Would a firewall prevent Sasser worm?

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

On Thu, 06 May 2004 09:27:38 +0800, Bernd Felsche spoketh

>Lars M. Hansen <badnews@hansenonline.net> writes:
>
>>On Wed, 05 May 2004 14:11:14 +0100, Nigel Wade spoketh
>
>>>There is no sun-rpc package in RH8 or RH9. Are you sure you've really
>>>installed them?
>
>>>If you actually meant the portmap package then that is only
>>>required by fam. Since fam is monitoring local filesystems there
>>>is no need to open port 111 to anything other than the loopback
>>>interface. No vulnerability whatsoever.
>
>>>You should not equate Linux with Windows. Just because RPC on
>>>Windows is a security hole does not mean that RPC in Linux is
>>>also.
>
>>Cut from my /etc/services file on my RH8 box:
>
>>sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP
>>sunrpc 111/udp portmapper # RPC 4.0 portmapper UDP
>
>/etc/services is only for documentation and reference.
>
>No way are the 8000+ other services documented *running* on most
>Linux boxes.

I was arguing the name, not whether all services were running.

We seem to be getting way off track. The question was if a firewall would
prevent a Windows computer from being infected with the Sasser worm, and
the answer is yes.

As I have stated elsewhere, Windows does come with some services running
by default that probably shouldn't be, including the Server service...


Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
 
Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

Leythos <void@nowhere.com> writes:

>In article <fo8mc.36781$Ik.2315088@attbi_s53>, newstome@comcast.net
>says...
>> On the other hand, if you do a Windows 2000 Server default install,
>> you're open to an untold number of vulnerabilities. Setting up
>> honeypots, I have never had a W2K server (default install) go longer
>> than 12 hours without being compromised. Maybe that's not a fair
>> statistic, since the default W2K server installs a buggy IIS, which is
>> exploited by zillions of script-kiddie tools,

>On the other hand, with a zillion articles on how to secure a Windows
>platform, including IIS, NT 4, Windows 2000, Windows XP, Windows 2003,
>it's almost negligent that they are not secured. As I've said before,
>there are a few fortune 100 companies that have run IIS as their web
>server platform for more than 5 years that I've had contact with. I've
>had my own IIS servers and Exchange, and FTP, and etc... servers running
>on Windows platforms as well as Linux platforms (and AIX). Not one of
>those servers has been compromised when configured by anyone with half-
>a-clue.

Unfortunately, most admins of systems such as those don't have half
a clue. THAT is the main security problem.

>Anyone that would put any platform directly on the net, without some
>protection, without proper configuration, isn't doing a smart thing.

Preaching to the converted.

It is nevertheless feasible to ship systems that are "closed" so
that they are reasonably-safe to connect straight away. It then
places a greater load on the user/admin to learn how to open up the
required services, and have a chance of learning the risks
associated with that.

The wannabes will still install everything and turn it all on;
because they can. Over-enthusiasm cannot sometimes be tamed with a
clue-by-four.
--
/"\ Bernd Felsche - Innovative Reckoning, Perth, Western Australia
\ / ASCII ribbon campaign | I'm a .signature virus!
X against HTML mail | Copy me into your ~/.signature
/ \ and postings | to help me spread!
 
Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

In comp.security.misc Bernd Felsche <bernie@innovative.iinet.net.au> wrote:
> Leythos <void@nowhere.com> writes:
>
>>In article <fo8mc.36781$Ik.2315088@attbi_s53>, newstome@comcast.net
>>says...
>>> On the other hand, if you do a Windows 2000 Server default install,
>>> you're open to an untold number of vulnerabilities. Setting up
>>> honeypots, I have never had a W2K server (default install) go longer
>>> than 12 hours without being compromised. Maybe that's not a fair
>>> statistic, since the default W2K server installs a buggy IIS, which is
>>> exploited by zillions of script-kiddie tools,
>
>>On the other hand, with a zillion articles on how to secure a Windows
>>platform, including IIS, NT 4, Windows 2000, Windows XP, Windows 2003,
>>it's almost negligent that they are not secured. As I've said before,
>>there are a few fortune 100 companies that have run IIS as their web
>>server platform for more than 5 years that I've had contact with. I've
>>had my own IIS servers and Exchange, and FTP, and etc... servers running
>>on Windows platforms as well as Linux platforms (and AIX). Not one of
>>those servers has been compromised when configured by anyone with half-
>>a-clue.
>
> Unfortunately, most admins of systems such as those don't have half
> a clue. THAT is the main security problem.

The bigger issue is that the vast majority of systems aren't run by
"admins" at all, nor should they be. They're run by end users.

You sure wouldn't think about going out to buy a car that wasn't safe
as it was delivered --- would you accept the excuse that "any
competent mechanic could open the hood and adjust the right things to
make it safe!!!" -- I don't think so.

*That's* why safe default configurations are vital.

--

That's News To Me!
newstome@comcast.net
 
Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls,comp.lang.java.advocacy

phn@icke-reklam.ipsec.nu wrote:

>The above is correct if the only OS tried is windows. If you ever tried
>anything else you might experience that there exists things like secure
>OS designed to be as safe as possible even in inexperienced users' hands.
>
>The fact that "professional admins" has been running on MS-classes and
>has their machines infected while Linux admins is self-educated and has
>no such infections might give you a clue ?
>
>
>
>>Lars M. Hansen
>>http://www.hansenonline.net
>>(replace 'badnews' with 'news' in e-mail address)
>>
>>
>
>
>
1. Windows has far more security problems than Linux or other Unix
variants. Microsoft's defenders have about half a dozen excuses for this
and none of them impress me.

2. Linux and other Linux variants have many vulnerabilities. Fewer than
Microsoft's operating systems, but still too many.

3. The majority of Linux/Unix vulnerabilities have to do with buffer
overflows. So do a large chunk of Windows vulnerabilities. So there
are two problems here: Microsoft, and buffer overflows.

4. The solutions to both these problems, are simple, but not easy. The
solution to the Microsoft problem is to migrate to non-Microsoft
software. That's best done gradually. Start by running open source or
Java software on a Windows OS, get comfortable with that, and only then
switch to a non-Windows OS. The solution to buffer overflows is avoid
running software that's been written in C or C++. C and C++ are what
enable buffer overflows. They're a pointer-based family of languages,
and stray pointers are behind all buffer overflows. The trouble is,
nearly all the high performance Internet software out there is in C.

The Microsoft monoculture has got to go. And C/C++ have got to go, or
at least be used for far fewer things.

Anyway, that's my opinion.

--
Spammers: arero68@hanmail.net business@99peak.com epschao@sogiant.twmail.net
gagq@gagq.com good_day@sendmailforyou.com imc911@netian.com kim@derek.nl
kingoffice@so-net.net.tw sogiant.service@msa.hinet.net succa@roofo.com yahoomelsww@yahoo.com

Check out my Java, SQL and Python samples at http://rowland.blcss.com/
For sale: Unique and energy efficient hobbit home in New Hampshire:
http://www.angelfire.com/ego/rowland/mm.index.html
 
Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls,comp.lang.java.advocacy

On Thu, 06 May 2004 10:20:40 -0400, Rowland spoketh


>1. Windows has far more security problems than Linux or other Unix
>variants. Microsoft's defenders have about half a dozen excuses for this
>and none of them impress me.

Last time I counted, which is about 2 years ago, Red Hat 7.x had just
about as many security patches as Windows 2000, and that's only counting
the core components, not stuff like Exchange and sendmail, Apache and
IIS.

The Linux defenders seem to jump on the "Microsoft is worse" bandwagon
pretty fast as their main defense, and that doesn't impress me much
either. It simply shows a lack of understanding on how to properly
secure a Windows computer.

The biggest issue isn't Windows Network administrators, it's the home
user who just got his/her computer from Dell or Gateway, and just plugs
it in without knowing that things are not kosher. I admit (as both a MS
and Linux proponent) that there are default settings in Windows that are
plain and simply set wrong. Services are running that in most cases
shouldn't be and registry settings that could prevent some exploits are
not set correctly. The registry fix for the recent DCOM vulnerability
takes about 10 seconds to fix (plus reboot)...

>
>2. Linux and other Linux variants have many vulnerabilities. Fewer than
>Microsoft's operating systems, but still too many.

See above.

>
>3. The majority of Linux/Unix vulnerabilities have to do with buffer
>overflows. So do a large chunk of Windows vulnerabilities. So there
>are two problems here: Microsoft, and buffer overflows.

No, the problem is bad programming by everyone. Unless programmers
suddenly get perfect over night, we'll end up with buggy software on all
platforms.

>
>4. The solutions to both these problems, are simple, but not easy. The
>solution to the Microsoft problem is to migrate to non-Microsoft
>software. That's best done gradually. Start by running open source or
>Java software on a Windows OS, get comfortable with that, and only then
>switch to a non-Windows OS. The solution to buffer overflows is avoid
>running software that's been written in C or C++. C and C++ are what
>enable buffer overflows. They're a pointer-based family of languages,
>and stray pointers are behind all buffer overflows. The trouble is,
>nearly all the high performance Internet software out there is in C.
>
>The Microsoft monoculture has got to go. And C/C++ have got to go, or
>at least be used for far fewer things.
>
>Anyway, that's my opinion.

The solution to a broken tailpipe is never to throw away the car, but to
seek out someone who knows how to fix it. For larger organizations to
migrate away from Windows is too expensive. The sheer cost of retraining
every one to use a new operating system and new software is not
something that many companies would be willing to eat.

There is nothing wrong with C or C++, only with how some people write
their code. Seems like too many people have gotten some bad habits with
regards to static vs dynamic buffer lengths...


Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
 
Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

<newstome@comcast.net> wrote in message
news:nfjmc.38027$kh4.2032372@attbi_s52...
> In comp.security.misc Leythos <void@nowhere.com> wrote:
> > In article <c7b546$1qgaa$1@ID-122774.news.uni-berlin.de>,
> > nospam@talk21.com says...
> >> If an ISP has a NAT router then (unless I am missing something) all the
> >> other customers (at least those served by your particular router) will also
> >> be your side of the router, and able to port scan you anytime they want.
> >>
> >> I think that most ISPs will have firewalls between their own customers and
> >> the Internet - if only to protect their own machines and routers.
> >
> > I wasn't talking about the ISP doing a NAT for their network, I was
> > talking about the ISP enabling NAT on the Cable/DSL modem at each
> > customers location. Free, works great, blocks uninvited inbound.
>
> ???? What does this mean ????
>
> I'm not aware of any Cable modem with an IP stack, so they simply
> wouldn't be capable of doing NAT. I imagine DSL modems are the same.
>
> The ISP could provide a NAT-enabled router of some sort in addition to
> the Cable/DSL modem, but that would be an extra cost....

Wandering a bit now, but....

In the UK for (A)DSL you generally get:

(a) a USB DSL modem which plugs directly into your PC and leaves you
potentially exposed to the Internet.
This is the general base level install from an ISP and does leave you
exposed if you don't understand and deal with the security risks.
So I tend to agree that the base level install for DSL should be a
modem/router.
The most basic modem/router - DSL in, one Ethernet port out - costs little
more than a USB modem.
The main issue is where a PC has a USB port but no Ethernet port.

(b) a modem/router i.e. a DSL modem inside a router which provides NAT. The
most recent offerings give you a modem, router, SPI firewall, 4 port 10/100
switch, and an 802.11g wireless AP all in one box and under £100 UKP.
Generally you can get these as part of a package from the ISP, or get a
'wires only' install and buy your own.
IMHO the sensible way to go.


AFAIK in the UK for cable you usually get:

A cable modem which does cable in one end and Ethernet out the other and not
much else.

The thinking user gets a 'Cable/DSL router' (but for DSL see above) which is
essentially the same as the DSL modem/router but with an Ethernet WAN port
instead of the DSL modem.
The WAN side connects to the cable modem and the PCs sit on the LAN side via
UTP or 802.11x.
I have no idea why these are called 'cable/DSL' routers because it causes no
end of confusion for naive users who buy one thinking it can connect to DSL,
only to find they need a modem with an Ethernet port (which are as rare as
rocking horse droppings because single port modem/routers cost the same so
who would buy one??).

But I digress 🙂

Dave R

P.S. for increased security on a network with more than one PC, you can use a
cable/DSL router to build a true DMZ i.e. have your ADSL modem/router, into
your DMZ LAN, off which hangs your mail/web/whatever server and the cable
router, which fronts your 'green' LAN and uses NAT (and possibly SPI
firewall) to protect your PCs from any intruder who gets into your server.
 
Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

In article <nfjmc.38027$kh4.2032372@attbi_s52>, newstome@comcast.net
says...
> In comp.security.misc Leythos <void@nowhere.com> wrote:
> > In article <c7b546$1qgaa$1@ID-122774.news.uni-berlin.de>,
> > nospam@talk21.com says...
> >> If an ISP has a NAT router then (unless I am missing something) all the
> >> other customers (at least those served by your particular router) will also
> >> be your side of the router, and able to port scan you anytime they want.
> >>
> >> I think that most ISPs will have firewalls between their own customers and
> >> the Internet - if only to protect their own machines and routers.
> >
> > I wasn't talking about the ISP doing a NAT for their network, I was
> > talking about the ISP enabling NAT on the Cable/DSL modem at each
> > customers location. Free, works great, blocks uninvited inbound.
>
> ???? What does this mean ????
>
> I'm not aware of any Cable modem with an IP stack, so they simply
> wouldn't be capable of doing NAT. I imagine DSL modems are the same.
>
> The ISP could provide a NAT-enabled router of some sort in addition to
> the Cable/DSL modem, but that would be an extra cost....

All of the routers that RR uses in our region provide for the ability to
provide private address ranges on the internal side through means of
NAT. It's free to the ISP since it's already a feature in the modems.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 
Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls,comp.lang.java.advocacy

1. So security patches are a bad thing? In that case, don't install any!

The Linux community is more proactive than Microsoft in patching the
slightest potential problem, hence lots of patches offered for trivial
matters. I see that as an asset, not a liability.

3. No, the problem is computers. If there weren't any computers, we
wouldn't have any buffer overflows. But seriously, now. If we're going
to attack this problem with anything other than rhetoric, the way to
attack it is to phase out use of C and C++.

/I've programmed in C and C++ for years, and there's plenty wrong with
it. A good programmer will try to work around the many problems. A
better programmer will try to use another language in most cases.

C/C++ is for when you need to get close to the metal, or for when speed
is critical, or for when you need to write a bytecode interpreter for
Java. In other words, use C/C++ when you haven't got a choice, and only
then.
/

Lars M. Hansen wrote:

>On Thu, 06 May 2004 10:20:40 -0400, Rowland spoketh
>
>
>
>
>>1. Windows has far more security problems than Linux or other Unix
>>variants. Microsoft's defenders have about half a dozen excuses for this
>>and none of them impress me.
>>
>>
>
>Last time I counted, which is about 2 years ago, Red Hat 7.x had just
>about as many security patches as Windows 2000, and that's only counting
>the core components, not stuff like Exchange and sendmail, Apache and
>IIS.
>
>The Linux defenders seem to jump on the "Microsoft is worse" bandwagon
>pretty fast as their main defense, and that doesn't impress me much
>either. It simply shows a lack of understanding on how to properly
>secure a Windows computer.
>
>The biggest issue isn't Windows Network administrators, it's the home
>user who just got his/her computer from Dell or Gateway, and just plugs
>it in without knowing that things are not kosher. I admit (as both a MS
>and Linux proponent) that there are default settings in Windows that are
>plain and simply set wrong. Services are running that in most cases
>shouldn't be and registry settings that could prevent some exploits are
>not set correctly. The registry fix for the recent DCOM vulnerability
>takes about 10 seconds to fix (plus reboot)...
>
>
>
>>2. Linux and other Linux variants have many vulnerabilities. Fewer than
>>Microsoft's operating systems, but still too many.
>>
>>
>
>See above.
>
>
>
>>3. The majority of Linux/Unix vulnerabilities have to do with buffer
>>overflows. So do a large chunk of Windows vulnerabilities. So there
>>are two problems here: Microsoft, and buffer overflows.
>>
>>
>
>No, the problem is bad programming by everyone. Unless programmers
>suddenly get perfect over night, we'll end up with buggy software on all
>platforms.
>
>
>
>>4. The solutions to both these problems, are simple, but not easy. The
>>solution to the Microsoft problem is to migrate to non-Microsoft
>>software. That's best done gradually. Start by running open source or
>>Java software on a Windows OS, get comfortable with that, and only then
>>switch to a non-Windows OS. The solution to buffer overflows is avoid
>>running software that's been written in C or C++. C and C++ are what
>>enable buffer overflows. They're a pointer-based family of languages,
>>and stray pointers are behind all buffer overflows. The trouble is,
>>nearly all the high performance Internet software out there is in C.
>>
>>The Microsoft monoculture has got to go. And C/C++ have got to go, or
>>at least be used for far fewer things.
>>
>>Anyway, that's my opinion.
>>
>>
>
>The solution to a broken tailpipe is never to throw away the car, but to
>seek out someone who knows how to fix it. For larger organizations to
>migrate away from Windows is too expensive. The sheer cost of retraining
>every one to use a new operating system and new software is not
>something that many companies would be willing to eat.
>
>There is nothing wrong with C or C++, only with how some people write
>their code. Seems like too many people have gotten some bad habits with
>regards to static vs dynamic buffer lengths...
>
>
>Lars M. Hansen
>http://www.hansenonline.net
>(replace 'badnews' with 'news' in e-mail address)
>
>


--
Spammers: arero68@hanmail.net business@99peak.com epschao@sogiant.twmail.net
gagq@gagq.com good_day@sendmailforyou.com imc911@netian.com kim@derek.nl
kingoffice@so-net.net.tw sogiant.service@msa.hinet.net succa@roofo.com yahoomelsww@yahoo.com

Check out my Java, SQL and Python samples at http://rowland.blcss.com/
For sale: Unique and energy efficient hobbit home in New Hampshire:
http://www.angelfire.com/ego/rowland/mm.index.html
 
Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

Lars M. Hansen wrote:
> On Wed, 05 May 2004 14:11:14 +0100, Nigel Wade spoketh
>
>
>>There is no sun-rpc package in RH8 or RH9. Are you sure you've really
>>installed them?
>>
>>If you actually meant the portmap package then that is only required by fam.
>>Since fam is monitoring local filesystems there is no need to open port 111
>>to anything other than the loopback interface. No vulnerability whatsoever.
>>
>>You should not equate Linux with Windows. Just because RPC on Windows is a
>>security hole does not mean that RPC in Linux is also.
>
>
> Cut from my /etc/services file on my RH8 box:
>
> sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP
> sunrpc 111/udp portmapper # RPC 4.0 portmapper UDP
>
> You were saying?

I was saying, and am still saying, that there is no sun-rpc package in
RH8/9. I asked if you meant portmap, and portmap is in the portmap package.
sunrpc is a service, not a package.

>
> As for RPC being an issue on Linux, well, there may not be any known
> issues at this time, but there has been in the past, and who knows
> what's around the corner...

How do you know what future issues there might be with your firewalling
software, or your routers or... everything? If you are not going to use
something because of concerns about what future issues there *might* be,
your only recourse is to remove yourself from the Internet.


--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
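
An added illustration of the distinction argued in this exchange (not code from any poster): an entry in /etc/services only names a port, while exposure depends on whether something is listening on it and on which address it is bound. The sketch parses both formats from constructed samples; the /proc/net/tcp lines, the helper names and the little-endian address decoding (as on x86 Linux) are assumptions of the example.

```python
import ipaddress
import struct

# Constructed sample in /etc/services format. The two sunrpc lines are the
# ones quoted in the thread; ssh and smtp are ordinary entries added here.
SERVICES_SAMPLE = """\
ssh     22/tcp                      # SSH Remote Login Protocol
smtp    25/tcp      mail
sunrpc  111/tcp     portmapper      # RPC 4.0 portmapper TCP
sunrpc  111/udp     portmapper      # RPC 4.0 portmapper UDP
"""

# Constructed sample in /proc/net/tcp format. State 0A is LISTEN, 01 is
# ESTABLISHED. Addresses are hex, byte-swapped on little-endian hosts.
PROC_NET_TCP_SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 0A00000A:0016 0200000A:C001 01 00000000:00000000 00:00000000 00000000     0        0 1003
"""


def parse_services(text):
    """Map (port, protocol) -> service name from /etc/services-style text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        if port.isdigit():
            table[(int(port), proto)] = fields[0]
    return table


def parse_tcp_listeners(text):
    """Return (IPv4Address, port) for every socket in LISTEN state."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with "N:"; this also skips the header row.
        if len(fields) < 4 or not fields[0].endswith(":") or fields[3] != "0A":
            continue
        hex_addr, hex_port = fields[1].split(":")
        # Assumption: little-endian host, so the 32-bit value is byte-swapped.
        addr = ipaddress.IPv4Address(struct.pack("<I", int(hex_addr, 16)))
        listeners.append((addr, int(hex_port, 16)))
    return listeners


def audit(services_text, proc_net_tcp_text):
    """List each TCP listener with its service name and bind scope."""
    names = parse_services(services_text)
    listeners = sorted(parse_tcp_listeners(proc_net_tcp_text),
                       key=lambda item: (item[1], item[0]))
    report = []
    for addr, port in listeners:
        # A loopback bind cannot be reached from other hosts. Any other bind
        # is reachable unless a packet filter in front of it says otherwise.
        scope = "loopback-only" if addr.is_loopback else "network-reachable"
        report.append((port, names.get((port, "tcp"), "unknown"), str(addr), scope))
    return report


def documented_but_not_listening(services_text, proc_net_tcp_text):
    """TCP services named in the services file with no listener at all."""
    listening = {port for _, port in parse_tcp_listeners(proc_net_tcp_text)}
    return sorted(name
                  for (port, proto), name in parse_services(services_text).items()
                  if proto == "tcp" and port not in listening)


if __name__ == "__main__":
    for row in audit(SERVICES_SAMPLE, PROC_NET_TCP_SAMPLE):
        print("%5d  %-8s %-12s %s" % row)
    print("listed only:", documented_but_not_listening(SERVICES_SAMPLE,
                                                       PROC_NET_TCP_SAMPLE))
```

On a real Linux host the same functions can be fed the contents of /etc/services and /proc/net/tcp; IPv6 and UDP listeners live in separate /proc/net files that this sketch does not read.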
 
Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

On Thu, 06 May 2004 13:22:58 +0100, Nigel Wade spoketh

>
>How do you know what future issues there might be with your firewalling
>software, or your routers or... everything? If you are not going to use
>something because of concerns about what future issues there *might* be,
>your only recourse is to remove yourself from the Internet.

I'm not overly concerned with anything. I have the necessary software,
hardware and common sense to keep my Windows and Linux boxes out of
harm's way.

And, yes, it's not called "sunrpc package", it is the portmapper
package, which is the service I was attempting to avoid having
installed...

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
 
Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

In article <c7b546$1qgaa$1@ID-122774.news.uni-berlin.de>,
David W.E. Roberts <nospam@talk21.com> wrote:

>NAT by itself doesn't do much for you - because safety depends on who is on
>your side of the router.
>
>In a SOHO environment then NAT is pretty damn good - because you know all
>the people behind the NAT router and you don't expect them to hack you
>(although one PC with a worm behind your NAT router can gut all the other
>local PCs). Safest is one PC behind a NAT router - nobody else to compromise
>you.

At home I connect two PCs to the Internet through a Linksys BEFSX41,
which has a built in "Stateful Packet Inspection firewall". In
terms of security from external attacks what advantages (if any)
does this have over a vanilla NAT router, like the BEFSR41? (Note
that I am the only user of the two PCs).

Also, if I were to turn off the BEFSX41 firewall would I still have
the same level of protection that I would have with any NAT router?
--
John Brock
jbrock@panix.com
 
Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

Lars M. Hansen wrote:
> On Thu, 06 May 2004 09:27:38 +0800, Bernd Felsche spoketh
>
>
>>Lars M. Hansen <badnews@hansenonline.net> writes:
>>
>>
>>>On Wed, 05 May 2004 14:11:14 +0100, Nigel Wade spoketh
>>
>>>>There is no sun-rpc package in RH8 or RH9. Are you sure you've really
>>>>installed them?
>>
>>>>If you actually meant the portmap package then that is only
>>>>required by fam. Since fam is monitoring local filesystems there
>>>>is no need to open port 111 to anything other than the loopback
>>>>interface. No vulnerability whatsoever.
>>
>>>>You should not equate Linux with Windows. Just because RPC on
>>>>Windows is a security hole does not mean that RPC in Linux is
>>>>also.
>>
>>>Cut from my /etc/services file on my RH8 box:
>>
>>>sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP
>>>sunrpc 111/udp portmapper # RPC 4.0 portmapper UDP
>>
>>/etc/services is only for documentation and reference.
>>
>>No way are the 8000+ other services documented *running* on most
>>Linux boxes.
>
>
> I was arguing the name, not whether all services were running.
>
> We seem to be getting way off track. The question was if a firewall would
> prevent a Windows computer from being infected with the Sasser worm, and
> the answer is yes.
>
> As I have stated elsewhere, Windows does come with some services running
> by default that probably shouldn't be, including the Server service...
>

What it really needs is a firewall running by default to restrict access to
those services. Then sasser couldn't have got in at all. It looks like XP
SP2 will do this.

Although I'm not sure what this phrase from the Microsoft docs. means in
regard to the new firewall "The enhancements include ... closing ports
except when they are in use". Does it mean that if a port *is* in use the
firewall automatically opens it? Surely it can't mean that? But, then again,
this is Microsoft...


--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
 
Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls,comp.lang.java.advocacy

In article <FeqdnRwGqovN1wfdRVn-ig@comcast.com>,
arero68.IS.A.SPAMMER@hanmail.net says...
> 4. The solutions to both these problems, are simple, but not easy. The
> solution to the Microsoft problem is to migrate to non-Microsoft
> software.

What utter BS! The solution, while difficult, is to educate the users
that operate systems without understanding them. Once the Nix systems
and apps hit the desktop with as many installs as Windows you'll see
weekly exploits about them too.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 
Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls,comp.lang.java.advocacy

Leythos wrote:

>In article <FeqdnRwGqovN1wfdRVn-ig@comcast.com>,
>arero68.IS.A.SPAMMER@hanmail.net says...
>
>
>>4. The solutions to both these problems, are simple, but not easy. The
>>solution to the Microsoft problem is to migrate to non-Microsoft
>>software.
>>
>>
>
>What utter BS! The solution, while difficult, is to educate the users
>that operate systems without understanding them. Once the Nix systems
>and apps hit the desktop with as many installs as Windows you'll see
>weekly exploits about them too.
>
>
>
>
I believe I covered that under item 1. That's one of the excuses that
don't impress me.

Having some 20 years of experience with Microsoft operating systems, and
five with Linux, I think I'm qualified to say that the number of
installed seats is not the real problem.

And how is anyone supposed to understand Windows, when the code is kept
secret, except by reverse engineering it? Windows isn't meant to be
understood. It's meant to be run in blind faith. This new shared
source stuff is too little too late, and a transparent reaction to the
open source threat.

--
Spammers: arero68@hanmail.net business@99peak.com epschao@sogiant.twmail.net
gagq@gagq.com good_day@sendmailforyou.com imc911@netian.com kim@derek.nl
kingoffice@so-net.net.tw sogiant.service@msa.hinet.net succa@roofo.com yahoomelsww@yahoo.com

Check out my Java, SQL and Python samples at http://rowland.blcss.com/
For sale: Unique and energy efficient hobbit home in New Hampshire:
http://www.angelfire.com/ego/rowland/mm.index.html
 
Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls,comp.lang.java.advocacy

Leythos wrote:
>... Once the Nix systems
> and apps hit the desktop with as many installs as Windows you'll see
> weekly exploits about them too.

Not likely. Unix has been hacked (and attacked) many years longer than
Windows. And Unix architecture is far better than Windows, in the sense
that software modules can be isolated from each other.

-- Lassi
 
Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls,comp.lang.java.advocacy

In article <dMqdnej7tMYBzgfdRVn-jw@comcast.com>,
arero68.IS.A.SPAMMER@hanmail.net says...
> And how is anyone supposed to understand Windows, when the code is kept
> secret, except by reverse engineering it? Windows isn't meant to be
> understood. It's meant to be run in blind faith. This new shared
> source stuff is too little too late, and a transparent reaction to the
> open source threat.

This is more Linux BS, you don't need to understand the coding of the OS
to understand how to secure it at your office or home - sure, security
gurus who are looking for flaws/holes should see the code, but there is
no reason for an Administrator to see the code in order to know how to
secure it - heck, most administrators and home users don't even have a
clue as to how to read machine language, C, C++, etc....

I've run NIX boxes for almost a decade, and Windows PC's for more than
20 years, mainframes too - there is no difference in securing any
platform, you just need to know how, you don't need to see the code.

What's really funny is how many Linux zealots scream that they can see
the code and how many of those have never even looked at the first line
of a kernel or even know how to read code.

I've never had a personal or corporate network compromised while it was
under my control, not in 20+ years. Most of those networks had MS
OS/Apps and also had AIX or another flavor of Nix and some even had
Novell (god, I hated Novell).

I could give an analogy about you and driving, but it's better to stick
with just facts - You don't need to read/see the code to secure it, your
standard basics of securing ANY platform will protect the systems.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 
Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls,comp.lang.java.advocacy

On Thu, 06 May 2004 12:10:53 -0400, Rowland spoketh

>1. So security patches are a bad thing? In that case, don't install any!

No, the patches are not bad, but there's a correlation between
vulnerabilities and patches that you're missing. Usually, there's a
patch for a vulnerability, thus by counting patches one can approximate
the number of vulnerabilities.



Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
 
Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls,comp.lang.java.advocacy

On Thu, 06 May 2004 18:57:33 GMT, Leythos <void@nowhere.com> wrote or
quoted :

>
>I've run NIX boxes for almost a decade, and Windows PC's for more than
>20 years, mainframes too - there is no difference in securing any
>platform, you just need to know how, you don't need to see the code.

YOU don't need to see the code, but you want EXPERTS to see the code.

It gets a more severe lookover if the source is open.

--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
 
Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls,comp.lang.java.advocacy (More info?)

In article <m2cl901nrf75ijlplggqcjqopbc17vrcm7@4ax.com>, roedy-look-on-the-website@mindprod.com.invalid says...
> On Thu, 06 May 2004 18:57:33 GMT, Leythos <void@nowhere.com> wrote or
> quoted :
>
> >
> >I've run NIX boxes for almost a decade, and Windows PC's for more than
> >20 years, mainframes too - there is no difference in securing any
> >platform, you just need to know how, you don't need to see the code.
>
> YOU don't need to see the code, but you want EXPERTS to see the code.
>
> It gets a more severe lookover if the source is open.

And from what I've seen all these years, it hasn't made a difference in
the OS's that have come out. Windows was designed to be "easy" for all
users, mostly the home users where it was targeted early. It takes a
massive shift to move it to being secure first and easy last. If the
home user versions of Unix (Linux) had been designed to be easy for the
users to install/use, it would be the same as windows.

When I can give my mother-in-law a CD with Linux and Star Office and have
her install it from scratch in one evening I'll be happy, till then
she's on XP prof with Office 2003 and sitting behind a Linksys router
with Norton AV 2004 running.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 
Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls,comp.lang.java.advocacy (More info?)

Leythos wrote:
[snip]
> When I can give my mother-in-law a CD with Linux and Star Office and have
> her install it from scratch in one evening I'll be happy, till then
> she's on XP prof with Office 2003 and sitting behind a Linksys router
> with Norton AV 2004 running.

have you tried giving her mandrake 10? it even has openoffice on it, i guess
it won't get any simpler than that.

well, perhaps knoppix (or mandrake move). that one she does not even *need*
to install (although she could, naturally), it runs off of a cd. and, of
course, it's also with open office on it.

if you make the experiment, i'd be interested to know where the lady ran
into trouble.

-- j
 
Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls,comp.lang.java.advocacy (More info?)

Lassi Hippeläinen (lahippel@ieee.orgies.invalid) wrote:
: Leythos wrote:
: >... Once the Nix systems
: > and apps hit the desktop with as many installs as Windows you'll see
: > weekly exploits about them too.

: Not likely. Unix has been hacked (and attacked) many years longer than
: Windows. And Unix architecture is far better than Windows, in the sense
: that software modules can be isolated from each other.

: -- Lassi

This is not correct

1) If you are talking about the kernels of the two systems, the NT OS has
a more secure design. The ability to implement security is part of the
kernel [This is based on previous disclosures by Microsoft and knowledge
of the ancestors of NT]. Security is part of the kernel design. You can
design isolation into the software.

Security in Unix is a bolt-on. It has not been integrated into the kernel
but is an add-on. Module isolation is not part of the design of the kernel
and many of the exploits rebut the concept of module isolation.

You can implement a more secure platform using the NT kernel than a Unix
kernel. [Bear in mind that you can also design even more secure systems
if there are hardware assists for security. The Unisys 1100/2200/[whatever
it is now] actually contains hardware elements that aid security]

2) As far as implementation is concerned, you are correct. The implementation
of security in Unix is more mature and does provide a secure system in many
cases. However, Unix implementations have provided insecure default systems in
the past. The susceptibility of Unix and many of its derivatives even today to
things like buffer overflows points to the limitations of the security of the
system.

Microsoft has chosen to implement a platform that is much more difficult to secure and
they have chosen to ignore the security built into their kernel and have made
certain choices to make it easier for the consumer and attempt to provide
upward compatibility with older code lines.


[I use both platforms where I work; I attempt to deploy the appropriate platform for
the job. I will use a W2k or W3K server if required. I also will use Solaris or Linux
if required.]


Richard H. Miller, MCSE, CCSE+
Information Security Manager
Information Technology Security and Compliance
Information Technology - Baylor College of Medicine
 
Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls,comp.lang.java.advocacy (More info?)

On Thu, 06 May 2004 21:44:32 GMT, Leythos <void@nowhere.com> wrote or
quoted :

>When I can give my mother-in-law a CD with Linux and Star Office and have
>her install it from scratch in one evening I'll be happy, till then
>she's on XP prof with Office 2003 and sitting behind a Linksys router
>with Norton AV 2004 running.

When I looked at Linux in the late 1990s I could not believe how
difficult it was. I had to scour the net for drivers, configure PPP
with all manner of obscure trivia. I documented my bruises at
http://mindprod.com/jgloss/linux.html

Configuring the windowing system was a nightmare, a giant text file
and only geek docs.

However, every time I go back, it has improved drastically in end-user
friendliness and ease of installation.

I would hazard a guess it is much easier to put a friendly face on a
secure system than to transplant a secure heart into a friendly
system.

--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
 
Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls (More info?)

In comp.security.misc Leythos <void@nowhere.com> wrote:
> In article <nfjmc.38027$kh4.2032372@attbi_s52>, newstome@comcast.net
> says...
>> In comp.security.misc Leythos <void@nowhere.com> wrote:
>> > In article <c7b546$1qgaa$1@ID-122774.news.uni-berlin.de>,
>> > nospam@talk21.com says...
>> >> If an ISP has a NAT router then (unless I am missing something) all the
>> >> other customers (at least those served by your particular router) will also
>> >> be your side of the router, and able to port scan you anytime they want.
>> >>
>> >> I think that most ISPs will have firewalls between their own customers and
>> >> the Internet - if only to protect their own machines and routers.
>> >
>> > I wasn't talking about the ISP doing a NAT for their network, I was
>> > talking about the ISP enabling NAT on the Cable/DSL modem at each
>> > customer's location. Free, works great, blocks uninvited inbound.
>>
>> ???? What does this mean ????
>>
>> I'm not aware of any Cable modem with an IP stack, so they simply
>> wouldn't be capable of doing NAT. I imagine DSL modems are the same.
>>
>> The ISP could provide a NAT-enabled router of some sort in addition to
>> the Cable/DSL modem, but that would be an extra cost....
>
> All of the routers that RR uses in our region provide for the ability to
> provide private address ranges on the internal side through means of
> NAT. It's free to the ISP since it's already a feature in the modems.

There's a huge difference between a router and a modem though. What I
have is a cable modem. It's not a router. My ISP doesn't provide a
router at all -- in fact it supplies nothing that understands IP at
all, so nothing they supply could possibly do NAT.

If the capability is there from your ISP, then you'd really have to
ask if the ISP would want to turn on NAT by default. Think about it:
how many people hook up to the net and want to run a peer-to-peer
program? I think I saw a survey recently that said something like 30%
of users have used Kazaa or a variant at some point. Guess what? It
won't work behind a NAT, without configuring the NAT specifically to
deal with this.... How many calls to customer service would that be?

--

That's News To Me!
newstome@comcast.net
 
Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls,comp.lang.java.advocacy (More info?)

Richard H Miller wrote:
>
> Lassi Hippeläinen (lahippel@ieee.orgies.invalid) wrote:
> : Leythos wrote:
> : >... Once the Nix systems
> : > and apps hit the desktop with as many installs as Windows you'll see
> : > weekly exploits about them too.
>
> : Not likely. Unix has been hacked (and attacked) many years longer than
> : Windows. And Unix architecture is far better than Windows, in the sense
> : that software modules can be isolated from each other.
>
> : -- Lassi
>
> This is not correct
>
> 1) If you are talking about the kernels of the two systems, the NT OS has
> a more secure design. The ability to implement security is part of the
> kernel [This is based on previous disclosures by Microsoft and knowledge
> of the ancestors of NT]. Security is part of the kernel design. You can
> design isolation into the software.

I haven't analyzed it, and I don't believe blindly what Microsoft
claims. Real life tests show that even if security is available, it
isn't being used much.

> Security in Unix is a bolt-on. It has not been integrated into the kernel
> but is an add-on. Module isolation is not part of the design of the kernel
> and many of the exploits rebut the concept of module isolation.

There are sandbox versions of Linux. Using them is as fair as calling
both 9x and NT with the same name...

> You can implement a more secure platform using the NT kernel than a Unix
> kernel. [Bear in mind that you can also design even more secure systems
> if there are hardware assists for security. The Unisys 1100/2200/[whatever
> it is now] actually contains hardware elements that aid security]

If you mean 'rings' in memory protection, the idea goes back to Multics
(at least). And Unix inherited the basics of memory management from it.
Also IBM had its own tricks.

Intel supported hardware memory protection already in 80286, but Windows
completely ignored it. 80386 had even better memory management features.
That is why Linus Torvalds started porting Unix to it, which led to
Linux.

-- Lassi
 
Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls,comp.lang.java.advocacy (More info?)

Leythos <void@nowhere.com> writes:

>When I can give my mother-in-law a CD with Linux and Star Office and have
>her install it from scratch in one evening I'll be happy, till then
>she's on XP prof with Office 2003 and sitting behind a Linksys router
>with Norton AV 2004 running.

You must *really* hate your mother-in-law.
--
 /"\ Bernd Felsche - Innovative Reckoning, Perth, Western Australia
 \ /  ASCII ribbon campaign | I'm a .signature virus!
  X   against HTML mail     | Copy me into your ~/.signature
 / \  and postings          | to help me spread!
 
