
Firewall Wizards mailing list archives
Re: Ok, so now we have a firewall, we're safe, right?
From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 31 May 2005 18:28:08 -0400 (EDT)
On Tue, 31 May 2005, Marcus J. Ranum wrote:
Paul D. Robertson wrote: AV isn't going to be effective against most custom Trojan Horses. We've always known that this was the end-game of malware. And I know you've been part of the choir on this particular psalm for a very long time. :)
Absolutely! I'm just singing a quick chorus of "now is the hour of our discontent!" I always used to say "If I wrote a Trojan..." or "If an attacker modified or wrote a Trojan..." Now we get to say "Like that guy who wrote that Trojan..." I'm facing the fact that we're stuck with a bunch of reactive management weasels. Fine, here's something they can react to! Then they can pat themselves on the back for reacting to it "before it happened to us!"
99% of the firewalls out there are already _way_ too permissive; they allow arbitrary traffic outbound on many services, because their administrators somehow think that merely controlling port flows is "security." I was swapping Email with a guy last week who was puzzling over "how do you do SMB securely through a firewall?" and he seemed to think I was a nutbar for replying "You can't. Period." As if simply *wishing* it were securable were enough! The
But we have a firewall, and I'm letting it through- so it's secure now isn't it?
If custom trojans become a mass-media security meme, then look for a handful of venture-funded startups in the next year, offering bogus products designed to detect and trap these custom malware agents. Of course they won't work but they'll make a lot of fools sleep better and they'll make a lot of canny businessmen rich(er).
I *still* contend that removing the execute bit from attachments saved on MS desktops would give everyone lots more time to deal with credible and actual threats, rather than the noise that's become a threat simply because of the volume. But I suppose if you spend years forcing your loader to load and execute any manner of garbage as happily as it can, you'd probably be resistant to that too...

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards