On 02/14/13 18:24, Daniel Bertrand wrote:
> Hello,
>
> Thanks for providing such great software. It really is much
> appreciated.
>
> I was wondering what your stance is about the constant hack attempts
> on machines on our ISP networks..
"It happens. You can't stop the attack attempts. You can stop them from
being successful. It takes more than technology." (that's MY stance)

It costs them nothing to try to hit your systems. The likelihood you can
prosecute them is just about zero. Even if your computer has no useful
data sitting on it, it is still a very useful resource to them. No cost,
no risk, high potential gain. Guess what is going to happen...

> I see CONSTANT scanning for ports from all over the world, mostly
> from Italy, Russia, and China.

Doesn't matter where they are from (well, you can argue this. China and
India are mostly after Intellectual Property. Russian mob is after
financial info. Your next door neighbor is after adding you to their
botnet. That's assuming your "attackers" are after you in particular.
Most likely, it's just an automated scan from someone's compromised
machine). Some people spend a lot of time classifying them. Me? I don't
want any of them in my network, I don't care who they are or what their
motives are...I only care about their methods...and how I can counter
them.

> Every firewall/router product that I have purchased has been
> compromised so far.

I don't believe this at all. Not one bit. More likely, your machines
BEHIND your firewall/router have been compromised by careless users.
Unfortunately, no firewall will prevent stupid...and lots of people
think they can.

I work in an environment where people ARE after us in particular, they
want OUR data, it's targeted attacks, not (just) random knob twisting
(that's part of the fun -- the roar of the random knob twists helps hide
the targeted attacks). They don't compromise our firewalls, they aim
for our users.

The normal configuration for most home firewalls or routers is "block
incoming, pass outgoing", which is easy for the users, but all that does
is block unsolicited incoming attempts. If you can be persuaded to open
the channel to the bad guys (that's the pass outgoing), they can then
utilize your systems.
That's not your firewall/router being compromised, that is your users
being exploited.

> Is there really a secure, trustworthy adaptive filtering firewall
> configuration for each OS configuration out there?

If you have stupid users, it's unplug the wires from the back of the
computer. If you have a block all incoming rule, your users will end up
being the weak link. You don't need specific rule sets for each OS, and
in fact, it won't help...you are already (hopefully) blocking
unsolicited outside contact. The problem is the invited contact: the
website visited, the application downloaded.

> Most people who are on the net are completely oblivious and helpless
> when it comes to this constant trolling for access, they have no idea
> what to do to secure their machines.
>
>
> Shaw has neglected me and left me for dead when I ask for better
> control and protection from malicious attackers.

Not their job. AOL tries to make it their job...and totally **** your
machine up in the process (got that, Mom? no, didn't think so. *sigh*).

Meanwhile...if you have a simple "block all incoming" router/firewall,
disable Java, remove any product put out by Adobe, and practice safe
computing, you can live a pretty safe life at the moment on the 'net.
At the moment, Java and Adobe products are the primary things that let
bad guys onto your system through your firewall while you are behaving
yourself (that is not to say they are the only potential risk, but when
it comes to exploits in mass-market OSs, "thar's whar da gold is").

> What do I do to make sure I don't spend money on new hardware but get
> a PF configuration that I can trust besides "block in all"?
>
> Are there published rulesets for Mac/Windows etc. that we can just
> drop into our pf.conf and /etc/pf.anchors/ directory?

No. Your problem is basically one of users, which is outside our
ability to save you.

For sake of analogy (and my apologies to those who have heard me babble
this one many times before) ...
let's say you run a business, and as part of that business, you have a
fleet of vehicles that are used as an important part of that business.
You find you have a few drivers who are responsible for a large number
of "events" with those vehicles. Do you:

1) Fire those employees?
2) Reassign them to non-driving occupations?
3) Retrain those employees to be better drivers?
4) Put bigger bumpers and better airbags on the vehicles?

In the computer industry, we do #4. We never do 1 through 3. There is a
belief that technology can make dumb people safe...and it just isn't
true.

Note: as I'm using it here, "dumb" or "stupid" doesn't necessarily mean
a character flaw...it's just the people who haven't been trained or
learned how attackers hit you. Why do they teach how accidents happen in
driver's ed? Because that's how you learn to avoid them. You can't just
hand people computers and say "click away!" and expect technology to
keep them safe.

The usual response I get from doubters of my statement: "You can't train
everyone to never make a mistake"

My response: we don't even try to train people. The "technology will
save us" is CLEARLY not true.

And this is waaaay off topic for this list...

Nick.
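As an added example that is not part of the thread or of OpenBSD's own documentation, this is the "block incoming, pass outgoing" home-router ruleset Nick describes, written as an OpenBSD pf.conf; the interface names em0 and em1 are assumptions, and the logging is there so the scanning the original poster complains about becomes visible rather than silently absorbed:

```pf
# Added example, not from Nick's message or from OpenBSD: the
# "block incoming, pass outgoing" home-router ruleset he describes.
ext_if = "em0"      # assumed: interface facing the ISP
int_if = "em1"      # assumed: interface facing the home LAN

set skip on lo

# Drop every unsolicited inbound packet on the outside interface and
# log it, so port scans show up on pflog0 instead of being invisible.
block in log on $ext_if all

# Everything the inside initiates is allowed, and PF keeps state so the
# replies get back in. This is the "pass outgoing" half: a browser
# plugin or downloaded program that phones home rides this same rule,
# which is why no ruleset can protect a user who invites the contact.
pass out on $ext_if keep state
pass in on $int_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and watch the blocked scans with `tcpdump -n -e -ttt -i pflog0`.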