Interesting Conversation with a Hacker

Discussion in 'other anti-virus software' started by Nevis, May 22, 2012.

Thread Status:
Not open for further replies.
  1. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    Alternative link -https://webcache.googleusercontent.com/search?q=cache:http%3A//www.infoworld.com/d/security/why-you-dont-need-firewall-193153
     
  2. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Well to be honest, the device I was imagining would ideally include protections against third party ad servers, analytics, and various other privacy threats and thus it would ideally interfere with Google's and like business models. However, there are always trade-offs I suppose. At the very least, I'll use this as an excuse to put ChromeOS on my "read about it sometime" list. I've ignored it since day one because it is a Google product.
     
  3. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    When I say he's an idiot I don't mean someone who literally knows nothing...I mean idiot as in a radical/extremist to a detrimental viewpoint.

    He's making a rubbish argument basically that if something is imperfect you don't need it.

    Ok...what's next? Why you don't need AV...well because hackers can get around it. Why you don't need a place to live...well because a tornado may destroy it.

    I'll PayPal you $10 to remove that link because it seriously sucks!

    @HungryMan: When you say "I wouldn't lop AE into that category"...are you implying AE is better than SRP or worse?
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I'm sure I'll be dismissed as a fanboy but I think it's the most secure operating system aimed at the average user.

    For privacy you'd have to make use of extensions.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It's different. All things can be defeated. But some things drive up the cost of exploitation and some things don't.

    If I run the Java VM with 1 bit of entropy for ASLR I will stop millions of exploit pages from working. But bruteforcing it would be trivial, it would take no time at all. The cost of exploitation hasn't changed.
     
  6. Atul88

    Atul88 Registered Member

    Joined:
    Dec 8, 2011
    Posts:
    259
    Location:
    India
    +1
    I agree with u there!!!;) ;)
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    SRP is pretty broad... it does a ton of things. Depends what you do with it.
     
  8. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Does that mean that the payment now totals $20?
     
  9. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Ok I read the article twice and as expected I still don't agree with all of it.

    My golden rule is never sacrifice a layer of security just because of current trends, when that security layer has minimal impact on you.

    He's full of sh*t when he says they cause problems.

    I've had the Windows Vista/7 firewall with NO EXCEPTIONS and PUBLIC modes on for 2 years now and I've never had an issue....NOT ONCE! Same goes for my hardware routers.

    And both are important. This is very logical. The hardware firewall is your perimeter shield, and then the software firewalls protect computers within your perimeter from worming each other.

    Now outbound firewalls are more of personal preference/supplemental security layer. I used to hate them until I found Webroot SecureAnywhere's firewall which works alongside Windows Firewall to provide outbound protection and it hasn't given me any annoying, useless messages.

    But that is unusual. Usually most outbound firewalls are noisy by nature and are probably (for most) more trouble than they are worth as long as you keep control of what's on your PC in the first place.

    It's no wonder searching for "don't need firewall" yields only that guy talking about it. Is he like the Ron Paul of PC security? :D (And I don't mean that in a mean way)
     
  10. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    -https://www.infoworld.com/d/security/why-you-dont-need-firewall-193153
    -https://www.infoworld.com/d/security/why-you-dont-need-firewall-193153
    -https://www.infoworld.com/d/security/why-you-dont-need-firewall-193153
    -https://www.infoworld.com/d/security/why-you-dont-need-firewall-193153
    lol jk. I actually find the article interesting, what he says was right. As Hungry Man says, even Ubuntu ships without it.
     
  11. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    LOL

    Yeah dude but that's because Ubuntu works differently. It has all ports closed by default.

    Windows has different services and background processes for additional functions on by default whereas with Linux it usually takes a stripped down then you add only what you want approach.

    There is no logical advantage security-wise to exposing yourself to the Internet. Doing so I would feel almost as threatened as being in a prison shower.
     
  12. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    @HungryMan: I'm mostly talking about SRP in the context of only things in Program Files can execute and it is set to Disallowed...so default deny.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    If it's acting as an AE then... I consider it subject to all things I've said about AEs so far.
     
  14. No_script

    No_script Registered Member

    Joined:
    May 12, 2012
    Posts:
    97

    No offense, but it's your router that you "assume" has kept you safe. Not Webroot (LOL) or Windows Firewall. A must is that you have a decent router with NAT + Intrusion Prevention + AES Traffic Encryption then you will probably keep out 80% of bad guys.

    But if someone wants to get you there is not much you can do. There are some very talented coders out there who sometimes just like to r00t you for the lulz.
     
  15. Nevis

    Nevis Registered Member

    Joined:
    Aug 28, 2010
    Posts:
    812
    Location:
    255.255.255.255
    Ok, today, after a very very long time, I was attacked by viruses and trojans.

