Chris Pirillo's annoyed by the Windows Firewall prompt
Yesterday, Chris Pirillo made a comment in one of his posts:
And if you think you’re already completely protected in Windows with its default tools, think again. This morning, after months of regular Firefox use, I get this security warning from the Windows Vista Firewall. Again, this was far from the first time I had used Firefox on this installation of Windows. Not only is the dialog ambiguous, it’s here too late.
I replied in a comment on his blog:
The reason that the Windows firewall hasn’t warned you about FF’s accessing the net is that up until this morning, all of it’s attempts have been outbound. But for some reason, this morning, it decided that it wanted to receive data from the internet.
The firewall is doing exactly what it’s supposed to do - it’s stopping FF from listening for an inbound connection (which a web browser probably shouldn’t do) and it’s asking you if it’s ok.
Why has your copy of firefox suddenly decided to start receiving data over the net when you didn’t ask it to?
Chris responded in email:
Because I started to play XM Radio? *shrug*
My response to him (which I realized could be a post in itself - for some reason, whenever I respond to Chris in email, I end up writing many hundred word essays):
Could be - so in this case, the firewall is telling you (correctly) exactly what happened.
That's what firewalls do.
Firefox HAS the ability to open the ports it needs when it installs (as does whatever plugin you're using to play XM radio (I documented the APIs for doing that on my blog about 3 years ago, the current versions of the APIs are easier to use than the ones I used)), but for whatever reason it CHOSE not to do so and instead decided that the correct user experience was to prompt the user when downloading.
This was a choice made by the developers of Firefox and/or the developer of XM radio plugin - either by design, ignorance, schedule pressure or just plain laziness, I honestly don't know (btw, if you're using the WMP FF plugin to play from XM, my comment still stands - I don't know if this was a conscious decision or not).
Blaming the firewall (or Vista) for this is pointless (with a caveat below).
The point of the firewall is to alert you that an application is using the internet in a way that's unexpected and ask you if it makes sense. You, the user, know that you've started playing audio from XM, so you, the user expect that it's reasonable that Firefox start receiving traffic from the internet. But the firewall can't know what you did (and if it was able to figure it out, the system would be so hideously slow that you'd be ranting on and on about how performance sucks).
Every time someone opens an inbound port in the firewall, they add another opportunity for malware to attack their system. The firewall is just letting the user know about it. And maybe, just maybe, the behavior that's being described might get the user to realize that malware has infected their machine and they'll repair it.
In your case, the system was doing you a favor. It was a false positive, yes, but that's because you're a reasonably intelligent person. My wife does ad-hoc tech support for a friend who isn't, and the anti-malware stuff in Windows (particularly Windows Defender) has saved the friends bacon at least three times this year alone.
On the other hand, you DO have a valid point: The dialog that was displayed by the firewall didn't give you enough information about what was happening. I believe that this is because you were operating under the belief that the Windows firewall was both an inbound and outbound firewall. The Windows Vista firewall IS both, but by default it's set to allow all outbound connections (you need to configure it to block outbound connections). If you were operating under the impression that it was an outbound firewall, you'd expect it to prompt for outbound connections.
People HATE outbound firewalls because of the exact same reason you're complaining - they constantly ask people "Are you sure you want to do that?" (Yes, dagnabbit, I WANT to let Firefox access the internet, are you stupid or something?).
IMHO outbound firewalls are 100% security theater[1][2]. They provide absolutely no value to customers. This has been shown time and time again (remember my comment above about applications being able to punch holes in the firewall? Malware can do the exact same thing). The only thing an outbound firewall does is piss off customers. If the Windows firewall was enabled to block outbound connections by default, I guarantee you that within minutes of that release, the malware authors would simply add code to their tools to disable it. Even if you were to somehow figure out how to block the malware from opening up outbound ports[3], the malware will simply hijack a process running in the context of the user that's allowed to access the web. Say... Firefox. This isn't a windows specific issue, btw - every other OS available has exactly the same issues (malware being able to inject itself into processes running in the same security context as the user running the malware).
