Full Disclosure mailing list archives
FW: Re: January 15 is Personal Firewall Day, help the cause
From: "Clairmont, Jan" <JMC13 () mail3 cs state ny us>
Date: Fri, 16 Jan 2004 10:09:25 -0500
Definitely, Windows out of the box is the least secure system I know. Even with protections in place, DHCP remains totally vulnerable to a local IP attack. Plus any MS-DOS prompt can lead to the int 20, int 21 and any kind of corruption on the system disk. I just don't know how to effectively lock down a Windows system without a firewall, and locally forget about it. I have been hacking (ooops, computing) for over 20 years, I have yet to be challenged by a Windows system for access. Some challenge for older UNIX based systems.

A filtering router with a firewall pretty well negates any outside intrusion, though there are always trojans and fake logins etc. They can always bite you if the firewall policy is not set up properly. There are personal firewalls for PCs and getting them is a necessity if you want to remain on the internet for any length of time. Unless you have no public e-mail and just browse sesame street sites. Even then you'll mis-type and bye, bye! So without anti-virus, port blocking personal firewalls, adware destroyers, you might as well hang-up DOS.

But I use (at home) Linux (Red Hat 9) as my firewall and do most of my browsing with non-java browsers, it's too easy to hang a system with JAVA, CGI or any other plugins that control a system. It's too easy still to make a mistake, like the army site or any other hacker controlled web environment. And who wants to be totally on guard all the time. I just want to relax and compute. It drives me insane to surf the junk out there, I still feel like I'm playing on the edge.

I teach security and Administration and I find stuff all the time from students and my own personal finds. Even with this stuff in place I still feel like a security sieve. Because I have to install new services etc all the time. I have been fighting the security war for over 20 years and it's getting harder not easier. Because the code gets bigger and less secure every year. I can guarantee correctness on 20 lines of code maybe, but not 20,0000,000, the vulnerabilities grow exponentially. I have worked on Gauntlet, Pix, Checkpoint, TIS, Alta Vista, NATO Security, IDSes, for NAI, IBM, GE-Marconi, FTC, DOJ, CIA, DOC etc. etc. And it just keeps getting dicier. Just compute smartly, I think safely impossible, something will run you over eventually.

Jan Clairmont, Paladin of Security

-----Original Message-----
From: David F. Skoll [mailto:dfs () roaringpenguin com]
Sent: Thursday, January 15, 2004 3:13 PM
To: Exibar
Cc: tlarholm () pivx com; full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Re: January 15 is Personal Firewall Day, help the cause

On Thu, 15 Jan 2004, Exibar wrote:
> Sorry to disagree with you, but telling people to simply not use windows and not use Outlook is like telling people not to ride in a car for the fear of getting into an accident.
No, it's telling them not to drive a Pinto when they could drive something safer.
> So you're telling me that if I don't run Windows and I don't run Outlook that I'm 100% safe? Horsesh*t!
You are very much safer. Our mail server receives on the average day 70 viruses from cracked Windows machines, and none from cracked Linux machines. We still receive several Nimda hits a day, and none from cracked Linux machines.
> If I install Linux and not Windows XP (for example) I'm safe? There isn't anything else that I have to do?
A default install of a modern Linux distro includes firewalling rules by default, and is fairly safe.
> Why not EDUCATE the end-user on how to use Windows and Outlook safely?
Because it is impossible to use Windows safely; the very design of the operating system is flawed. This is not just my opinion; it's also that of Bruce Schneier and many other people, some of whom lost their jobs for speaking out.
> BTW: Not running Anti-virus software is just plain stupid (I will not respond to any flames on this point, so don't bother).
Why? We have no machines that are susceptible to the viruses that are in the wild. We do, of course, drop .exe, .com, etc attachments on our mail server, but that's just to save disk space and stop annoying messages from filling our mailboxes.
> Plain and simple. I'm very surprised that any company is able to run that way.
We have since 1999, and haven't had any problem. If you don't use Windows, you don't need anti-virus software.

Regards,
David.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html