FW: Re: January 15 is Personal Firewall Day, he lp the cause

["Clairmont, Jan" <JMC13 () mail3 cs state ny us>]

Definintely, windows out of the box is the least secure system I know.  Even
with protections in place DHCP, remains totally vulnerable to a local IP
attack.  Plus any msdos prompt can lead to the int 20 int 21 and anykind of
corruption on the system disk.  I just don't know how to effectively lock
down 
a Windows systems without a firewall, and locally forget about it.  

I have been hacking(ooops computing) for over 20 years, I have yet to be 
challenged by a windows system for access. Some challenge for older UNIX
based systems.  A filtering router with a firewall pretty well negates 
any outside intrusion, though there are always trojans and fake logins etc.
They can always bite you if the firewall policy is not set up properly.

There are personal firewalls for PC's and getting them is a necessity if you
want to remain on the internet for any length of time.  Unless you have no
public e-mail and just browse sesame street sites.  Even then you'll
mis-type and bye, bye!

So without anit-virus, port blocking personal firewalls, adware destroyers,
you might as well hang-up DOS.  But I use(at home) Linux(Redat 9) as my
firewall and do most of my browsing with non-java browsers, its too easy to
hang a system with JAVA, CGI or any other pluggins that control a system.
It's too easy still to make a mistake, like the army site or any other
hacker controlled web environment.   And who wants to be totally on guard
all the time.  I just want to relax and compute.  It drives me insane to
surf the junk out there, I still feel like I'm playing on the edge.  I teach
security and
Administration and I find stuff all the time from students and my own
personal finds.  Even with this stuff in place I still feel like a security
sieve.  
Because I have to install new services etc all the time.

I have been fighting the security war for over 20 years and its getting
harder not easier.  Because the code gets bigger and less secure every year.
I can guarantee correctness on 20 lines of code maybe, but not 20,0000,000,
the vulnerabilities grow exponentially.  I have worked on Gauntlet, Pix,
Checkpoint, TIS, Alta Vista, NATO Seccurity, IDS'es, for NAI, IBM,
GE-Marconi, FTC, DOJ, CIA, DOC etc. etc. And it just keeps getting dicier.

Just compute smartly, I thnk safely impossible, something will run you over 
eventually.

Jan Clairmont, Paladin of Security

-----Original Message-----
From: David F. Skoll [mailto:dfs () roaringpenguin com] 
Sent: Thursday, January 15, 2004 3:13 PM
To: Exibar
Cc: tlarholm () pivx com; full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Re: January 15 is Personal Firewall Day, help
the cause


On Thu, 15 Jan 2004, Exibar wrote:

>    Sorry to disagree with you, but telling people to simply not use
> windows and not use Outlook is like telling people not to ride in a 
> car for the fear of getting into an accident.

No, it's telling them not to drive a Pinto when they could drive something
safer.

>    So you're telling me that if I don't run Windows and I don't run
> Outlook that I'm 100% safe?  Horsesh*t!

You are very much safer.  Our mail server receives on the average day 70
viruses from cracked Windows machines, and none from cracked Linux machines.
We still receive several Nimda hits a day, and none from cracked Linux
machines.

>  If I install Linux and not Windows XP (for
> example) I'm safe?  There isn't anything else that I have to do?

A default install of a modern Linux distro includes firewalling rules by
default, and is fairly safe.

>    Why not EDUCATE the end-user on how to use Windows and Outlook
> safely?

Because it is impossible to use Windows safely; the very design of the
operating system is flawed.  This is not just my opinion; it's also that of
Bruce Schneier and many other people, some of whom lost their jobs for
speaking out.

> BTW:  Not running Anti-virus software is just plain stupid (I will not
> respond to any flames on this point, so don't bother).

Why?  We have no machines that are susceptible to the viruses that are in
the wild.  We do, of course, drop .exe, .com, etc attachments on our mail
server, but that's just to save disk space and stop annoying messages from
filling our mailboxes.

> Plain and simple.
> I'm very surprised that any company is able to run that way.

We have since 1999, and haven't had any problem.  If you don't use Windows,
you don't need anti-virus software.

Regards,

David.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html