Inbound firewalls have very real security value, as do external dedicated firewalls. I honestly believe that the main reason you've NOT seen any internet worms since 2002 is simply because XP SP2 enabled the firewall by default. There certainly have been vulnerabilities found in Windows and other products that had the ability to be turned into a worm - the fact that nobody has managed to successfully weaponize them is a testament to the excellent work done in XP SP2.
[1] I'm slightly overexaggerating here - there is one way in which outbound firewalls provide some level of value, and that's as a defense-in-depth measure (like ASLR or heap randomization). For instance, in Vista, every built-in service (and 3rd party services if they want to take the time to opt-in) defines a set of rules which describes the networking behaviors of the service (I accept inbound connections on UDP from port <foo>, and make outbound connections to port <bar>). The firewall is pre-configured with those rules and will prevent any access to the network from those services. The outbound firewall rules make it much harder for a piece of malware to make outbound connections (especially if the service is running in a restricted account like NetworkService or LocalService). It is important to realize this is JUST Defense-in-Depth measure and CAN be worked around (like all other defense-in-depth measures).
[2] Others disagree with me on this point - for example, Thomas Ptacek over at Matasano wrote just yesterday: "Outbound filtering is more valuable than inbound filtering; it catches “phone-home” malware. It’s not that hard to implement, and I’m surprised Leopard doesn’t do it." And he's right, until the "phone-home" malware decides to turn off the firewall. Not surprisingly, I also disagree with him on the value of inbound filtering.
[3] I'm not sure how you do that while still allowing the user to open up ports - functionality being undocumented has never stopped malware authors.
Comments
Anonymous
November 02, 2007
The Windows Firewall prompt, in this case, IS ambiguous though--to an average end-user. "Windows Firewall has blocked this program from accepting incoming network connections." Clearly, to them, Firefox has been accepting incoming network connections. They don't know the distinction between incoming connections and incoming data. Without knowing anything about sockets, "incoming network connections" is ambiguous and is read as "incoming network data". Windows Firewall is working as expected and Chris is being a little harsh; but he does make a point that even above-average users can misinterpret this dialog.Anonymous
November 02, 2007
Did you see the post at blogs.msdn.comAnonymous
November 02, 2007
The comment has been removedAnonymous
November 02, 2007
Am I the only one here who thinks that allowing malware to turn off the firewall is a very bad idea? Even a prompt saying "Malware.exe wants to disable your firewall. [Allow] [Deny]" would be better than the current behavior, IMO.Anonymous
November 02, 2007
Triangle, how do you tell the difference between malware and the user? If you can answer that question, then there are a number of game companies that would just LOVE to talk to you. Raymond gave a hint as to why this is so hard several years ago: http://blogs.msdn.com/oldnewthing/archive/2004/01/01/47042.aspxAnonymous
November 02, 2007
Do the firewall APIs that open ports not need some sort of privileged token to be called? I.e. should something that is opening a port on the firewall only work when run with admin privileges?Anonymous
November 02, 2007
Peter: That's a good question. I'd assume that you need admin rights.Anonymous
November 02, 2007
> Triangle, how do you tell the difference between malware and the user? You assume that everything is malware except for a few special programs, and make it so that only those programs are allowed to do "sensitive" things, such as turn off the firewall or overwrite system files. When the user wants to change something, they go through one of these programs. "But then I can just create an instance of one of those programs, and send window messages to it" - no you wouldn't be allowed to send window messages to a program that has more privileges than you do. Only the user is allowed to interact with those programs.Anonymous
November 02, 2007
Triangle: So the malware injects it's code into those special programs and does it's thing. Even if you CAN block malware from opening up its own ports, how do you block IE or Firefox from accessing port 80? Malware can attach itself to IE or Firefox (both of which have extension mechanisms that allow code to run with the privileges of the user) and can access port 80 just fine. If you can make outbound connections to port 80 on another computer, you can do anything. All you gain by adding an outbound firewall is make the life of the malware author slightly harder.Anonymous
November 02, 2007
