RE: [OFFTOPIC] Zone Alarm

["Robert J. Liebsch" <rliebsch () stoneyamashita com>]

I have on asbestos underwear, so I am prepared for your flames...

However, 

Because security is inconvenient does not make it irrelevant. You do have
your car serviced? You do
go see a doctor regularly? You do perform maintenance to your home?
....don't you?

How can you expect the right thing to be easy? You must have at least NAT
running on a fairly safe box.
Everything, software/hardware/firmware/you/me/the damed dog have security
vulnerabilities. Safe sex is 
everyone's responsibility isn't it? Safe driveing is everyone's
responsibility. Safe gun handling. And we all
know what happens.

Come on. If we don't make demands that people wake the hell up and be
responsible human beings, and
responsible computer users... Give up and get a different career on a
different planet. I have a VERY small
office. Only 30 users. But EVERY one of them has DSL at home. Every one of
them has hardware providing
NAT, every one of them has system monitoring utilities and antivirus
utilities, every one of them has much 
more than the basic precautions taken. But now, two years later, they take it
as a given. As a requisit for 
computing in this information age.

My users, my lame ass users who forget how to print, who can seldom remember
how to zip a file, or any
number of other things users don't  know how to do because they weren't
practiced.... They laugh at people
who don't concider some security issues.

Take your stance a little bit further...

How many sysadmins, netadmins, secadmins don't follow policy? How many skip
security because its too hard.
Because its too complicated, because it takes too long? I know how many. Look
at the penetrations, look at 
the defacements. This is everyones issue. This is not offtopic.

Lets take this further still...

Suppose you don't expect users to do this. Suppose I plant a zombie on your
users machine because all they
had was Zone Alarm, or better yet, Nothing at all. Now your user comes to
work. My zombie says "hey, this address
is an RFC1918 address, Time to wake up and go to work." Then I can weasle my
way in to your very well
maintained network. 

This isn't easy. Neither was getting people to take a bath during the
plagues. Neither is carrying herpes because
you didnt wear a condom, Netiher is burying family because you didn't put
your gun away, or put on a saftey
belt...

off topic? How?


> ----------
> From:         Kurt Seifried
> Reply To:     Kurt Seifried
> Sent:         Wednesday, June 4, 2003 4:21 PM
> To:   Michael Reilly; Schmehl, Paul L
> Cc:   Ben Tyson-Norrman; full-disclosure () lists netsys com
> Subject:      [Full-disclosure] [OFFTOPIC] Zone Alarm
>
> Increased complexity is not a good thing. Think about it folks:
>
> Solution A) PC with zonealarm, relatively easy to configure (it's what I
> reccomend to most users).
>
> Solution B) Hardware firewall with potential security flaws such as web
> interface, firmware flaws, etc. Difficult for user to update, if firmware
> update fails product is largely "Dead". None of these systems I have seen
> have automated updates or even prompt the user to check for new software
> versions/etc. Result: firmware falls out of date, web interface/etc
> possibly
> exposed, increased exposure for user.
>
> Solution C) a PC with some form of UNIX installed to act as a firewall.
> User
> needs to learn to become UNIX administrator, configure and update system.
> You are kidding right? This opens up a HUGE number of potential
> vulnerabilities, increases complexity hugely, and costs quite a bit as
> well.
>
> This is insane.
>
> NOW PLEASE LET'S KILL THIS THREAD.  DO NOT REPLY TO THIS PUBLICLY.
>
> Kurt Seifried, kurt () seifried org
> A15B BEE5 B391 B9AD B0EF
> AEB0 AD63 0B4E AD56 E574
> http://seifried.org/security/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html