windows xp
Posted by: ken c on 19 September 2004
my daughter bought an hp zt3000 notebook some time ago. nice pc, but a bit frustrating with the problems we have been having with XP Home.
the pc came with a security update which we were advised to install before logging on to the net, for obvious reasons. we were also advised to install windows updates, which we did -- this was the beginning of a long headache. you see, the windows updater kept telling us that there are some updates available, but it turns out there were the same updates being installed over and over again (could see this from control panel add/remove programs). we also tried to install Norton AV, but this introduced its own problems --- basically every time i opened it to set it to do live updates automatically, the Norton window would simply close down.
OK, i thought, better wait for SP2 on CD and try again. when this came, couldn't install it --- whenever i tried, the installation would simply abort at various places without any explanation.
anyone had any of these or similar problems with XP home? how did you get around them?
many thanks...
enjoy
ken
Posted on: 27 September 2004 by pingu
Matthew
"Mekon -- That's quite an in-depth article and on a brief reading I'd disagree with a lot of what he says. However, I recommend you consult a security expert about what it all means."
Can you be specific please Matthew?
cj
Dr CJ, CISA, CISSP
by the way
Posted on: 27 September 2004 by ken c
as reported earlier, my daughter's pc is now sorted (actually it's also running a lot faster than before... hmmm...)
i have been following(?) the verbal wrestling in this thread -- there is some useful info in it -- but signal-to-noise ratio is decreasing as personal attacks increase.
what would be useful is if someone could summarize what the various vulnerabilities are on a pc connected to the net, using mail client such as outlook or outlook express and IE as browser. does it make any difference what browser you use? netscape? what about mail client? etc etc etc...
hopefully this thread can move to a different plane?
enjoy
ken
Posted on: 27 September 2004 by matthewr
Cliff,
Congratulations. You have successfully made me angry. In a couple of hours when I no longer feel angry I will feel stupid and, perhaps, even slightly ashamed about this, but for the moment I am angry.
Matthew, writing this kind of personal attack repeatedly
"I think you have made a number of statements containing basic errors on fundamental issues of security and have given detailed reasons why."
It is not a personal attack. It is fair comment. You said stuff that I believe is not correct. I pointed this out and explained why. An example of a personal attack is the phrase "Matthew what a fucking arse you truly are!"
However, despite my anger, I am not going to resort to the sort of personal attacks you seem to favour. Instead, I am going to repost some examples of you saying something wrong and me explaining why in the hope that this will quench my rage. I apologise in advance for this but I see little alternative given the fact that you repeatedly post endless variants of "You said I was wrong without saying why" despite my numerous requests that you read the thread as it's all there.
Cliff said "XP Firewall with SP2 gives you the option to unblock applications that are trying to go out through the firewall"
I said Windows Firewall's Exceptions tab allows you to apply exceptions to the list of programs/services for which "Windows Firewall is blocking incoming network connections". If it does allow egress blocking it's being very coy about it.
(This exchange was followed by more supporting evidence, and then repeated several times with more evidence).
Cliff said "Even if you use good passwords on a system which doesn't disable profiles when multiple wrong attempts are made, it isn't secure"
That's just not true. Strong passwords provide more than adequate protection against dictionary and brute force attacks and provide good protection in all but the most secure applications. Even with today's processing power and bandwidth it would take a typical attack weeks to succeed.
Although password policies like lockout (which are a good idea btw) would remove the relatively small theoretical risk of successful brute force attack against strong passwords, they are mainly designed to protect *weak* passwords not strong passwords. A strong password will defeat the sort of dictionary attack that the overwhelming majority of NETBIOS based attacks use even without a lockout policy.
Cliff said "The best way to let people into your computers is to publish your password methodolgies on an internet forum"
Actually the best way to secure your PC is to publish your security arrangements including password strategies.
"Security by Obscurity" is often one of biggest flaws at the heart of most people's understanding of security (not least Microsoft's).
So, for example, we can look at Dom's published system and say that his method of forming passwords is reasonably secure. However, his method of deriving base pass phrases on which to base his passwords is arguably too narrow and is certainly open to social engineering attacks ("Hey Dom, what's your favourite album?", etc.). For the most secure passwords, such as online banking, Dom may like to consider widening his source of pass phrases.
[Later, on request, more explanation was provided on why Cliff was wrong on this point:]
Because in telling the world how you create your passwords, you are opening the process to scrutiny and validation and it is a fundamental principle of good computer security that you should publish and audit such aspects of your security arrangements.
If your security relies on keeping such things secret your security is almost certainly wrong. Any basic undergraduate computer security course will drum this point into you over and over again.
Consequently, your statement "The best way to let people into your computers is to publish your password methodolgies on an internet forum" is wrong and demonstrates misunderstanding of fundamental security concepts.
[Cliff then further emphasised his poor understanding of this issue:]
Cliff said "Opening up your password methodology to scrutiny is not what you have done. You have put it on the internet. All the worlds hackers now have a better chance of breaking into your PC than they did before"
You are still completely misunderstanding the point. Which is, that any good password selection methodology is only any good if you can show it directly to a potential attacker and it still be secure against all likely attacks.
Or to put it another way, if you have a password methodology that cannot be put on the internet as doing so would compromise its security then you do not have a good way of generating strong passwords.
Like I say this argument is *absolutely fundamental* to lots of ideas about security. Your original comment and subsequent follow ups make it seem very likely that you do not understand this properly.
You are also ignoring the fact that the advice I gave about deriving passwords from known passphrases to create an easy to remember but difficult to guess password is essentially standard advice that is published all over the place. The fact that hackers know that that people use this method does not help them guess passwords.
Cliff said "the cheapest price is $33.30 so I would hardly call that "free"
[link to] AVG Free Edition
Cliff said "It doesn't matter what password methodology you put on F&PS because a programmer can easily hack a password only protected share with a simple looping program going through all possible combinations"
This demonstrates your fundamental misunderstanding of strong passwords and F&PS vulnerabilities and dictionary and brute force attacks. Indeed, the WHOLE POINT about strong passwords is that the above is not true. I have no idea how this might "depend on the programmer".
Followed by a more detailed explanation:
Cliff said "Also what is this cobblers: "This demonstrates your fundmental misunderstanding of strong passwords "
Ok lets break your original statement down:
"It doesn't matter what password methodology you put on F&PS"
This implies that regardless of password methodologies F&PS will be insecure to simple attacks. This is not true if you choose a strong password.
"a programmer can easily hack a password only protected share with a simple looping program going through all possible combinations"
This strongly suggests that you do not understand that a "strong password" is only strong if it is specifically not vulnerable to such an attack.
"Yes w3sth8m is going to take longer to hack than "abc123"
w3sth8m is not a strong password (it's a sports team with some common numerical substitutions) and would be highly vulnerable to basic dictionary attacks. It's not appreciably more secure than "abc123"
Cliff said "You will also note that Matthew kindly posts his entire record collection on the internet, which makes the job even easier"
So you are suggesting that a hacker would note down the contents of my record collection, somehow acquire all the lyrics, break the lyrics up into discrete phrases, take the first letter of each phrase, for each phrase generate a few thousand variants based on standard substitutions, compile this into a list and loop through it?
"Your own method of using the first letters of a string of text is no more difficult to interpret"
I note that:
a) It is not my method at all but, by common well publicised consensus, essentially the best way to do it.
b) It's untrue to say that strong passwords are not more difficult to interpret as they inherently have no meaning.
"You would have West Ham United Football Club Are Great (whufcag with the a changed to a 1 or something) rather than Westham I suppose"
You are implying some Mystic Meg like powers on the part of potential hackers that allows them to divine an essentially arbitrary pass phrase. You don't seem to understand the exponential difference in combinatorial terms between dictionary words and proper names and pass phrases.
"Yes, and also don't bind to the wireless adapter neither"
I have F&PS sharing bound to my wireless network and it's perfectly safe. Possibly you mean "Don't bind it to non-secured wireless network" but even then, if you have a non-secured wireless network then frankly F&PS is the least of your worries.
"password only security is not as strong as user and password security"
Again that's not really correct and betrays your lack of understanding. In practice usernames are not secret and are both widely known (e.g. "Administrator", "root") and often predictable (e.g. "mrobinson"). Hence the username provides a trivial amount of extra security and even in user/password logins 99.9% of the security resides in the password itself.
"I only pointed out that if you post your methodology on the internet, it in effect gives the hackers a smaller scope for how to program their attack"
And again you explicitly repeat your fundamental misunderstanding of the points we have been arguing about.
How does in any remotely practical sense the fact that I once used a song lyric as a passphrase allow a heuristically directed guess at a password like "k3fat30tbw5"?
Cliff said "A good cryptic user ID plus a strong password is n times as good as a strong password on its own"
The user ID is the public (in the technical not literal sense) means of identifying the user. It is not treated as secret information by design (they are in plain text on the screen, they appear on print outs, mail addresses, etc) or by the user. As such no well designed security system would rely on it for any part of its security and you should design your security as if a potential attacker already knows this information.
The password is, of course, the aspect of user identity that carries the security. And being so fundamental to security, good practice requires it adhere to certain standards. One of these standards is length where we typically require enough characters so that the password is not vulnerable to brute force attack.
Hence, in any well designed security system, user ids effectively provide no component of the security which instead resides almost completely in the password. This is why most computer systems have user ids based on people names -- if it's not part of security you might as well make it easy to remember and use for all sorts of reasons.
Or, to put it another way, if you need cryptic user ids to ensure security then the real issue is that you need longer passwords.
Cliff said "Do you really believe that a program wanders around the internet randomly hacking open ports to see if messenger is running and then asking it to log on"
Yes. Programs absolutely do randomly wander around the internet by scanning large numbers of IP addresses looking for certain open UDP and TCP ports on which Messenger runs. And if such programs do find Messenger running they can (in unpatched systems) exploit buffer overrun vulnerabilities in Messenger to install various trojans and completely compromise your system.
Cliff said "Messenger logs on to the Messenger server and is PREVENTED FROM DOING THIS IF YOU UNCHECK THE EXCEPTION ALLOWED TAB."
Almost right. It's not "Messenger" that you are worried about logging on -- it's malicious code that is looking to compromise your machine.
Cliff said "As far as I can see its just a nigh on libellous attack on Steve Gibson, but if it helps Matt secure his PC, good luck to him."
It's an extensive, detailed and well documented critique of Steve Gibson's output over a number of years. If it's libellous presumably he might sue.
So there you have it. *Lots* of what I believe to be incorrect, misleading or incomplete statements by you on the subject of security and my reasoning as to why I think you are wrong.
Once again, I do not claim to be a security expert beyond a basic understanding of the subject gained from an IT degree and 15 years working in the industry. I am more than happy to acknowledge mistakes (I make them all the time) and am happy to bow to superior knowledge on a subject on which I am far from an expert.
I do, however, think it is entirely reasonable, based on the above evidence, for me to say that you have made a good number of incorrect statements that imply poor understanding of security on your part. And that based on that it is reasonable for me to doubt the quality of your advice on the subject in general.
And that really is my last word on these issues. It’s now all there for you to read TWICE.
Matthew
[This message was edited by Matthew Robinson on Mon 27 September 2004 at 20:17.]
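The post above argues that "w3sth8m" is a dictionary word with routine substitutions and so barely stronger than "abc123", while a passphrase-derived string like "k3fat30tbw5" has no dictionary meaning and must be searched exhaustively, and that a username adds almost nothing on top of the password. The following strength estimator is an added illustration of that reasoning and is not code from the original thread or any of its participants. It assumes a small constructed wordlist standing in for an attacker's dictionary, an assumed real-wordlist size (DICTIONARY_SIZE), and a constructed substitution table in which "8" maps to both b and a so that the post's own example normalises to "westham". It estimates the number of guesses needed under the cheaper of two attack models (dictionary plus substitution rules, or exhaustive search of the character set) and converts that into bits, the way a password-audit tool would when checking a user's choice.

```python
import math
import string
from itertools import product

# Constructed sample wordlist standing in for an attacker's dictionary (assumption).
# Real wordlists hold far more entries, which DICTIONARY_SIZE below accounts for.
WORDLIST = {"westham", "arsenal", "chelsea", "password", "letmein", "abc123"}
DICTIONARY_SIZE = 100_000  # assumed size of a real attack wordlist

# Constructed table of common "leet" substitutions that a rule-based dictionary
# attack reverses. "8" is listed as both a and b so the post's w3sth8m example
# normalises to "westham".
LEET = {"3": "e", "4": "a", "0": "o", "1": "il", "5": "s", "7": "t",
        "8": "ab", "@": "a", "$": "s"}
SUBSTITUTABLE = set("".join(LEET.values()))  # letters that have a digit/symbol alias

MAX_DICTIONARY_LENGTH = 16  # longer strings are not treated as a single substituted word


def dictionary_match(password):
    """Return the wordlist entry the password is a substituted form of, or None."""
    if len(password) > MAX_DICTIONARY_LENGTH:
        return None
    # Each character may stand for itself or for any letter it is an alias of.
    choices = [sorted({c.lower()} | set(LEET.get(c, ""))) for c in password]
    for candidate in product(*choices):
        word = "".join(candidate)
        if word in WORDLIST:
            return word
    return None


def charset_size(password):
    """Size of the smallest standard character set containing every character used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += len(string.ascii_lowercase)
    if any(c in string.ascii_uppercase for c in password):
        size += len(string.ascii_uppercase)
    if any(c in string.digits for c in password):
        size += len(string.digits)
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def estimate_guesses(password):
    """Guesses an attacker needs under the cheaper of two models:
    dictionary + substitution rules, or exhaustive search of the character set."""
    brute_force = charset_size(password) ** len(password)
    word = dictionary_match(password)
    if word is None:
        return brute_force
    # Each substitutable letter of the base word may be left alone or replaced,
    # so the rule set tries 2^k variants of every dictionary entry.
    variants = 2 ** sum(1 for c in word if c in SUBSTITUTABLE)
    return min(brute_force, DICTIONARY_SIZE * variants)


def password_bits(password):
    """Strength expressed as log2 of the estimated guess count."""
    return math.log2(estimate_guesses(password))


def username_extra_bits(plausible_usernames):
    """Extra work the username adds, given how many usernames an attacker would
    consider plausible (1 when it is known or predictable, e.g. 'Administrator')."""
    return math.log2(plausible_usernames)


def seconds_to_exhaust(password, guesses_per_second):
    """Worst-case time for an attacker at a given guess rate to try every candidate."""
    return estimate_guesses(password) / guesses_per_second


if __name__ == "__main__":
    for pw in ("abc123", "w3sth8m", "k3fat30tbw5"):
        print(f"{pw:12s} match={dictionary_match(pw)!s:8s} "
              f"guesses={estimate_guesses(pw):,} bits={password_bits(pw):.1f}")
    # Even 1,000 plausible usernames add only ~10 bits to a login's strength.
    print(f"username with 1000 plausible values adds {username_extra_bits(1000):.1f} bits")
```

Under these assumptions "w3sth8m" and "abc123" both land around 19 to 21 bits because the dictionary model finds them, whereas "k3fat30tbw5" falls through to the exhaustive model at roughly 57 bits; the username term shows why the post treats the password as carrying essentially all of a login's security.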
Posted on: 27 September 2004 by matthewr
Pingu,
First, you will perhaps forgive me if you note a certain reluctance to engage with someone who seemingly registered in order to join a protracted and heated debate. For reasons I am sure you understand.
That, notwithstanding, you said “What exactly are your objections to Cliff's post of "Mon 27 September 04 09:45"
Well, for example, Cliff in that post said “You extrapolate that I know noting about security when I say that in a user/password login the security provided is 50% by each component”
I object to this on two counts.
Firstly, The sentence is plainly false as I did not extrapolate Cliff’s apparent ignorance from that statement but from his collective contributions on the subject set out above.
Secondly, I believe his views on the element of security provided from a user name is wrong and that the security does indeed primarily reside in the password as I pointed out. I have repeated my reasoning for this again above.
I note that Cliff does not refute my reasoning or provide any of his own and simply states that user names provide 50% of the security because he is aware of a number of financial sites that use nominally cryptic IDs. This is hardly a good argument for a number of reasons.
Firstly it’s not necessarily true to assume that the cryptic IDs are used to provide, effectively, extra bits of password security. It may well be, for example, that banks need a method for automatically generating IDs for large numbers of users and wish to do so without basing it on other information such as accounts numbers for which there are very good reasons for keeping them secret.
Secondly, I could always provide counter-examples of sites that do not use cryptic passwords. For example, Nat West’s online banking application is IMHO very well designed from a security point of view but uses user IDs which are far from cryptic (it’s date of birth followed by a short numeric ID).
Cliff has also said, more than once, that a cryptic user ID a strong password each provide 50% of the security. I do not believe this is true because user IDs are essentially by design and by usage not secure. For example, unlike passwords they are usually displayed in plain text when logging in, they are frequently quoted to support personnel over the telephone when a password absolutely never would be, available to internal staff, etc.
Hence, far from being 50:50, I believe that the majority of the security of a login resides in the password and not the user id. I also believe that in a well designed secure application, you should design your password security on the basis that it should still provide enough security even if the user id is compromised.
Also in the post you cite, Cliff raises again the idea that publishing a methodology for deriving passwords is inherently not secure. He states “If this were not the case then I'm sure the CIA, like you, would publish to the level of detail you have given, how they choose their "pass phrases".
Again I have already repeated the explanation I originally gave above. However, in essence,
-- Any good policy for deriving passwords can be widely published without compromising the security of the passwords it generates.
-- If the CIA has a flawed method of deriving passwords and it keeps it secret it perpetuates its problem.
-- If it published that flawed policy for public review it would quickly be informed of the flaws and would be able to take appropriate steps to recifty the problem.
Cliff also said "You advocate reading a website as a source of security information when all it does is rubbish someone elses opinions about security.
This statement is incorrect as viewing the website (http://www.grcsucks.com) will quickly demostrate. For a start to state "all it does is rubbish someone elses opinions about security" is wrong for two major reasons:
1. It provides extensive analysis and critique of false, and misleading statements by Steve Gibson which are so widely known (he has a gift for self-publicity) that almost everytime Windows/Internet security is raised anywhere people start quoting him and providing links to the flawed "Shields Up!". (In fact if this forum's search function was working you' find lots of previous links to this site from me in response to people quoting reffering to Gibson).
2. It provides lots of links to all sorts of articles on security and debunkig of other fraudulent/misleading products/sites.
Which I trust answer's CLiff's request to "Please explain in detail how that is supposed to help anyone visiting this forum for detailed security advice"
Regarding his specific points about NETBIOS and whether he is right or not, then to be honest I don't know but am happy to state that I am far from an expert on NETBIOS and am more than happy to be corrected on specific points wihtout a quibble.
However, I would state:
1. My repeatedly stated view has been that if someone can packet sniff your LAN on your side of the firewall F&PS is the least of you security problems.
2. It's still my belief that network shares on your own side of the firewall with appropriate passowrd security and properly patched and protected systems is not a per se insecure system in sort of home/ofice contexts we were orginally discussing.
3. Cliff raised the ideas of packet sniffing and decoding plain text network datastreams after his initial misktakes regarding password security had been exposed and to obfustifacte these issues and mistakes. I think that is obvious from reading the thread.
"Can you be specific please Matthew?"
I speed read the aritcle posted my Mekon and my reaction was "Hmm, not sure about that". I would need to read it in more detail to get into specifics and to be honest it's far from my area of expertise.
Matthew
[This message was edited by Matthew Robinson on Mon 27 September 2004 at 20:23.]
First, you will perhaps forgive me if you note a certain reluctance to engage with someone who seemingly registered in order to join a protracted and heated debate. For reasons I am sure you understand.
That, notwithstanding, you said “What exactly are your objections to Cliff's post of "Mon 27 September 04 09:45"”
Well, for example, Cliff in that post said “You extrapolate that I know nothing about security when I say that in a user/password login the security provided is 50% by each component”
I object to this on two counts.
Firstly, the sentence is plainly false as I did not extrapolate Cliff’s apparent ignorance from that statement but from his collective contributions on the subject set out above.
Secondly, I believe his views on the element of security provided by a user name are wrong and that the security does indeed primarily reside in the password as I pointed out. I have repeated my reasoning for this again above.
I note that Cliff does not refute my reasoning or provide any of his own and simply states that user names provide 50% of the security because he is aware of a number of financial sites that use nominally cryptic IDs. This is hardly a good argument for a number of reasons.
Firstly it’s not necessarily true to assume that the cryptic IDs are used to provide, effectively, extra bits of password security. It may well be, for example, that banks need a method for automatically generating IDs for large numbers of users and wish to do so without basing it on other information such as account numbers for which there are very good reasons for keeping them secret.
Secondly, I could always provide counter-examples of sites that do not use cryptic passwords. For example, Nat West’s online banking application is IMHO very well designed from a security point of view but uses user IDs which are far from cryptic (it’s date of birth followed by a short numeric ID).
Cliff has also said, more than once, that a cryptic user ID and a strong password each provide 50% of the security. I do not believe this is true because user IDs are essentially by design and by usage not secure. For example, unlike passwords they are usually displayed in plain text when logging in, they are frequently quoted to support personnel over the telephone when a password absolutely never would be, available to internal staff, etc.
Hence, far from being 50:50, I believe that the majority of the security of a login resides in the password and not the user id. I also believe that in a well designed secure application, you should design your password security on the basis that it should still provide enough security even if the user id is compromised.
Also in the post you cite, Cliff raises again the idea that publishing a methodology for deriving passwords is inherently not secure. He states “If this were not the case then I'm sure the CIA, like you, would publish to the level of detail you have given, how they choose their "pass phrases".”
Again I have already repeated the explanation I originally gave above. However, in essence,
-- Any good policy for deriving passwords can be widely published without compromising the security of the passwords it generates.
-- If the CIA has a flawed method of deriving passwords and it keeps it secret it perpetuates its problem.
-- If it published that flawed policy for public review it would quickly be informed of the flaws and would be able to take appropriate steps to rectify the problem.
Cliff also said "You advocate reading a website as a source of security information when all it does is rubbish someone elses opinions about security."
This statement is incorrect as viewing the website (http://www.grcsucks.com) will quickly demonstrate. For a start to state "all it does is rubbish someone elses opinions about security" is wrong for two major reasons:
1. It provides extensive analysis and critique of false, and misleading statements by Steve Gibson which are so widely known (he has a gift for self-publicity) that almost every time Windows/Internet security is raised anywhere people start quoting him and providing links to the flawed "Shields Up!". (In fact if this forum's search function was working you'd find lots of previous links to this site from me in response to people quoting/referring to Gibson).
2. It provides lots of links to all sorts of articles on security and debunking of other fraudulent/misleading products/sites.
Which I trust answers Cliff's request to "Please explain in detail how that is supposed to help anyone visiting this forum for detailed security advice"
Regarding his specific points about NETBIOS and whether he is right or not, then to be honest I don't know but am happy to state that I am far from an expert on NETBIOS and am more than happy to be corrected on specific points without a quibble.
However, I would state:
1. My repeatedly stated view has been that if someone can packet sniff your LAN on your side of the firewall F&PS is the least of your security problems.
2. It's still my belief that network shares on your own side of the firewall with appropriate password security and properly patched and protected systems is not a per se insecure system in the sort of home/office contexts we were originally discussing.
3. Cliff raised the ideas of packet sniffing and decoding plain text network datastreams after his initial mistakes regarding password security had been exposed and to obfuscate these issues and mistakes. I think that is obvious from reading the thread.
"Can you be specific please Matthew?"
I speed read the article posted by Mekon and my reaction was "Hmm, not sure about that". I would need to read it in more detail to get into specifics and to be honest it's far from my area of expertise.
Matthew
[This message was edited by Matthew Robinson on Mon 27 September 2004 at 20:23.]
Posted on: 27 September 2004 by matthewr
Patrick -- I do not normally need a triple smiley to denote irony in my posts.
Ken -- If you want to know more than the basics, I recommend you read a good book. For example http://www.amazon.com/exec/obidos/tg/detail/-/1590593162/002-2594681-9350450?v=glance
Posted on: 27 September 2004 by ken c
quote:
Originally posted by Matthew Robinson:
Ken -- If you want to know more than the basics, I recommend you read a good book. For example ...
matthew, sound good ... many thanks.
enjoy
ken
Posted on: 27 September 2004 by Tarquin Maynard - Portly
quote:
Originally posted by Matthew Robinson:
I am not sure why you chose to stick your oar in at this point, Mike, but for completeness sake you should probably have included my subsequent apology:
"Maybe bollocks was a bit strong and I was in a bad mood, so for that I apologise"
I chose this moment because somebody mentioned, at the weekend, an incredibly long thread about Windows XP. I did not have the chance to read the entire thread - life is just toooo short, but the "bollocks" word was on page one: the accusation of rudery was on the ( then ) last page: these were the two I read. Good of you to be man enough to apologise, though.
quote:
Also, to be pedantic, it was a foul mouthed, arbitrary and unfair dismissal of someone's point and not foul mouthed abuse.
Thanks for clearing this up. "Bollocks", then, in Mundo Matthius, is not abuse. Pedantry far beyond me. I must admit.
Regards
Mike
Memo to self: if ever employing either of these two for a job, make sure it's NOT on an hourly rate, but piece work
Spending money I don't have on things I don't need.
Posted on: 27 September 2004 by Steve Hall
Ken,
Not been here much since I first posted a reply. How is your PC now? I must admit I skipped from page one to page six of the thread, but I did see Matthew's apology (accepted).
For those that are interested, the average time to infection for a new machine can be seen here:
Average time
And this is taken from the Internet Storm Centre.
Steve (GCIA GFIH GCFA)
Posted on: 28 September 2004 by Mike Hughes
Matthew,
quote:
If you are going to take the trouble to post a lengthy diatribe on the subject my behaviour you might at least do me the courtesy of spelling my name correctly.
quote:
I make no claim to deep experitse. I am more than willing to concede mistakes and errors I might make and to acknowledge that many, many people know much more about this than me.
Tell you what mate. If you claim "expertise" then learn how to spell it properly. Then, maybe I'll bother to concentrate on spelling your name properly. Why does the word "pathetic" keep coming to mind?
No Smiley needed at this point apparently.
quote:
Matthew, I assume you have no use for smileys at all, since there are none that signify pomposity, arrogance and smugness quite as well as your ample prose.
So, it's not just me and Cliff then???
Those of you who merely skip in here to look at the first and last pages really ought to print the rest off because
a) it is high comedy.
b) I no longer feel alone on this forum.
c) there is an awful lot of sense written about security and an awful lot of pedantry that in no way undermines the fundamentals of what Cliff says.
Mike
Posted on: 28 September 2004 by Mike Hughes
I was looking for a job actually Cliff.
That was a joke by the way. I have decided to use Quick Reply because then I can be as superior as Matthew and not use smileys.
Mike
Posted on: 29 September 2004 by matthewr
Cliff,
As tempting as it is to respond in depth to your latest Litany of Blunders, I did say it was my last post on the subject and someone has to stop the Cycle of 1000 Word Posts or we'll be doing this forever.
Mike,
You may like to reflect on the fact that your recent posts in this thread have had zero content and have amounted to little more than childish rants at someone you barely know and have never met simply because you had a minor disagreement with them about computer security.
Matthew
Posted on: 29 September 2004 by pingu
Matthew said
"I did say it was my last post on the subject"
errr twice
case rests
Posted on: 29 September 2004 by matthewr
Pingu,
You remind me of someone. Have we met before?
Matthew
Posted on: 29 September 2004 by Berlin Fritz
He's trying to seduce you, as Robinsons are prone to do, innit:
Posted on: 29 September 2004 by pingu
Matthew said
"Have we met before?"
I am on the telly quite a bit, but never after 5 o'clock
pingu
PS Not all Vuk's user IDs have a K in them
Posted on: 29 September 2004 by Mike Hanson
quote:
Originally posted by Matthew Robinson:
"The average time to infection on a WinXP system is about 5-10 mins when connected to the Internet"
Bollocks.
You're absolutely correct, Matthew. In fact, I'm running Windows XP Pro, and until recently (a few months ago) I had NEVER loaded any antivirus software as a resident service. Occasionally (every few months) I would do a manual scan, but nothing was constantly sitting there protecting me. I also was not running any type of Firewall. After years of virus threats, I never had a virus on my machine.
I should mention, however, that I was somewhat protected by other measures:
- I'm behind a DSL Router, which is a firewall of sorts.
- I prescan my e-mail using FireTrust's MailWasher Pro, which lets me delete unwanted mail before Outlook has a chance to get it.
- I retrieve e-mail using FireTrust's Benign, which prevents any type of nasties from tagging along with my incoming e-mail.
- I don't open stuff that's obviously not safe.
- I don't spend much time perusing suspicious websites.
- I occasionally run Pest Patrol and Spybot Search & Destroy.
- I don't use chat programs like ICQ.
- I don't use peer-2-peer file-sharing programs like eMule.
- I use Google's toolbar to block popups.
BTW, I've not loaded SP2 on my machine yet.
Yes, viruses are problems, and you do have to protect yourself. If, however, you're catching them within 5-seconds of connecting to the net, then you're doing something terribly wrong.
-=> Mike Hanson <=-
Posted on: 29 September 2004 by matthewr
Cliff,
Ok. I shall reply in detail when I have a moment.
Matthew
Posted on: 29 September 2004 by Tarquin Maynard - Portly
Any chance it can be PM or by using MSN messenger?
It's like picking a scab: you know you should not, but just can't resist looking at it.......
Regards
Mike
Spending money I don't have on things I don't need.
Posted on: 29 September 2004 by pingu
Mike (Hanson)
See the post on page 6 from Steve
in which he references real world data from here
http://isc.sans.org/survivalgraph.php
In short, Matthew is wrong.
Posted on: 29 September 2004 by matthewr
Cliff,
I'm afraid I'll need a 1000 words if I am going to cover all your mistakes in detail. I'll try to keep it short as possible though.
Matthew
Posted on: 29 September 2004 by rodwsmith
Why don't Cliff and Matthew settle this seemingly intractable disagreement with a hacking competition?
Whichever of them is the first to get into the other's machine is the winner.
The loser gets his credit card number and expiry date posted here. So the rest of us that can't resist spending hours reading all this can at least order some freebie naim/porn/viagra/booze off the internet or something...
Posted on: 29 September 2004 by ken c
in concrete terms, what does it mean to say x% of computer security is in the pwd or whatever... is x a probability of successful breach? if not what is it? especially given that you need BOTH items for a breach, even though one of them may be EASIER(?) to crack than another.
intuitively, i dont find it hard to accept that the way pwd's are handled (blind) means they are "more secure" than if they were visible -- if only for the trivial reason that someone looking over your shoulder (or with a camera in an adjacent building) can actually SEE your pwd. but i know little about this subject -- for now i just want to know what it means to make a numerical statement such as 'security is 99.9% in the pwd' vs another number like 50%... else the arguments and counter arguments are meaningless to me...
enjoy
ken
mike hanson: if you try to use your xp machine without the h/w firewall and all the other bits and pieces that you have surrounding it -- you will be able to observe very easily how your pc will be attacked by all sorts of trojans and worms. at least thats what happened to my daughter's pc, even with the critical security updates that came with the pc. we were on the net only during the time we were trying to get some more updates from microsoft. of course, experiences differ and you may be lucky.
i definitely am looking to get a router/firewall soon.
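Ken's question above (what a statement like "x% of the security is in the password" can actually mean) and Matthew's earlier point that a login should stay secure once the user ID is known both come down to the same arithmetic. The following is an added worked example, not something posted in the thread: it measures each login component in bits of guessing work, which add because the brute-force space is the product of the two spaces, and then shows what is left when the ID has been seen over a shoulder or quoted to support staff. The alphabet sizes, lengths and the date-of-birth model are assumptions chosen for the illustration.

```python
import math

# Added illustration, not from the thread: turning "x% of the security is in
# the password" into a checkable number. The usable quantity is bits of
# guessing work. Total work to brute-force a login is (ID space) * (password
# space), so the bits add and a component's "share" is its fraction of the
# total bits. Alphabet sizes and lengths below are assumptions.


def space_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a string of `length` symbols chosen uniformly
    from `alphabet_size` possibilities, i.e. log2(alphabet_size ** length)."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("alphabet_size must be >= 2 and length >= 1")
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """Average number of guesses needed to hit the right value in a space of
    2**bits possibilities (half the space, on average)."""
    return 2.0 ** bits / 2.0


def login_split(id_bits: float, pw_bits: float) -> dict:
    """How the brute-force work of a (user ID, password) pair divides between
    the two components, and what remains once the ID is known.

    `bits_if_id_known` models the case discussed in the thread: the ID was
    typed in plain text, seen over a shoulder or quoted to support staff, so
    the attacker no longer has to guess it and only the password bits count."""
    total = id_bits + pw_bits
    return {
        "total_bits": total,
        "id_share": id_bits / total,
        "pw_share": pw_bits / total,
        "bits_if_id_known": pw_bits,
    }


def scenarios() -> dict:
    """Two constructed logins (assumed values, not real sites).

    'cryptic_id': 8-character alphanumeric ID with a weak 8-letter lowercase
    password. The ID carries more than half the bits, which is the only way a
    "50/50" claim can hold, and it holds only while the ID stays secret.

    'dob_id': an ID in the style mentioned in the thread (date of birth plus a
    short numeric suffix; modelled as ~100 years of dates plus 3 digits) with
    a 12-character printable-ASCII password. Almost all the bits are in the
    password, so losing the ID costs little."""
    cryptic = login_split(space_bits(62, 8), space_bits(26, 8))
    dob_bits = math.log2(100 * 365) + space_bits(10, 3)  # assumed ID model
    dob = login_split(dob_bits, space_bits(95, 12))
    return {"cryptic_id": cryptic, "dob_id": dob}


if __name__ == "__main__":
    for name, s in scenarios().items():
        print(f"{name}: total {s['total_bits']:.1f} bits, "
              f"ID share {s['id_share']:.0%}, password share {s['pw_share']:.0%}, "
              f"{s['bits_if_id_known']:.1f} bits left once the ID is known "
              f"(~{expected_guesses(s['bits_if_id_known']):.2e} guesses)")
```

So "x%" is best read as a share of bits, not a probability: the probability of a breach also depends on how fast guesses can be made (online rate limiting versus offline cracking of a stolen hash), which the bit count alone does not capture. The `bits_if_id_known` figure is the one to design against, since it is the security that survives the ID being disclosed.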
Posted on: 29 September 2004 by sideshowbob
On points of detail, both Matthew and Cliff have said a lot of things that are correct, and some things that are overstated or questionable, and in some cases factually wrong. No big deal, who cares?
To make life simple, my summary of security as far as home computer users go would be:
Clever crackers who know what they're doing probably know a lot more about computers and security than the targets of their attack. Fortunately, most crackers are merely script-kiddies, people who run toolkits written by other people, and have minimal understanding of how they actually work. These people are easy to defeat, through a combination of strong passwords, turning off unused services, running a firewall and only opening ports you need to open (XP's built-in firewall isn't much cop, there are plenty of cheap alternatives, but any firewall is better than none), keeping up to date with security fixes through Windows update, and running a network process viewer and learning how to read its output.
There isn't really a lot more to it than that.
-- Ian
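Ian's last point, running a network process viewer and learning to read its output, is the one step in that list people most often skip. The following is an added example, not code from the thread: it parses a listing in the layout of Windows `netstat -ano` (protocol, local address, remote address, state, owning PID), keeps the sockets an outside host could reach, and flags any that are not on a short allowlist the machine's owner maintains. The listing and the allowlist are constructed for the illustration; the PIDs and addresses are made up.

```python
import re

# Added example, not from the thread: reading a netstat-style listing and
# flagging listening sockets the owner did not expect. SAMPLE_NETSTAT is
# CONSTRUCTED sample output in the layout of Windows `netstat -ano`; the
# PIDs and addresses are invented for the illustration.

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1096
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       1540
  TCP    192.168.1.10:1054      203.0.113.5:80         ESTABLISHED     1724
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:4500           *:*                                    704
"""

# UDP rows carry no State column, hence the optional state group.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+)\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def parse_netstat(text: str) -> list[dict]:
    """Parse netstat -ano style lines into dicts; header and blank lines
    do not match the pattern and are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["lport"] = int(d["lport"])
            d["pid"] = int(d["pid"])
            rows.append(d)
    return rows


def listening_sockets(rows: list[dict]) -> list[dict]:
    """Sockets another host could talk to: TCP in LISTENING state or any
    UDP socket, bound to something other than loopback."""
    out = []
    for r in rows:
        reachable = r["proto"] == "UDP" or r["state"] == "LISTENING"
        if reachable and not r["laddr"].startswith("127."):
            out.append(r)
    return out


def unexpected_listeners(rows: list[dict], expected: set[tuple[str, int]]) -> list[dict]:
    """Reachable listeners not in the owner's allowlist of (proto, port).
    Each one returned is a service to identify by its PID and then either
    justify, block at the firewall, or disable."""
    return [r for r in listening_sockets(rows)
            if (r["proto"], r["lport"]) not in expected]


# Allowlist assumed for the illustration: what a home box with file and
# printer sharing on the LAN would be expected to have open.
EXPECTED = {("TCP", 135), ("TCP", 445), ("UDP", 137)}

if __name__ == "__main__":
    for r in unexpected_listeners(parse_netstat(SAMPLE_NETSTAT), EXPECTED):
        print(f"unexpected {r['proto']} listener on "
              f"{r['laddr']}:{r['lport']} (PID {r['pid']})")
```

Run against real output, the allowlist is the part that takes thought: every entry should be a service you can name and have a reason to expose, and anything outside it gets matched to a process via its PID before deciding whether to close the port or disable the service, which is exactly the "turning off unused services" and "only opening ports you need" steps above applied with evidence rather than guesswork.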
Posted on: 29 September 2004 by Mike Hughes
quote:
Mike,
You may like to reflect on the fact that your recent posts in this thread have had zero content and have amounted to little more than childish rants at someone you barely know and have never met simply because you had a minor disagreement with them about computer security.
Matthew
Matthew,
You may like to reflect on the definition of the words 'rant' and 'childish' and point out to us all where I did so and how your behaviour on this and other threads differs so profoundly from my own.
Do correct me (I know you will) but this is The Padded Cell and we are allowed to contribute within reason what we wish whether on thread topic or off? Bearing that in mind I think I'll damn well contribute as I see fit and let the administrators decide whether that steps across any boundaries rather than yourself.
I challenged some of your opinions because I believe I have sufficient real world experience and knowledge to say you are wrong. Other people have joined me in challenging you too and for broadly similar reasons. There's a message in there for you. For goodness sake man, take the hint.
I'm not one of those people who wants to contribute for the sake of it or repeat what others with clearly more experience and knowledge and so I haven't felt the need to contribute anything extra to my initial comments on the technical front whatsoever. I asked you to back up what you say and others clearly share my frustration that, for all the huffing, puffing and repetition, you conspicuously fail to do so.
Therefore, it is only right and proper that I confine my contributions to perhaps helping you out of this hole by trying to provide a little levity whilst gently pointing out what a pompous a**e you are making yourself out to be to all and sundry.
Got that?
Good!!!
Mike
Posted on: 29 September 2004 by matthewr
OK, by popular demand I'll spare everyone another 1000 word post.
I shall withdraw my accusation that Cliff has demonstrated fundamental misunderstandings of security and put down whatever minor errors he may have made in this thread to a combination of hasty replies and my unreasonable pedantry.
I shall also apologise to Mike for saying his post was childish and a rant when all he was doing was making a reasonable plea for me to stop being a pompous arse.
I shall also apologise to anyone else who inadvertently read this thread for my part in boring them and wasting a no doubt not inconsiderable part of their day.
Matthew