> Triangle: So the malware injects it's code into those special programs and does it's thing. Well, of course it isn't allowed to do that. Jeez. When I said "send a window message", I meant "Send window messages, inject code into it, read/write into its address space, or in general do anything that would mess it up" > Even if you CAN block malware from opening up its own ports, how do you block IE or Firefox from accessing port 80? Well, malware would be allowed to open up ports. But allowing something to communicate with something else over the internet isn't a security risk unless: A) it's doing so over a raw socket, and can spoof or DOS people B) it sends the users private data over the wire Both of which could be considered 'sensitive' operations.Anonymous
November 02, 2007
Good post, but I still like outbound firewall protection. Not so much from malware, per se, but from all the tracking stuff the "legitimate, commerical" software does. I want to know if the app I purchased and installed is reporting home. If the EULA doesn't disclose what and why is sent home, or if I simply don't want to share that information, I block the outbound connection. Sure, the app could have disabled the feature at install time, but I haven't come across one yet that turns off the free version of Zone Alarm. Lots of major apps report home, but not from my machine.Anonymous
November 02, 2007
Adrian: That's fine. And I agree with you that sometimes it's interesting to see who's phoning home. Triangle: I asked this before: How do you identify malware? Don't forget: As far as the operating system is concerned, "malware" is indistinguishable from "Firefox".Anonymous
November 02, 2007
> Don't forget: As far as the operating system is concerned, "malware" is indistinguishable from "Firefox". That is absolutely 100% fine. As long as firefox doesn't try to open a raw socket, mess around with the firewall settings, overwrite system files, or any other sensitive operations, that is no problem.Anonymous
November 02, 2007
Triangle: It's ok if it runs a botnet client, sends spam for the botnet herder, pops up advertisements and sends all your financial data to eastern europe? Malware can do all of that without requiring any elevation at all. You have a strange definition of "ok".Anonymous
November 02, 2007
> It's ok if it runs a botnet client, sends spam for the botnet herder, pops up advertisements and sends all your financial data to eastern europe? First of all, it wouldn't be able to read any of your financial information. Remember, that's sensitive data. But the rest of the things you mentioned go beyond the scope of /operating system level/ security. Those would be best implemented by the popup blocker and the firewall.Anonymous
November 02, 2007
Larry Osterman's post (er, rant) (found here - http://blogs.msdn.com/larryosterman/archive/2007/11/02/chris-pirillo-s-annoyed-by-the-windows-firewall-prompt.aspxAnonymous
November 02, 2007
Triangle: If you can read the data, then firefox can read the data. If firefox can read the data, the malware can read the data.Anonymous
November 02, 2007
>If you can read the data, then firefox can read the data. If firefox can read the data, the malware can read the data. So you're only safe if you never run any programs at all on your computer? If that's the case, then it doesn't seem the security system is doing much.Anonymous
November 02, 2007
Triangle: That's why I'm claiming that an outbound firewall doesn't improve your security. An inbound firewall helps you by protecting you from threats outside your computer, but once the malware's inside your computer, the firewall ceases to have value. At that point, you have to rely on tools like antivirus and antispyware applications. See David's post (above) for more context on the value of an outbound firewall - he called out some cases I had missed where it does have value.Anonymous
November 02, 2007
> That's why I'm claiming that an outbound firewall doesn't improve your security. An inbound firewall helps you by protecting you from threats outside your computer, but once the malware's inside your computer, the firewall ceases to have value. At that point, you have to rely on tools like antivirus and antispyware applications. I understand this. A firewall isn't designed to protect you from threats already on your computer. But what I was claiming was that certain programs shouldn't be allowed to disable the firewall.Anonymous
November 02, 2007
Triangle: We're in 100% agreement then. There's an easier way of saying "certain programs shouldn't be allowe to disable the firewall" and that's "normal users shouldn't be allowed to disable the firewall". And that's exactly what Vista (and OSX and Linux) does by forcing all users to run as normal users and prompt for elevations.Anonymous
November 02, 2007
> There's an easier way of saying "certain programs shouldn't be allowe to disable the firewall" and that's "normal users shouldn't be allowed to disable the firewall". And that's exactly what Vista (and OSX and Linux) does by forcing all users to run as normal users and prompt for elevations. It's easier on the operating system developers, yes. But, for the user, it is harder and less productive. It also doesn't protect the user from malicious applications that might want to say delete all their files. And it produces dialog fatigue, to the point where the user will elevate any program for any reason just because it's what their used to.Anonymous
November 02, 2007
