Microsoft's OneCare Firewall Draws Fire
Posted by malebolgia on 02 February 2006 - 00:01 · 54 comments & 7312 views
(1 reply)
#1 Posted by Matt500 on 02 Feb 2006 - 00:07
- Microsoft will be bringing out new software to protect their mistakes in their security suite, which was brought out to protect their mistakes in their operating system. OK, that's not true, but I bet people would buy it if they did.
I guess it's still in beta so they are testing things
-
#1.1 Posted by lylesback2 on 02 Feb 2006 - 00:11
- you can't fix what you don't see.
-
(4 replies)
#2 Posted by Buttus on 02 Feb 2006 - 00:19
- isn't that what people were complaining about before they added the firewall? that all ports were by default open? so Microsoft adds a firewall, but leaves things open?
huh?!?!
-
#2.1 Posted by sphbecker on 02 Feb 2006 - 05:54
- Please reread, ports are not left open. This is talking about a two-way firewall allowing software on your computer to access the internet.
-
#2.2 Posted by toadeater on 02 Feb 2006 - 18:03
- I think MS included that as a feature, it's not a bug. It's so that MS-approved software can continue to phone home without your approval. Funny, I just finished saying in another thread how I would never trust an MS security product for this very reason. Either because MS is malicious, or simply incompetent. Whatever it is, the record speaks for itself.
-
#2.3 Posted by sphbecker on 02 Feb 2006 - 18:28
- What a funny little post. Anyway, yes, it is a feature, and not even a hidden one. The product works as documented and it only takes four clicks to change that option so that everything is blocked.
-
#2.4 Posted by toadeater on 03 Feb 2006 - 23:34
- There's nothing funny about it. It is extremely suspicious that Microsoft's firewall BY DEFAULT allows MS-approved apps to pass through without the user's knowledge. Why not even a warning like:
"Windows Media Player is trying to phone home to Borg HQ, do you want to allow this?"
-
(1 reply)
#3 Posted by wutang01 on 02 Feb 2006 - 00:23
- There will never be a software which is flawless IMHO ...
-
(1 reply)
#4 Posted by marlow714 on 02 Feb 2006 - 00:26
- Ummm....Anyone home? It's a beta! This dude has no place installing it on some machine for fun. Read the definition of BETA friends. Anything to take a stab at MS.
-
#4.1 Posted by Jugalator on 02 Feb 2006 - 08:17
- However, this isn't about a lack of a feature, or even a bugged feature, it's about a special circumvention MS has specifically added.
I'm not sure the beta defense works too well in this case, but hopefully it *was* just a poorly thought out "feature" of this firewall, because digital sigs carry few guarantees the encrypted software won't be malicious.
-
#5 Posted by sullysnet on 02 Feb 2006 - 00:32
- Eff their stupid security app addons, I vote for a new windows competitor
-
#6 Posted by DomFel on 02 Feb 2006 - 00:34
- Funny, I just noticed it the other day, and today the news! What the hell...
-
(1 reply)
#7 Posted by Jeremy1 on 02 Feb 2006 - 00:47
- This isn't a hole, this is just a bad default setting.
-
#8 Posted by Windam on 02 Feb 2006 - 00:47
- we live in an age of extreme prejudice
-
#9 Posted by macstorm on 02 Feb 2006 - 00:57
- Not surprised, it is beta..
-
#10 Posted by serlex on 02 Feb 2006 - 01:28
- every firewall has a hole
-
#11 Posted by Netrack on 02 Feb 2006 - 01:30
- did anyone else notice that he works for a part of McAfee... why wouldn't he be using their software?
-
(2 replies)
#12 Posted by Geo on 02 Feb 2006 - 03:34
- The fact this is beta has nothing to do with it, nor is it a hole. It's just a downfall of making it easier for the user, nb. catch 22. Although I do hope something better can be worked out.
-
#12.1 Posted by sphbecker on 02 Feb 2006 - 15:16
- I agree, but simply asking for the app to be signed might be a little too open. I would think a white-list that is automatically updated would be a better idea, but then there is the issue of what it takes to get on Microsoft's white list and I'm sure someone would cry foul play.
I do strongly agree that prompting the average user any time anything tries to use the internet is a bad idea. Just think of how many support issues will come up because a user clicks deny thinking he is helping security and then can't figure out why his app doesn't work.
-
#12.2 Posted by Ideas Man on 02 Feb 2006 - 17:15
- Exactly, Windows OneCare includes a MANAGED firewall, i.e. Microsoft maintains a list of good programs and updates the firewall to automatically allow them when it downloads updates for OneCare. This isn't just put out there with a default set (that is a bad idea); having them automatically updated with definitions that help you manage the firewall by providing a list of good and bad apps IS a good idea, because the average user, who usually doesn't know any better, would allow everything. This way, most of the hard work is done for them.
I say, continue on Microsoft. I quite like this feature, it makes securing your system easier to the average home user, who it is targeted at.
-
(4 replies)
#13 Posted by DrunkenMaster on 02 Feb 2006 - 03:38
- Hmm ... If this Mark Curphey is so concerned about security, why is he telling everyone where he works? Why not just tell everyone your educational credentials?
I'm not suggesting that his advice is bad. But I have to wonder if he's not letting the cat out of the bag because Foundstone or McAfee asked him to.
-
#13.1 Posted by DarkSim905 on 02 Feb 2006 - 04:54
- Maybe you're forgetting a few key steps in any type of interview?
IMO, as someone else said, people are just showing a wide bias against software that is easy to use and tries to be easy to use. People are always gunning at Microsoft for childish reasons, or nitpicking at them.
Lay off them and let them do what they do best -- maintaining and creating their operating system package.
-
#13.2 Posted by DrunkenMaster on 02 Feb 2006 - 05:04
- If I read your reply correctly, you are saying that I am 'gunning' at Microsoft. I'm not.
I've said that there are perhaps ulterior motives to this press release, such as McAfee positioning their software as being better than the MS one. If anything I'm defending MS.
-
#13.3 Posted by Jugalator on 02 Feb 2006 - 08:15
- "I've said that there are perhaps ulterior motives to this press release, such as McAfee positioning their software as being better than the MS one."
Well, they sure have some good points here if that's so...
-
#13.4 Posted by DJROrion on 02 Feb 2006 - 13:28
- I have used McAfee software before. They are going to need much more than that to make themselves look better. Not to mention tearing up a piece of beta software to make your release version look better is laughable at best. I will continue to NOT use McAfee after this. It's not gaining them any customers.
-
#14 Posted by matt74441 on 02 Feb 2006 - 05:14
- Comments Cleaned.
-
(6 replies)
#15 Posted by sphbecker on 02 Feb 2006 - 05:49
- I actually don't see this as a problem. Here is why.
First the OneCare firewall is a two-way firewall, meaning that not only can nothing get in your computer without its permission, but nothing can get out. For those of us who understand firewalls that isn't a big deal, but for simpler people they will not understand why their programs are not able to access the Internet.
The solution is that Microsoft has a white-list of trusted software which has Internet access by default. Keep in mind that this is only access to get out to the Internet, this isn't access to open listening ports allowing others to connect to you. The idea is that software like the AOL Instant Messenger can get to the Internet automatically (OneCare shows an alert that it allowed access), but an unknown program will not have Internet access unless you grant it.
Three things to keep in mind. One, this isn't any different from the way the Norton Internet firewall works. Two, the XP SP2 and OS X firewalls are only one-way; so EVERYTHING currently has access to the Internet and few complain about that. Three, it is really easy to turn off this feature and require your consent for everything (settings, Firewall tab, change level to Prompt).
-
#15.1 Posted by Jugalator on 02 Feb 2006 - 08:13
- 1. This default whitelist is a bad idea; digital sigs don't have much to do with security. It's basically a money matter who has them, if even that. What a digital sig does is tell "this software is from company X" and make it hard to change X due to encryption. And that's it. Company X could be any company, or a fake company. If this fw lets through traffic after seeing "oh, this software is from *a* company", then it's incredibly stupid.
2. I've heard a lot of complaints about the one-way fw of SP2 when it was released. I dunno where you were then. Of course, now not too many may complain, as its limitations are quite well understood and people that want some decent security just don't use it.
3. That the defaults are right is the most important thing here, as novice users will usually not start fiddling with settings the first thing they do, and that's exactly one of the target groups with this fw.
Last edited by Jugalator on 02 Feb 2006 - 08:24
-
#15.2 Posted by asellus on 02 Feb 2006 - 10:04
- Digital signatures don't help security. But they help in tracing those who distribute malware. Getting a signed application is not easy, it is just as hard as getting an SSL certificate from Verisign. You can't simply fake credentials to get signed.
If a signed program turned out to be malware, the creators are going to be caught. I think allowing signed applications to be able to connect out to the Internet by default is still a good idea.
-
#15.3 Posted by Sub on 02 Feb 2006 - 13:22
- Digital signatures don't help security???? What fud are you 2 spillin here.
-
#15.4 Posted by sphbecker on 02 Feb 2006 - 15:09
- If you don't like it then turn it off; like I said, you can change the option with four clicks.
I really don't see this as a point of debate at all. MS cannot make the default option to prompt for everything because there would be too many support issues.
Anyway, I would ask anyone who reads the article to do more research before passing judgment; it is full of half truths.
"Any firewall, any security device should have a default deny," - that is true for incoming connections, but that rule of thumb is not true for outgoing. If it was, then OneCare should ask the user's permission before establishing a connection with any foreign IP address.
"It just invites malicious hackers and other malware goons to exploit it," - statements like this are common, but think, people, what would it take to exploit this??? It would not only take malware already running on your computer (security has already been compromised at that point) but that software would have to be signed and traceable.
"Yes, the OneCare firewall does allow any signed application and the Java Virtual Machine to pass through without alerting the user" - clearly that isn't a direct quote from MS because it isn't correct. Yes, it allows any signed application running on your computer to pass through without first asking for the user's consent, but it does alert the user.
"said Mark Curphey, vice president at vulnerability management specialist Foundstone, a part of McAfee." - that should tell you all you need to know.
-
#15.5 Posted by asellus on 02 Feb 2006 - 15:39
- "Digital signatures don't help security???? What fud are you 2 spillin here."
Yup, it doesn't help security at all. It only helps accountability. Digital signatures help you verify that a Microsoft (or any given developer) program does indeed come from Microsoft (or the given developer). Plenty of spyware is digitally signed, but that does not make it better.
-
#15.6 Posted by sphbecker on 02 Feb 2006 - 16:20
- Yes, but the accountability means that the software is unlikely to do something illegal, lest the writer be easily tracked and prosecuted.
I still say this is a moot point. The outbound side of a two-way firewall is pretty unnecessary. In fact, you see all the posts here saying that software firewalls suck and the only true security is in a hardware firewall. Well if that is true then my point is proven. Hardware firewalls do not have the capability of restricting access based on the program; they can only look at the packets (and yes, any software can use port 80 and HTTP to send/receive information, not just a web browser).
If you are paranoid about security then go ahead and do the 4 clicks to change the setting.
-
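A small model of the outbound policy described in post #15 (signed apps and the JVM pass by default; the Prompt level asks for everything; inbound stays denied) and of the objection in #15.1 and #15.5 that a signature says nothing about intent. This is an added example, not OneCare's code or any poster's; the Level, Attempt and decide names and the sample set are assumptions constructed for the demo.

```python
from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    """Outbound policy levels discussed in the thread."""
    DEFAULT = "default"  # beta default: signed apps and the JVM pass without consent
    PROMPT = "prompt"    # Settings > Firewall tab > Prompt: ask before everything


@dataclass(frozen=True)
class Attempt:
    app: str
    direction: str      # "out" (app connecting out) or "in" (app opening a listener)
    signed: bool        # carries a valid publisher signature
    uses_jvm: bool      # runs inside the Java Virtual Machine
    malicious: bool     # ground truth for the demo only; the firewall cannot see this


def decide(attempt: Attempt, level: Level) -> tuple:
    """Return (verdict, user_alerted) for one connection attempt.

    Inbound listeners are default-deny regardless of signature, as post #15 notes.
    Outbound at DEFAULT: signed or JVM apps are allowed and the user is alerted
    after the fact; anything else prompts. At PROMPT everything asks first.
    """
    if attempt.direction == "in":
        return "deny", False
    if level is Level.PROMPT:
        return "prompt", True
    if attempt.signed or attempt.uses_jvm:
        return "allow", True
    return "prompt", True


def silently_allowed_malware(attempts, level):
    """Names of malicious apps that reached the network without being asked."""
    return [a.app for a in attempts
            if a.malicious and decide(a, level)[0] == "allow"]


# Constructed sample set (not real software). The signed spyware is exactly the
# case posts #15.1 and #15.5 argue a signature cannot distinguish.
SAMPLE = [
    Attempt("aim.exe", "out", signed=True, uses_jvm=False, malicious=False),
    Attempt("applet-runner", "out", signed=False, uses_jvm=True, malicious=False),
    Attempt("homebrew-tool.exe", "out", signed=False, uses_jvm=False, malicious=False),
    Attempt("signed-spyware.exe", "out", signed=True, uses_jvm=False, malicious=True),
    Attempt("backdoor.exe", "in", signed=True, uses_jvm=False, malicious=True),
]
```

Running `silently_allowed_malware(SAMPLE, level)` for both levels shows the signed spyware slipping through only under DEFAULT, while the inbound backdoor is denied either way.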
(2 replies)
#16 Posted by Croquant on 02 Feb 2006 - 07:11
- Well, once they work the bugs out of this it'll be nice that the n00b masses will finally have an actual firewall.
No, wait, that's what Zone Alarm is for.
-
#16.2 Posted by DigeratiPrime on 02 Feb 2006 - 15:35
- that's from July 12, 2005; it's probably been fixed a long time ago
-
#17 Posted by DJ Prem on 02 Feb 2006 - 09:56
- Still in beta and things will change, people just need a chance to criticize MS
-
#18 Posted by Beastage on 02 Feb 2006 - 12:29
- Like others here, I don't see this as bad, it just helps the average user more.
Firewalls will never be 100% safe, especially not cheap software firewalls, so at least it can be user friendly
-
#19 Posted by jixu on 02 Feb 2006 - 12:51
- o, his wife does not support his software.
which firewall is running on his son/daughter's computer and what security hole will he discover next time?
-
#20 Posted by ahhell on 02 Feb 2006 - 14:25
- This makes me laugh coming from a guy that works for McCrappy.
Oh my god....the built in firewall is crappy!! Oh Noes!!111! Please buy McAfee!! It is the aw3som3!1!1
All software firewalls suck...how is this news??
-
#21 Posted by trparky on 02 Feb 2006 - 18:50
- They probably figure that most people are too stup...I mean...don't have the necessary knowledge to know the difference between something good and something bad. So, based upon that idea and the idea behind digital signatures is that trusted programs will have a digital signature, bad programs won't.
If you really stop to think about it for a moment, what do you think the "SmartDefense Advisor" does in ZoneLabs ZoneAlarm Pro? Yep, that's right, it sets up known and trusted binaries for access when it first starts up.
So wait a moment... ZoneAlarm can do this but not Microsoft? It isn't fair that Microsoft catches as much flak for something that another program is getting away with.
-
#22 Posted by miniM3 on 02 Feb 2006 - 19:16
- who cares? Really, if you don't know how to configure a firewall then stop complaining. All firewalls are pretty decent once you get to know them a little better.
-
#23 Posted by Blackice on 02 Feb 2006 - 19:23
- McAfee are just upset that Vista will have a bidirectional firewall (i.e. it'll be a much more realistic security solution), and on top of that, OneCare has a good firewall, antivirus, and Microsoft has a very good built-in antispyware in Vista.
After all those, Microsoft is a very formidable competitor in Windows security applications (and are making some apps free as part of Windows). McAfee are just going to lose customers like sand through their fingers.
Note: I said McAfee had customers. That's an assumption, I don't know anybody who uses McAfee. I know lots of IT security professionals.
-
(1 reply)
#24 Posted by Magallanes on 02 Feb 2006 - 22:21
- A firewall must balance two factors: security and burden factor.
For example Zone Alarm (think of a common user): they install it... and trouble, many apps and programs will not run, some pages don't open and Zone Alarm starts showing a lot of "worthy" messages (the first one can be instructive, but when you see a warning message for the 100th time you find it only annoying).
Opening some ports/programs by default, anticipating the choice of the user, is a wise choice.
-
#24.1 Posted by Danrarbc641 on 03 Feb 2006 - 07:28
- Exactly. How many of our grandmas would install a firewall only to find every single thing that's supposed to access the internet has stopped working? How many would be able to realize the firewall is why? How many would know they have to allow the programs access? How many would just assume the software was bad and uninstall it immediately so their computer works again?
That's what this firewall is aimed at.
The security software, available in a public beta version, by default allows applications that use the Java Virtual Machine or have a digital signature to connect to the Internet. Like any blanket security-bypass rule, these default settings are a bad idea, said Mark Curphey, vice president at vulnerability management specialist Foundstone, a part of McAfee.
"Any firewall, any security device should have a default deny," Curphey said in an interview Tuesday. "Any door should always be closed." Curphey discovered the issue when running software on his wife's computer, on which he had installed OneCare. He informed Foundstone security consultant Roger Grimes, who subsequently blogged about it on the InfoWorld Web site. Grimes also blasted the default bypass settings.