AntiLeak racing insanity?

Discussion in 'other firewalls' started by pandlouk, Jun 18, 2008.

Thread Status:
Not open for further replies.
  1. kencat

    kencat Registered Member

    Joined:
    Jan 25, 2008
    Posts:
    47
    Location:
    Ontario, Canada
    Plus..... there are probably a lot more people not behind a NAT router than may be realized by Wilders members. For a person with only one computer in the house, why would they buy a router? Unless they were savvy enough to know it was a good thing to do, or it was recommended by an influential friend. My brother is an example; single, one Vista box with a cable connection. He would have trouble setting one up, so I'll have to do this next time I'm there, which won't be soon (6 hours away). Hope his Vista firewall is doing something.
     
  2. kencat

    kencat Registered Member

    Joined:
    Jan 25, 2008
    Posts:
    47
    Location:
    Ontario, Canada
    I found this on the Matousec site (my first time there was today actually):

    From http://www.matousec.com/projects/firewall-challenge/.
    "This project examines personal firewalls, Internet security suites and other similar products for Windows OS that implement process-based security. We call all such products personal firewalls. In our opinion, personal firewalls should prevent spying and data and identity theft. So, we require personal firewalls to include host protection features too. The list of personal firewalls we are aware of is available on the product list page. We know that our terminology may be in conflict with the common understanding of what the firewalls are. To distinguish between personal firewalls and firewalls in the common sense, we call the later packet filters. A typical example of a packet filter is WIPFW. Most of the personal firewalls include a packet filter component. Simple packet filters are not worse than personal firewalls, they are just different kind of software – for different kind of users. This project does not examine stand-alone packet filters."

    Apart from one not agreeing with his philosophy, it would seem he is not being deceptive as to what he's doing. He could perhaps expand more on the different features of security apps like Hips, and that there are standalone apps that a person could use instead of the "suites" that he is testing. Also to be very clear if a tested app has no packet filtering component at all.

    I haven't read more of the site yet to form any other opinions, but will do so to better understand all the controversy. Wilders has taught me so far to be cautious and critical of testing and interpreting the results. These discussions are good.
     
  3. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Hi Kencat,

    as I already stated, I do not think that leaktests are useless. Nor do I say that all the other tests (more than half of matousec's test suite) are not needed.

    1. But a firewall is a device or group of devices that enforces an access control policy among networks (permit, deny, encrypt, drop, etc. network traffic based on specific rules).

    2. Personal firewalls must do all the above, plus use an application layer filter to allow, block or restrict the network traffic produced or received by a specific application.

    The firewall challenge of matousec, does not test the first. As for the second, yes it is tested (partially) with the leaktests (a small part of his testbed). But the major part of the test bed has nothing to do with personal firewalls. It has to do with the security in general but not with the firewall component!

    ps. I can call firewalls antiviruses if I like, but this does not change their nature, and furthermore no one would understand what I am talking about.
    The name Firewall Challenge is deceiving the users. He can name it as he likes: security challenge, protection challenge, immunity challenge; but firewall challenge? o_O
     
  4. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    or as I said above, a HIPS challenge
    pandlouk, you know!! the funny thing is that the winners of the firewall challenge are not firewalls, in fact
     
  5. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I would agree that those leaktests are not to be taken seriously in day to day use. I would also agree that they do expose a certain risk that will always be present, no matter what you use for protection. It is to say that you can put a rubber sheath on the outside, but the little baby computers still try to find a way out, and with enough use over time a small hole will develop somewhere and POW, out pops little Billy Jr. lol

    Let us not only sneer at Matousec, but the father of this movement, Guru Gibson, sans GRC. Raw sockets and stealthed ports for me, or my data is going to be corrupt and my bank account drained dry! Holy port scans batman!

    I have been and still am a proponent of safe computing. KNOWING what is on your computer is more than half the battle. KNOWING what you are about to put on is the other half of the battle. BLINDLY CLICKING is asking for the click of death, which is what, IMO, most peeps out there do. The ones that frequent a place like this are rather obviously either not prone to such actions, or are learning how not to be :)

    I say an older firewall like Outpost v1 is where it is at. Simple monitoring of an application, set some rules, watch the logs. Nothing too grand was needed. But it did do two things. Made great logs, and let you know when an application was trying to connect. No hips, no bloat.

    As more peeps do more with their computers online, with bank accounts etc etc, it becomes more important that they stay safe. Likewise it becomes more important that a product can show how DEADLY the internet is, and how their product is APPROVED by the likes of Matousec. Your data will be SAFE. Yeah, safe, as long as you know what you are doing. Safe until another little hole develops in your rubber shield. Better get a case of those rubber shields, SP3 just came out and don't expect much else for awhile. lol

    I say damn the torpedoes and spend 6 months on every MS OS with pop-ups asking about whether or not ANYTHING and EVERYTHING is allowed. If you don't learn something that way, at least you will get used to clicking OK. After all, clicking OK is generally OK, is it not? Oh, and tick the 'Remember this answer' checkbox when clicking OK.

    sul.
     
  6. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    That means nothing; it could even create the most evil threat you can imagine: not your system becomes
    rooted, but your router only. This enemy you will never see with any antimalware tool, and no firewall will help you.
    Stealth by design: your router is owned and fully controlled.

    Exactly, I wonder why firewallleaktest doesn't stake out claims.
    Probably they have spy potential and watched how some other test guys made some firewall leak tests just for fun and then thought: "Hey, good idea, we create a professional firewall leak check insanity org." A CZ company that takes profit out of the work of others. The poorest thing is that they rely on firewallleaktester tools; they are not even able to make their own tools and make money out of the 26-test set from firewallleaktester, it is so poor.. they should give at least 50% of their income to firewallleaktester or strain themselves. Never seen something like that... but on the internet everything might be possible.
     
    Last edited: Jun 20, 2008
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    What sci-fi movie are we talking about?
    Flash the router, problem solved. Replace the router, problem solved.
    Most routers run Linux kernel, only 8MB or so, minimal spartan configuration ... so, what exactly is going to get "owned?"
    Mrk
     
  8. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Probably referring to the use of UPnP in routers via a former Flash Player vulnerability to redirect all the router's calls (change of DNS, etc.) even if the router has been password protected with a different password than the default. The wording is indeed a bit catastrophic but the risk (PoC) exists. Was discussed here sometime ago... I think.

    Flashing/reset of router firmware/settings will be the solution, the problem is that the user will not realize so easily that the router is owned unless the hack is not devised properly.

    Cheers,
    Fax
     
  9. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hello,
    And if you disable upnp, wow ... problem solved.
    BTW, the PoC still requires active self-defeat measures from the user.
    Mrk
     
  10. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Yep, indeed... also enough to change the default router address to a non-conventional one (depending on router models) or update Flash Player!

    But, most users will just plug the router and go with default settings...

    Cheers,
    Fax
     
  11. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Of course firewall leak testing can't be considered a standard methodology for testing firewalls.
    It's a very restrictive methodology, quite similar in attack angle to packer tests for antivirus (here bypassing methods/there evasion methods).

    A standard methodology can be applied to any firewall and on any OS: by design, a firewall filters TCP/IP-based, OSI-model communication protocols, and bits are bits for any firewall and on any OS..."
    Originally leaktests were just whitehat ("for fun without profit") demonstration tools designed to illustrate a bypassing method.
    And as they became more and more trendy and numerous, they came to be used as firewall test tools and methodology.
    And for marketing reasons, some editors added behavioral detection features (HIPS/proactive module) to their products in order to get high results and, ipso facto, to become more and more popular and sell more and more licenses.
    This evolution is only motivated by marketing goals, not by absolute technical need.

    So what do firewall leak testing results tell me?

    They just show me the level of efficiency and sophistication of the HIPS module.
    Nothing more.

    It does not demonstrate:

    -if the firewall does its job or not regarding packet filtering (SMTP, FTP, malformed packets, SYN/ACK scan...),
    -if the firewall is good or not (no serious conclusion and extrapolation can be drawn from a restrictive testing methodology).

    So consider Matousec recommendations as HIPS recommendations, not as firewall recommendations: a firewall with bad results on firewall leak testing does not mean a bad firewall at all: many pure firewalls (without behavioral detection) do their job: I can mention for instance Ciseware, Routix NetCom or NetCitadel Firewall Builder, because they have not been reviewed on this board (unlike Injoy, CH-X and co).
    And a firewall with high results does not mean an excellent and unbypassed firewall: many bypassing methods have not been included in the methodology (tunneling for instance), and packet filtering abilities have not been tested in an exhaustive way.

    Firewall leak testing is just firewall testing for the masses.
    It's not scandalous at all... since the average user, unknowledgeable by default, is not the victim of ethically corrupted tests (financial partnerships) that might influence his choice in a wrong way: in this case, it's necessary to denounce some inexact statements and conclusions...
    Or the end user will just be a kind of "cash machine marionette" in testers' and editors' hands...
    And in this way, the defense of leaktests by Kaspersky, a respected AV company but not a company specialized in intrusion/detection, or by DMenace from Zerodaysoftware (for information, taking advantage of the vulnerable shutdown phase is not new: I used a similar method with NickM 2 years ago with a French tool called "RunatExit") does not appear neutral and objective: as usual, again and again, conflicts of interest are not compatible with truth and independence.

    Leaktests and firewall leak testing? As a French singer said, "do not take them for what they're not, and leave them for what they are"...

    Regards
     
  12. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    As this thread is about the ever increasing focus on leaktesting in general and what it is doing to the firewall industry, the post by truthseeker asking a specific question about his Zone Alarm Free installation and its failure of the pcflank leaktest has been moved to its own thread:

    https://www.wilderssecurity.com/showthread.php?t=212863
     
  13. Tony

    Tony Registered Member

    Joined:
    Feb 9, 2003
    Posts:
    725
    Location:
    Cumbria, England
    Nice topic.

    This is exactly why i am using Sphinx Vista Firewall control.
    Easy to use back to basics firewall control.
     
  14. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I can see your logic in general. But sorry, do you really need firewall at all ? :)

    I mean what profit can be taken from a firewall that can be easily tricked ? I think in this case built-in one is quite enough.
     
  15. Dwarden

    Dwarden Registered Member

    Joined:
    Apr 11, 2003
    Posts:
    177
    Location:
    Czech Republic
    I wonder how many of those who posted here 'about disagree' sent a note to Matousec to improve/adjust/change his tests (e.g. the ratio of AL vs SPI tests etc.)
     
  16. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater

    Some of us, including myself, consider Matousec to be a hopeless case, so I doubt any from the group of skeptics sent him a note.

    There are a lot of threads discussing the value of preventing firewall leaks, so I won't go into that here, other than to say their value is not universally accepted.

    In all honesty, I can't really think of a meaningful way to test HIPS, and for the most part these programs are only useful for hobbyists. The whole idea of using HIPS to monitor program installation and the user making decisions to proceed based on interpreting the pop-ups loses sight of the concept that if the program is not trusted you should not be running it (especially with administrative rights) in the first place.

    I would rather see a foolproof way of detecting keyloggers solely with an on-demand scan, so that no resources are consumed when the scan is not running. Something like a Gmer for keyloggers would be more valuable than nearly all of the HIPS, leakproof firewalls and behavior-based detection systems combined. Let's face it, if my system is sending out spam and it takes me a while to realize that, it's no big deal. But, if a keylogger grabs a banking login, that is a big problem.

    The focus of Wilders is security software. However, security is a process, not a program. The programs help with the process, but do not replace it.
     
    Last edited: Jun 21, 2008
  17. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    I can't speak for the others, but I had contacted matousec in December, asking to include some info about the logging abilities of each firewall.

    His answer was that it would be difficult to test the log ability of each firewall, and that most of the higher rated firewalls provide good logging. (I guess we have different views of what is good logging. :cautious: )
     
  18. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    @Pandlouk,

    I agree about the leak insanity. But i am also curious. Are you still a Comodo moderator? (I vaguely remember your name in Comodo's forum).

    Thank you.
     
  19. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Hi Fuzzfas,

    Yes, I still am; but CFP3+ on my system conflicts with my LifeCam VX7000 driver and it gives me BSODs. This has happened since the first stable release of CFP 3 and neither Comodo nor Microsoft have resolved it. Microsoft blames Comodo and Egemen blames the LifeCam driver. :doubt:

    I got tired of dual-booting the system, or deactivating Defense+ every time I wanted to videochat. So I uninstalled Comodo and this means that I cannot help the others. This is the reason why I am not active in the Comodo forums.

    Panagiotis
     
  20. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Thank you Panagiotis for satisfying my curiosity. :D I am sorry for your incompatibility. It must have sucked to dual boot! It must be irritating being a mod while having such a problem that nobody seems willing to address. :ninja:
     
  21. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Are you sure this is the case? Even if the default password is changed, the PoC exploit could still work?
     
  22. virtumonde

    virtumonde Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    504
    He gave us the uTorrent rule (the most important if you ask me :) ). Thanks for that.
    I supported and liked v3 with all its bugs, but not with the toolbar. It may be optional, but their idea of security went down a different road than mine.
     
  23. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    No sense in using a firewall that can be deactivated easily, so HIPS is an essential
    part of a modern firewall.

    kvonic, this is too naive... really:
    One of my early routers was f*cked up by a guy who calls himself ruDJ. Probably we all know
    this person, who is responsible for a wide-range spam attack in 2007.
    I did all that... but the router was lost... reflashing resulted in freezing.
     
  24. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Hi!
    yes, indeed... only by properly using 'UPnP' functionality of the router... :)
    UPnP does not only provide for port-forwarding. DNS can also be forged...

    See here: http://www.gnucitizen.org/blog/hacking-the-interwebs/

    Fax
     
    Last edited: Jun 23, 2008
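The UPnP angle fax raises above (post 8 and post 24) comes down to two unauthenticated SOAP messages. As an added example, not code from the thread or from gnucitizen, the Python below builds the standard IGD AddPortMapping request an attacker on a LAN host (or a plugin running in its browser) would send, parses the reply a router gives to GetGenericPortMappingEntry, and flags the two mappings worth worrying about: one forwarding to the router itself and one forwarding to a host outside the LAN. The router address, control URL and the sample reply are constructed assumptions; the DNS-changing actions fax mentions are vendor-specific and are not shown.

```python
# Added example (not from the thread): the UPnP IGD SOAP messages behind the
# "router owned without a password" scenario, plus an audit of reported
# port mappings. Runs offline against a constructed reply.
import xml.etree.ElementTree as ET

IGD_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ROUTER_IP = "192.168.1.1"  # assumption: a typical default gateway address
# Assumption: the real control URL comes from the device description XML.
CONTROL_URL = f"http://{ROUTER_IP}:5000/ctl/IPConn"


def soap_request(action, args):
    """Build HTTP headers and body for one IGD action.

    Note what is absent: no credentials of any kind. IGD authenticates
    nothing, so changing the admin password does not stop these calls."""
    body_args = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    body = (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{action} xmlns:u="{IGD_SERVICE}">{body_args}</u:{action}>'
        '</s:Body></s:Envelope>'
    )
    headers = {
        "Host": f"{ROUTER_IP}:5000",
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{IGD_SERVICE}#{action}"',
    }
    return headers, body


def add_port_mapping(ext_port, internal_client, int_port, proto="TCP"):
    """The action used to punch a hole. Some routers accept any
    NewInternalClient, including an address outside the LAN, which turns
    the router into a relay; audit_mapping() checks for exactly that."""
    return soap_request("AddPortMapping", {
        "NewRemoteHost": "",
        "NewExternalPort": ext_port,
        "NewProtocol": proto,
        "NewInternalPort": int_port,
        "NewInternalClient": internal_client,
        "NewEnabled": 1,
        "NewPortMappingDescription": "",
        "NewLeaseDuration": 0,
    })


def parse_mapping_entry(xml_text):
    """Parse a GetGenericPortMappingEntry reply into a dict of its New* fields."""
    root = ET.fromstring(xml_text)
    resp = root.find(f".//{{{IGD_SERVICE}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        raise ValueError("not a GetGenericPortMappingEntryResponse")
    return {child.tag: (child.text or "") for child in resp}


def audit_mapping(entry, lan_prefix="192.168.1.", router_ip=ROUTER_IP):
    """Heuristic findings (assumed thresholds): mapping to the router itself
    (admin interface exposed) or to a non-LAN host (router used as a relay)."""
    findings = []
    client = entry.get("NewInternalClient", "")
    if client == router_ip:
        findings.append("forwards to the router itself")
    elif not client.startswith(lan_prefix):
        findings.append(f"forwards to non-LAN host {client}")
    if entry.get("NewEnabled") == "1" and not entry.get("NewPortMappingDescription"):
        findings.append("enabled mapping with empty description")
    return findings


# Constructed reply shaped like a real IGD response (not captured from a device).
SAMPLE_REPLY = (
    '<?xml version="1.0"?>'
    f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
    f'<u:GetGenericPortMappingEntryResponse xmlns:u="{IGD_SERVICE}">'
    '<NewRemoteHost></NewRemoteHost><NewExternalPort>8080</NewExternalPort>'
    '<NewProtocol>TCP</NewProtocol><NewInternalPort>80</NewInternalPort>'
    '<NewInternalClient>203.0.113.7</NewInternalClient><NewEnabled>1</NewEnabled>'
    '<NewPortMappingDescription></NewPortMappingDescription>'
    '<NewLeaseDuration>0</NewLeaseDuration>'
    '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
)

if __name__ == "__main__":
    hdrs, body = add_port_mapping(8080, "203.0.113.7", 80)
    print("POST", CONTROL_URL, hdrs["SOAPAction"])
    print(body)
    entry = parse_mapping_entry(SAMPLE_REPLY)
    print(entry["NewExternalPort"], "->", entry["NewInternalClient"], audit_mapping(entry))
```

To audit a real router, walk NewPortMappingIndex from 0 upward with GetGenericPortMappingEntry until the device returns a SOAP fault, feed each reply to parse_mapping_entry() and audit_mapping(), and compare against what you expect (a uTorrent rule, a game console). Anything forwarding to the gateway itself or to an address outside your subnet is the kind of mapping Mrkvonic's "disable UPnP, reflash" advice is meant to remove.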
  25. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hello,
    Please ... gimme a break ... Neo and I are going for a coffee.
    Mrk
     