"So you're only safe if you never run any programs at all on your computer?" Pretty much. For best security, smash computer. Other than that, you can do a lot of the things most OSes do these days -- restricting access to certain roles or actions to specific users or classes of users. Whatever the user can do, malware can do. There's a lot of magical thinking when it comes to computers; security is definitely one area. ("But what I was claiming was that certain programs shouldn't be allowed to disable the firewall," seems to fall into this category. The rule here has to be that only admins can disable the firewall, otherwise it becomes completely unenforceable.)Anonymous
November 02, 2007
I'm not sure what the problem here is. Isn't there some kind of Win32 API call like IsEvilProgramThatDoesBadThings(LPCTSTR lpProgramPath)? That way you can only let programs who aren't evil turn off the firewall. No? You ought to get to work on that Larry. Ask Raymond to help. ;)Anonymous
November 02, 2007
Triangle: But do you have a better plan? Since you can't trust the return address of caller it's not possible to distinguish legitimate system tools and malwares whether it's signed or not. And if you don't allow people to disable firewall/add allow list to open port, people are going to hate it. Seems user privilege level is the only thing we can trust here... But I think perhaps it'd be better to allow programs to specify what specific privilege it requires in the manifest file, and have the information displayed in UAC prompt, so the user can know if they're going to enable the program to do something unusual if the user know enough...Anonymous
November 02, 2007
Great post Larry. I was however grateful for outbound firewall protection on a friends computer. It helped to track down the malware on their computer.Anonymous
November 03, 2007
> Since you can't trust the return address of caller it's not possible to distinguish legitimate system tools and malwares whether it's signed or not. And if you don't allow people to disable firewall/add allow list to open port, people are going to hate it. When you move the mouse, or press keys on the keyboard, it generates an interrupt that traps the CPU into kernel mode. That is how you can tell the difference. USB mice & keyboards are slightly different, but the principle is the same: The kernel receives mouse and keyboard notifications directly. No return address snooping or anything of that sort is remotely required. As for generating fake window messages/etc: Sending a message to a program in a different address space requires going through the kernel also. Sending a message to yourself doesn't; but that isn't a security issue either. Furthermore, there are special registers in the CPU that only the kernel can write to, such as page registers and certain permission registers. Those can be used to store pointers to permission data about the process that was running before the CPU entered kernel mode.Anonymous
November 03, 2007
Triangle: What's to prevent the malware from faking out whatever indication that you specify? How do you KNOW that a message isn't fake. Remember that the malware has full control over your process, so it can fake out any system calls you make. The gaming companies have been fighting this particular battle for years (trying to stop cheaters) and they've not been able to solve it.Anonymous
November 03, 2007
The comment has been removedAnonymous
November 03, 2007
Triangle: You're missing my point. The malware can do anything the user can do. It can attach a debugger to a process running in the context of the user, it can modify the running code in that process. And if it can modify the running code in the process, it can defeat any check you apply. Remember: The job at hand is trying to block malware that is running in the context of the user from trying to access the network. I'm asserting that as long as you allow ANY code running in the context of the user to access the net, the malware can also access the net. Your only other alternative is to run the code that's accessing the net in a sandbox that the user can't access. Because you don't want the user to be able to access it, you need to run it at a higher privilege level than the user (in general, you can modify things running at a lower privilege level than you). And that is exactly the opposite of what you want to have happen - you want to run the web browsing experience at as low a privilege level as possible.Anonymous
November 03, 2007
> Remember: The job at hand is trying to block malware that is running in the context of the user from trying to access the network. I'm asserting that as long as you allow ANY code running in the context of the user to access the net, the malware can also access the net. There is no danger in having any program access the network (Minus source spoofing or potential DOSing, however the TCP/IP protocol covers both). The danger is the data the program is allowed to send. > Your only other alternative is to run the code that's accessing the net in a sandbox that the user can't access. Because you don't want the user to be able to access it, you need to run it at a higher privilege level than the user (in general, you can modify things running at a lower privilege level than you). I never said anything about a sandbox. Unless you consider running code at a low privilege level sandboxing it. And, even if you did consider that sandboxing, in what backwards system is the user not allowed to access something sandboxed? It's the opposite: The code in the sandbox is restricted from interacting directly with the local machine, not the other way around.Anonymous
