[Dshield] Re: "Personal Firewalls" are mostly snake-oil?

Evans, TJ tjevans at kpmg.com
Thu Jul 25 23:57:49 GMT 2002

I would say that the following statement:
"The job of O/S manufacturers is just that -- make it easy.  Harness the
absolute power with the minimal amount of difficulty, and make it
functional."

would/should include providing an environment that is also safe for the
user.  If your machine gets crashed, is used to perform illegal activities,
or even if you 'just' lose processor cycles to unauthorized processes you
are being affected.  Easy and functional are both _very_ relative terms,
subject to interpretation (or innovation!).  Additionally, I fully think
that a user should be permitted to make their machine insecure if they so
desire and know how ... but the _default_ should not be so.

Also - given that currently people <self included> spend a very large
portion, if not all, of their time just keeping up to date on security
issues for one or two OSes, it is not reasonable to expect ANYONE who has a
non-security-related job to be an 'expert'.  I think everyone who uses a
computer at all, for anything, is doing themselves a disservice by not
bothering to know a) how to use it as proficiently as is reasonable and b)
how certain security issues impact their day to day duties and how to
mitigate them.  With the widespread deployment of VPNs, extranets,
third-party email (yahoo, etc), and browsers/plugins/reverse-acting-clients
that can control your system, etc. we do not have the ability (as if we ever
really do :) ) to forcibly centralize all security issues; unless we call
our ISP and cancel our circuits, cut all modem lines, disable all
usb/firewire/serial/floppy/cd/Bluetooth/802.11* etc. etc. ... so, it is in
all of our best interests to make the best effort possible to get the
end-users to understand what this whole security thing is ... Like all
security measures, you are best served with a defense-in-depth / layered
approach, in this case - layers of knowledge.

Oh yeah - and as for "Let them (the PF-users) die dumb. Let's go back to
work." ... I cannot in any way agree with that; it is all of these "dumb
users" that get ignored and in turn, for example, bring down amazon.com ...

As always ... just my take on the world.

-----Original Message-----
From: IT Department - CI Holding Group, Inc. [mailto:it at ciholding.com] 
Sent: Thursday, July 25, 2002 12:55 PM
To: list at dshield.org
Subject: [Dshield] Re: "Personal Firewalls" are mostly snake-oil?

Comments in line...

At 07:48 PM 7/24/2002 +0200, Jan Wildeboer wrote:
>The real(tm) problem is that many OSes tend to make the user think it is 
>all uncomplicated stuff. It is like saying "Flying a helicopter is easy!
>Just sit down and fly!"

I think you need to see the implicit value of using an O/S -- it's a 
tool.  A tool to allow a WIDE variety of users the ability to function and 
utilize the functionality of a system -- let alone an interconnected 
network of systems.

The job of O/S manufacturers is just that -- make it easy.  Harness the 
absolute power with the minimal amount of difficulty, and make it 
functional.  Who, today, could code an entire GUI to be used as a front end 
for DOS based systems?  Very few.  So, if you think you could jump behind a 
DOS 5 CLI, tool it to crank out a front-end for CAD, more power to you.  If 
not, pipe down.

>This discussion is based on false assumptions. Security is something that 
>must be learned. TCP/IP is something that is too complicated to be 
>considered common knowledge.
>One cannot - I repeat - cannot judge a firewall software without knowing a 
>lot - I repeat - a lot about the TCP/IP stack. The ZD-Net rating is based 
>on "this looks good". Tiny doesn't look good. But it works better.

But the ULTIMATE end to implementing a "firewall", personal or not, is to 
make security paramount.  Whether they begin elementary school classes on 
TCP/IP stack basics or not isn't the point.  The point is that everyone CAN 
learn, if they NEED to learn.  As stated above, software vendors are TRYING 
to make it all easier on the END USER.  Hopefully not compromising the 
systems along the way (with bug ridden code).

>Let them (the PF-users) die dumb. Let's go back to work.

Ignorance is bliss.  It is that very elitist attitude that caused other 
compromising world events.
