense.

Yours, VB.

Reply to
Volker Birk

You need more arguments? Here they are:

  1. Problem: popups are a b0rken concept, people choose the wrong option

----------------------------------------------------------------------

This is one practical problem of "outbound filtering", and one of the worst. It's idiotic to ask the user for protection-relevant decisions, because the user is the person to be protected, not the person who should protect.

In most cases, she/he does not know the correct answer (if there is one), and this was the reason why this user bought the "security product": to be protected without any deep knowledge about computer security.

  2. Technical problems

---------------------

I showed some with my PoC code at [link] and [link].

BTW: the "manufacturers of security software" are taking this so seriously that they're lying, claiming this would be malware, not proof of concept ;-) Obviously they're frightened by such proofs that their "outbound filtering" is just a tasteless joke.

You can test what your "Virus Scanner" says to [link] and [link] - both _do_ _not_ _contain_ _any_ _malware_.

  3. Outbound filtering is counterproductive, not helpful for security

--------------------------------------------------------------------

Most "phoning home" is for online software updates of useful programs. Everybody should permit this, because online software updates protect you from being attacked by older malware (and there is enough of this kind in the wild).

Yours, VB.

Reply to
Volker Birk

The assumption of incurious users and smart attackers is the only assumption which is valid for a scenario of protecting home users.

"Security systems" whose concepts are not based on this assumption are of no value for home users.

Yours, VB.

Reply to
Volker Birk

"With a smart attacker it's irrelevant whether the users are stupid or smart, they will never notice, because the malware bypasses the outbound traffic control so that no notification whatsoever is generated."

So protection from the dumb attackers is pointless? I'm sorry, but I disagree. My bandwidth, CPU cycles, memory usage, and storage are not pointless things to protect. I agree that outbound filtering won't protect everyone from smart attackers, but it can protect you and your valuable resources from the dumb ones.

I'm not claiming that outbound filtering is a perfect solution by any means; however, I still maintain that it's ridiculous to call its usefulness a myth.

Reply to
kingthorin

No. Secure protection is a good thing. "Protection" like "does only work if the attacker is a muppet" is ridiculous.

It's not useful at all. Even if it could ever work, it's counterproductive.

Yours, VB.

Reply to
Volker Birk

In some cases, that's simply not possible. Take the MS installer, for example. Sometimes during installation of a program or driver, the installer itself (not related to said program or driver) tries to contact a Microsoft server. Also, the "new hardware" wizard has an option to check with Windows Update for updated drivers, but even if you tell it NOT to do so, it sometimes still wants to make an outbound connection.

Just my two cents.

Reply to
prophet

Sadly a lot of attackers = muppets = script kiddies

Think of it like phishing emails. Some are obvious to spot, with spelling mistakes or old methods of hiding URLs from dumb users. Some are hard to spot, with no typos, good grammar, and well-hidden URLs. Just because some of them are good doesn't mean I don't want to be, or shouldn't be, interested in being protected from the bad (obvious) ones.

Maybe we'll have to agree to disagree ;)

Reply to
kingthorin

I'd say Sygate 5.x does a pretty good job. Whenever an untrusted program starts a trusted program to make an outbound connection on its behalf, Sygate blocks the connection and informs the user.

This can be reproduced by simply clicking a URL in an email message. Sygate will inform the user that the default browser wants to connect to a server, and that this was initiated by the default mail client, even if there already are "allow" rules for both programs separately. Of course, another rule for this particular combination of programs can be created, so you're not confronted with these popups in the future.

Reply to
prophet
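The behaviour prophet describes (a trusted program's outbound connection is judged by which program launched it, with a per-combination rule remembering the user's answer) can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from the thread or from Sygate, and the process names, PIDs, the trusted set and the `INTERACTIVE_LAUNCHERS` assumption are all constructed for the demo.

```python
# Added example, not code from the thread or from Sygate: a toy model of
# launch-chain-aware outbound control. A connection by a trusted program is
# blocked when that program was started by an untrusted one, and queried once
# when it was started by another trusted program, until a pair rule exists.
# All process names, PIDs and rule sets below are constructed for the demo.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Assumption: a process whose parent is one of these was started by the user
# by hand, so no "who initiated this?" question is needed.
INTERACTIVE_LAUNCHERS = {"explorer.exe"}


@dataclass
class Process:
    pid: int
    image: str
    parent_pid: Optional[int]


class OutboundPolicy:
    """Decide outbound connections by the launching program, not only by the
    program that opens the socket."""

    def __init__(self, trusted: Set[str]) -> None:
        self.trusted = set(trusted)
        # (parent_image, child_image) combinations the user has confirmed once
        self.pair_rules: Set[Tuple[str, str]] = set()
        self.processes: Dict[int, Process] = {}

    def process_started(self, pid: int, image: str,
                        parent_pid: Optional[int] = None) -> None:
        """Record a process start so later connections can be attributed."""
        self.processes[pid] = Process(pid, image, parent_pid)

    def allow_pair(self, parent_image: str, child_image: str) -> None:
        """Persist the answer to a popup so this combination is not asked again."""
        self.pair_rules.add((parent_image, child_image))

    def decide(self, pid: int) -> Tuple[str, str]:
        """Return (verdict, reason); verdict is 'allow', 'deny' or 'ask'."""
        proc = self.processes.get(pid)
        if proc is None:
            return "deny", f"no start record for pid {pid}"
        if proc.image not in self.trusted:
            return "deny", f"{proc.image} has no allow rule"
        parent = (self.processes.get(proc.parent_pid)
                  if proc.parent_pid is not None else None)
        if parent is None or parent.image in INTERACTIVE_LAUNCHERS:
            return "allow", f"{proc.image} started by the user"
        if parent.image not in self.trusted:
            # The case the post describes: an untrusted program drives a
            # trusted one to get its traffic out. Block and tell the user.
            return "deny", f"{proc.image} was started by untrusted {parent.image}"
        if (parent.image, proc.image) in self.pair_rules:
            return "allow", f"rule for {parent.image} -> {proc.image}"
        # Both programs are trusted on their own, but this combination has
        # never been confirmed, so the user is asked once.
        return "ask", f"{proc.image} wants to connect; initiated by {parent.image}"


def demo() -> Dict[str, str]:
    """Constructed process tree exercising each branch; returns verdicts by label."""
    p = OutboundPolicy(trusted={"outlook.exe", "iexplore.exe"})
    p.process_started(1, "explorer.exe")
    p.process_started(10, "outlook.exe", parent_pid=1)
    p.process_started(20, "iexplore.exe", parent_pid=10)   # mail client opened a URL
    p.process_started(30, "iexplore.exe", parent_pid=1)    # user opened the browser
    p.process_started(40, "unknown_tool.exe", parent_pid=1)  # no allow rule at all
    p.process_started(50, "iexplore.exe", parent_pid=40)   # browser driven by unknown tool
    out = {
        "user_browser": p.decide(30)[0],
        "mail_to_browser_first": p.decide(20)[0],
        "untrusted_program": p.decide(40)[0],
        "browser_via_untrusted": p.decide(50)[0],
        "unknown_pid": p.decide(99)[0],
    }
    p.allow_pair("outlook.exe", "iexplore.exe")   # the user answered the popup once
    out["mail_to_browser_after_rule"] = p.decide(20)[0]
    return out


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

The "ask" verdict is where the thread's complaint about popups lands: the model only ever asks for a trusted-by-trusted combination, and only until the user has answered once, which keeps the number of questions bounded by the number of distinct program pairs rather than by the number of connections.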

Sygate failed on both of my leak tests.

Yours, VB.

Reply to
Volker Birk

Yes. And the scripts (aka tool"z") they're using are not ridiculous at all, sadly.

If "outbound filtering" were not counterproductive, maybe we could agree. If it were harmless, then it would get a "why not, does not matter" from me.

Unfortunately, the opposite is true; maybe you will comment on the "online software update" problem before we agree to disagree.

And even if this problem did not exist, most "Personal Firewalls" would get a "don't use them", since I had a look at a bunch of such tools - most of them are endangering their users.

Yours, VB.

Reply to
Volker Birk

I still don't agree with this; yes, some are not ridiculous, but definitely not all. I could probably even be convinced that the majority "are not ridiculous", but that still doesn't mean that I don't want to be protected from those that are.

I don't see the issue here; yes, software must be able to update. The majority of updates are accomplished on standard ports. It's obvious to even dumb users to click yes here: "Your AV wants to access the internet" (if they even get prompted).

Go to the Windows Update website; it wants to install an ActiveX control. Do the majority of users say "No" and end up without updates? Even most dumb grandmothers that like "sexy dancing pigs" know that when they go for updates, YES, they actually want them.

I can agree that currently available software firewalls "are endangering their users" in the majority of cases.

Reply to
kingthorin

Yes, several attacks may be detected by outbound control. However, since you have to depend on luck for not getting hit by a smart one, this has nothing to do with security.

Most users are not able to distinguish between "good" (e.g. automatic software updates) and "bad" (malware) outbound connections. So they'll either allow everything (which is bad because malware will be able to communicate outbound) or deny everything (which is bad because their software will remain vulnerable).

It's obvious that jusched.exe will update the Java Virtual Machine that they don't even know they had installed in the first place? IBTD.

Volker was talking about automatic updates, not about manual updates.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

"Yes, several attacks may be detected by outbound control. However, since you have to depend on luck for not getting hit by a smart one this has nothing to do with security."

So you're saying that because something might get through I shouldn't care about any of it? I should be completely willing to sacrifice any and all CPU cycles, bandwidth, storage etc?

My AV software is completely pointless because while it stops known attacks it can't/won't stop unknown attacks. (Smart/Dumb, New/Old same thing).

Reply to
kingthorin

I'm not talking about "Anti Virus" programs. I'm talking about people preventing their PDF viewer, their word processor, their video player, their MP3 player, their %WHATEVER_USER_PROGRAM% from "phoning home", which in reality only prevents them from getting online software updates, and so prevents the user from being protected.

Interesting. This is exactly the reason why "preventing from phoning home" by offering popups will never work: because every user will choose "Yes", at least the second time she/he tries to use %FEATURE%.

Yours, VB.

Reply to
Volker Birk

You should not try to "outbound filter phoning home" then. You should flatten and rebuild.

AV software for sure finds every virus it knows (if it's well implemented), *BEFORE* the malware can do harm.

"Outbound filtering" is too late - it should work when malware has already broken every security provision you have taken, and your box is already 0wned.

The former is useful. The latter is b0rken by concept.

I don't know why people don't see the one and only advantage of most common "Personal Firewalls": to work as a little IDS. OK, maybe IDSes should be implemented in better ways, but this is the only point I can see where one could use a "Personal Firewall" in theory.

Unfortunately, for home users this is not suitable at all in practice, because all "Personal Firewalls" I know have really terrible false positives and are flooding users with useless popups, so nobody will notice the really important popups any more.

Yours, VB.

Reply to
Volker Birk

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.