November 03, 2007
I think this conversation is going around in circles... Triangle, keep in mind, if you run anything with a login with admin privileges, that application is basically not restricted. That's the context that Larry is describing. In that context there's no way to tell what is and isn't malware (actually, in any context you can't differentiate, but in the admin privilege context there's no way to automatically restrict certain applications). If you don't let the malware run in that context, it won't have access to that privileged functionality, like writing to system files, and opening firewall ports (assumption for firewall points, I haven't see anything that confirms our assumption that opening a firewall port requires the currently logged-in user (or the selected run-as user) have a specific security token--but it should be easy to confirm). Since network communications isn't typically a privileged function firewalls are needed to allow certain applications access to certain ports, regardless of what the currently logged-in user's privilege level is. That's historically been the problem with user-attributed privilege: without things like firewalls and CAS, you can't restrict what applications can do and still run applications that are unrestricted without specifying which login to use to run each application (which is VERY tedious and requires system admin intervention on enterprise networks).Anonymous
November 03, 2007
I was going to jump up and down about your IMHO concerning outbound firewalls until I read the footnotes. [1] works for me. I understand that smarter malware will, if it can get buried that deep, disable the firewall software. I haven't been able to invent a case where malware could be running under LUA (hmm, maybe because of trojaning of some legitimate package?) and be installed, but I wouldn't want to rule out such a scenario. I haven't thought about it enought and I'd rather be safe than sorry. I also like to know how many packages are distributed these days with phone-home arrangements (to "helpfully" check for updates they can't auto-install in my LUA account anyhow). I actually do block a lot of those, although it is a pain on XP where I can't easily issue one-time exceptions to the firewall rule (not with OneCare at any rate).Anonymous
November 03, 2007
Chris's comment also implies that Vista's firewall just randomly decided, after months of use, to suddenly prompt for permission with Firefox. It's worth noting that Mozilla updated Firefox this week, on November 1, to version 2.0.0.9. That's the same date that this screenshot was uploaded to Flickr and the same date as Chris's blog post. In fact, the automatic update appeared here on my system about five minutes before I saw this article. Isn't it possible that that the firewall took action because this was a new executable? Although Chris may have been using a program called Firefox for the past six months, he wasn't using this version...Anonymous
November 03, 2007
malware running as an add-in to an application running under LUA should run, no? The user has to explicitly "install" it though; but you could say that about most malware now-a-days. Doesn't LUA check version information, so if an application is updated, it will prompt again?Anonymous
November 03, 2007
AddPortMapping requires that the application's credentials under which it is running be a member of the Administrators group. You can't seem to get to INetFwOpenPorts.Add without either being in the Administrators group or some specific privilege (that Administrators have); but I haven't tracked down the specifics...Anonymous
November 03, 2007
Dennis: I don't think that there's a vector for installing malware from low rights IE (LoRIE), but there absolutely is a vector for malware when running under LUA. You can deploy applications without requiring elevation on XP and Vista - all you need to do is to write to HKCU and you're good. It's harder for malware to hide itself in that case, but that hasn't stopped stuff in the past.Anonymous
November 04, 2007
I agree with both points of view. I prefer having outbound filtering enabled (so at least I'm told when something is trying to phone home), but any such implementation in the default Windows firewall is going to have ISVs screaming for a "let my app through" API they can call during installation -- and as soon as that exists, any benefit it provides from a security standpoint is purely an illusion (since it depends on how lazy the malware authors are). (And even if there wasn't an API, if it stored the data in the registry or in a file in a non-cryptographically-secure manner then it'd have the same problem, just with a slightly taller hurdle.) In the end, though, I think it would be a decent solution to:
- have an API to create firewall exceptions that requires elevated permissions to run.