    I lent my pendrive to a friend and when I plugged it in, I got 20+ USB viruses attacking me. However cautious you are on the internet, you cannot escape situations like these (since it was my pendrive, I forgot that it could be infectious).

    My AV came to the rescue. The virus was strong since I am reading the details of some of the viruses on the net.

    Hence, AV are not completely useless :p .... You cannot be 100% cautious every time.
     
  16. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    :thumb: completely agree with you and no link or article will change my mind. personal experience is all i need ;)
     
  17. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It was an interesting read, once you got past most of the comments. Most of what he said is accurate as well. As for taking advice from a hacker, there's too much emphasis on the source as opposed to the advice itself. Nothing taints advice worse than financial motives. The motives of a software vendor are obvious, profit. What would a hacker have to gain from giving you advice? Little to nothing? Targeting the security conscious/paranoid isn't profitable at all.

    The only thing in his advice that I don't agree with is the value of a software firewall, not because software firewalls are worthless, but because most don't know how to configure them to be secure, and don't know when to say no to a prompt. It's no different with HIPS, software restriction policies, etc. They're only as good as the rules and policies they enforce. That's what I've tried to tell people for almost forever. Start with the security policy, then select and configure to enforce it.
     
  18. Tsast42

    Tsast42 Registered Member

    Joined:
    May 7, 2012
    Posts:
    137
    Location:
    United Kingdom
    ChromeOS is secure like a typewriter is secure :p
     
  19. jitte

    jitte Registered Member

    Joined:
    May 2, 2012
    Posts:
    67
    2. If you're that worried about it why are you advertising your security setup as your sig?

    The whole rationale behind the Hacking Exposed series of books is to educate you on how an exploit is carried out so that you are better suited to defend against it.


    Linux... They might as well rename the All Things UNIX forum to All Things Linux as it seems no one here uses BSD but me.



    Pride goes before destruction, and a haughty spirit before a fall. Proverbs 16:18
     
  20. Tsast42

    Tsast42 Registered Member

    Joined:
    May 7, 2012
    Posts:
    137
    Location:
    United Kingdom
    His argument about firewalls being useless applies to simple incoming firewalls such as Windows' own when you're already behind a router; the software firewall adds nothing to protection from internet threats. It doesn't apply to more configurable firewalls that add process monitoring, for example. Although strictly speaking he's right, it is in my opinion a bad message to send out, as there will be times when many users won't be connected to a router or (less likely but still happens) could become subject to a threat from the intranet or wireless interception, and if the average user has just been told to remove their firewalls it's a disaster waiting to happen. Especially as with Vista type firewalls there's no noticeable performance cost, so better for everyone to just leave them on. With regards to outbound protection the idea is that malware will be unable to connect out, rendering much of it inert; the trouble is that malware can be using allowed processes that they've hijacked. Considering that they're often a nuisance to set up or reduce system performance, it's a very different cost/benefit calculation when they can be so easily bypassed.
     
  21. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    This is a complete contradiction. How does trying to create or provoke a potential adversary qualify as being a safe user? It's definitely not a show of common sense.
    As it should be. The number one rule for common sense is not to be a target in the first place, to avoid trouble, not try to create it.
     
  22. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    So true. Well pointed out.
     
  23. jitte

    jitte Registered Member

    Joined:
    May 2, 2012
    Posts:
    67
    Which isn't saying much about his credentials as far as being a "security professional."

    I've got a dedicated pfSense firewall box, check the logs once a day, don't have a problem understanding what they mean, and don't consider myself a security professional either.

    And it doesn't put out thousands of warning messages a day, much less an hour.
     
    Last edited: May 23, 2012
  24. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Most any decent firewall can be configured in regards to what it does and doesn't log. For most users, logs that record every port scan and every connection attempt are worthless, about as useful as a car alarm that records every time your car is touched in a busy parking lot.

    Software firewalls themselves seldom fail. The primary weakness of software firewalls is the OS they run on, which gets compromised by other means, most often the user themselves. Software firewalls are best for controlling allowed traffic, especially when the user needs to allow inbound for a specific purpose.
    "Professional" being someone who gets paid for that job, whether they're any good at it or not.
     
  25. Tsast42

    Tsast42 Registered Member

    Joined:
    May 7, 2012
    Posts:
    137
    Location:
    United Kingdom
    Online banking is a lesser concern to me at least given improving security measures: my bank for example requires you to select characters from your second password using drop down menus. Anyway if they really want my overdraft they're welcome to it. There are also these extra measures like using a clean sandbox or limited browser for banking. Where all this fails is our other online passwords. Say you sign into your Google account (assuming you HAVE a Google account): using their services requires allowing scripts so that's your first security boundary gone, then some mercenary replaces the governing structures of your browser within the sandbox, allowing shadowy external forces to control a puppet masquerading as the legitimate process, and waits patiently for you to enter further passwords. It seems to me that you're pretty much toast. Process restriction and outbound connection blocking don't even come into play.
     