- store the firewall exceptions in a cryptographically secure manner (with the key in a non-user-readable file) to ensure that only the official API can create an exception.
- have a "paranoid" option (off by default) that prompts the user with exact details whenever a program calls the API.
- turn outbound filtering on by default. Again, none of this will (or can) protect against elevated apps. (Or against FAT32 drives, since file permissions don't work there.) But it should help discourage bad behaviour in user-level apps.
Anonymous
November 04, 2007
It may be worth mentioning that it is possible in principle to design an operating system that meets Triangle's specifications; the important point is that it is probably impossible (or at least implausibly difficult) to retrofit such a design on Windows (or MacOS or Unix). Current operating systems allow (essentially) every process in a given user's space to represent the user, that is, to do anything the user is allowed to do. I don't believe this is necessary; however, it's so fundamental to the OS design that changing it comprehensively would presumably require rewriting pretty much every application in existence, i.e., you're talking about a new OS. (In fact it may be worse than that, because moving an existing application to such an OS would probably require a much more significant rewrite than is usual when porting to a different OS.) Personally I'd still like to see serious research done on the subject, because to my mind this change is essential if we ever want to build computer systems that are adequate to the tasks we ask of them.Anonymous
November 04, 2007
Miral, interestingly enough, I believe that 1 and 2 are implemented in Windows today, 3 and 4 aren't. But what "exact details" would you want to let the user know about? The only thing you know for certain is the PID of the process that requested the exception. From that, you can guess the name of the executable that contained the code running in that process, but you can't even guarantee that - unelevated malware can spoof anything other than just the process ID and the thread IDAnonymous
November 04, 2007
Well, you should also know what it was trying to do (open a connection to 123.123.123.123 port 123, bind to port 321, etc, etc) that'd be useful to know...Anonymous
November 04, 2007
Harry: I believe that it what Microsoft Research's "Singularity" project is trying to do (or one of them anyway)...Anonymous
November 05, 2007
The comment has been removedAnonymous
November 05, 2007
Pirillo seems to have influential readers at MS. Wish he'd move on to whine about Media Player and Explorer so those would get fixed Before SP2. For now, after year of Vista I finally gave up and am back with XP. What a relief.Anonymous
November 05, 2007
Karl, I disagree. That's ok. I do feel oblighed to point out that there are known examples of malware that disable the firewall (http://www.sophos.com/pressoffice/news/articles/2004/10/va_bagleaufw.html for an example - that was literally the first hit in my search for "worm disables firewall"). If Windows had an outbound firewall that was enabled by default, the first thing that phone-home malware would do upon installation would be to disable the firewall. Attempting to defend an infected machine against itself is just theater.Anonymous
November 05, 2007
Karl: Also, you seem to believe that chroot is an effective security barrier. It's not, and nobody who's worked on *nix security believes it is (ref: http://it.slashdot.org/it/07/09/27/2256235.shtml and http://kerneltrap.org/Linux/Abusing_chroot).Anonymous
November 05, 2007
The comment has been removedAnonymous
November 05, 2007
The comment has been removedAnonymous
November 05, 2007
The comment has been removedAnonymous
November 05, 2007
Norman: Because the incoming firewall's not trying to stop malware that's currently on the computer. It's trying to stop malware that's NOT on the computer. Once the malware gets on the computer, it's game over. But until the malware can get on the machine, the firewall is extremely valuable.Anonymous
November 05, 2007
The comment has been removedAnonymous
November 05, 2007
The comment has been removedAnonymous
November 06, 2007
You all (especially Karl Levinson) should re-read note [1].Anonymous
November 07, 2007
Exactly. We should get rid of the phrase "game over." What does game over mean? That we should keep the keylogger or malware on the system without even detecting it? No thanks. Microsoft needs to give us a way of detecting compromises. The outbound firewall, and protecting and monitoring changes to its configuration, would be one way of doing it, if Microsoft would stop arguing against what most of the customers want. If Microsoft thinks its job is over once the system is compromised, that's a significant problem.Anonymous
November 07, 2007
The major problem with Windows firewall is that it is no option to deny specific IP addresses - only to block all and allow specific addresses through. I have a public site that gets hit frequently by a couple of spammers: I know their IP addresses and they are too stupid to change them frequently enough to keep me off-scent, but I can't firewall them out because I need the rest of the world to have (http) access. Grrr.Anonymous
November 07, 2007
Baffled: It appears that the firewall has that capability. I don't know if the UI exposes that functionality, but you should be able to achieve that with code (or possibly with the netsh command). Karl: "Game over" to me means: It's time to reformat the hard disk and find your last known good backup. You have no idea of knowing what's been compromised, so the only SAFE option is to reset the machine.Anonymous
November 07, 2007
The last time I made custom settings on Windows XP's firewall, I could specify a subnet (IP address and mask) to allow listening while denying the rest of the world. I didn't see a way to set a subnet for denial while allowing the rest of the world, the way Baffled needs (though it might be there, just not immediately visible). Some third-party firewalls do exactly what Baffled needs. So do hardware firewalls, which I really recommend to Baffled. > "Game over" to me means: It's time to reformat the hard disk OK, excellent. But meanwhile, please don't make extra contributions to help malware continue pumping out spams until being detected, please don't make extra contributions to help malware continue hiding from detection, etc. Security measures are useful. OK, footnote [1] said that, but the phrase "game over" is ambiguous and had appeared to mean security measures were considered no longer useful.Anonymous
November 08, 2007
The comment has been removedAnonymous
November 08, 2007
The comment has been removedAnonymous
November 08, 2007
The comment has been removedAnonymous
November 09, 2007
The comment has been removedAnonymous
November 11, 2007
The comment has been removedAnonymous
November 16, 2007
I'm not going to argue the toss over "game over", but there are some valid points that I think are being missed all around. First up is the time interval between malware getting on and you detecting it. Some malware can be extraordinarily effective at hiding itself. Whatever course of action you decide, it should be your goal to reduce that time interval as much as possible. An outbound firewall can help here, by flagging a "hello! unexpected network access happening here" alert. Yes, some malware will disable (or attempt to disable) an outbound firewall. But some won't. Exact same scenario as AV. In a situation where you're compromised, surely it's the responsibility of the product vendor to give you the best chance possible for early detection? Getting that alert, or noticing that your outbound firewall is disabled, both seem like good early warning signs to me. And early detection will give you the opportunity to take whatever course of action you deem appropriate before the damage is done. Now, one thing that got me riled is the "protecting your computer against itself" comment. This is overly simplistic. In a scenario where you're compromised but don't know it, your computer may be potentially attempting to compromise other people's computers. That is not nice. Whatever side of "game over" you subscribe to, it's difficult to justify not having an outbound firewall in these circumstances. Even if it does become disabled, if it can give you a better chance of containing the compromise to your own machine, then it has already paid it's due.