   Mischel Internet Security Forum
   Author  Topic: Conjectures and Refutations  (Read 692 times)
mozar
Highly Honored Mass-Poster
*******





   


Posts: 1524
Conjectures and Refutations
« on: Oct 24th, 2003, 7:34pm »

...is the title of one of Sir Karl Popper's books about how Science works, epistemologically speaking.

Conjecture: Some software FW designs include protection against malware (outbound protection).

Refutation: Almost every month a new leaktest has success against them (outbound leak).

P.S.: Since I was a newbie I couldn't buy completely the idea that if I use an AV and an AT and a trojan could escape from their detection this same trojan could not also deceive my FW.
Now, as an advanced newbie, I continue to believe in the coding skills of the crackers.
claire
Stole All the Forum Stars
********



carpe diem

   


Gender: female
Posts: 3475
Re: Conjectures and Refutations
« Reply #1 on: Oct 24th, 2003, 7:42pm »

Thanks Mozar,
 
You answered one of my questions about FW Smiley

Claire
maxqnz
Newbie
*




Walekam salaam, noho ora mai!

   
WWW  

Posts: 26
Re: Conjectures and Refutations
« Reply #2 on: Oct 24th, 2003, 10:37pm »

on Oct 24th, 2003, 7:34pm, mozar wrote:
...is the title of one of Sir Karl Popper's books about how Science works, epistemologically speaking.

Conjecture: Some software FW designs include protection against malware (outbound protection).

Refutation: Almost every month a new leaktest has success against them (outbound leak).


The above pairing is rather inaccurate use of English, unfortunately. The fact that new leaktests are designed which expose flaws in software F/Ws does not "refute" the statement that software F/Ws offer outbound protection. It would refute the statement that software firewalls offer total outbound protection, but I've never seen that claim made.
 
Also, those who create such leaktests are guilty of the same sort of hyping as the vendors who tout the efficacy of their product's outbound protection. After all, these leaktests are coded in a very particular fashion, to exploit specific weaknesses. The mere fact that such tailoring of the leaktests is necessary demonstrates that software firewalls do offer some outbound protection, and since most major F/W vendors will act very quickly to patch the hole exposed by a new leaktest, the situation is effectively the same as that of the AV and AT vendors, most of whose work is also reactive.
 
Note that I am not saying that software F/Ws offer total outbound protection (only disconnecting your PC does that), just that examples like the one above are fallacious because they rely on unsound extrapolations and make an "all-or-nothing" assumption that is unwarranted. I have seen such arguments used in support of the view that software FWs are completely useless and a total waste of time. Clearly, if a user understands and utilises the logs of a good F/W, then that user can enjoy a level of outbound protection much greater than zero.  
 
So, in summary, the pairing above would be more accurately written somewhat like this:
 
FACT: Some software FW designs include protection against malware (outbound protection). This protection is not perfect, and should not be assumed to be so.

FACT: Almost every month a new leaktest has success against them (outbound leak). These leaks are normally plugged quickly by major FW vendors.

ओ पालनहारे, तुमरे बिन हमरा कौनों नहीं
What's a pieriansipist?
8Signs
Newbie
*



I love YaBB 1G - SP1!

   
WWW  

Posts: 11
Re: Conjectures and Refutations
« Reply #3 on: Oct 24th, 2003, 11:30pm »

on Oct 24th, 2003, 10:37pm, maxqnz wrote:

The above pairing is rather inaccurate use of English, unfortunately. The fact that new leaktests are designed which expose flaws in software F/Ws does not "refute" the statement that software F/Ws offer outbound protection. It would refute the statement that software firewalls offer total outbound protection, but I've never seen that claim made.

 
It's been made.
 
When Network Associates first published the McAfee Firewall (acquired from Signal 9), they called it "An Impenetrable Barrier" around your computer ".. to secure and defend it from Internet hazards such as a hacker trying to steal your private information, a Trojan horse taking control of your PC or other insidious dangers. ...". "Impenetrable" implies total protection. They were forced to back off those words.
 
Symantec used more finesse in their words, but still gives the impression of total protection: "It automatically hides your PC from hackers, stops spyware and Trojan horse programs from connecting to the Internet, ...". A customer reads that and thinks they will be safe from trojans. A lawyer reads that and says "They didn't say it stops all Trojan horse programs, as long as they stop some, the statement is true.".
 
Quote:

Also, those who create such leaktests are guilty of the same sort of hyping as the vendors who tout the efficacy of their product's outbound protection. After all, these leaktests are coded in a very particular fashion, to exploit specific weaknesses.

 
I dunno. Maybe it comes down to the level of security you expect. Someone who demands a lot will call leaktests proof that PFs are not good enough. Someone with a life  Wink who just wants something that will probably work fine (and has in the past) will not be worried by the leaktest stream.
 
Think of going out on the ocean in a boat and someone says, "that boat's going to leak" and you say "looks fine to me". Then they take a hose and shoot water through a hole. You fix the hole and say, "there, the boat will float" and they shoot water through another hole. The optimist will say that some day the holes will all be found and the boat will surely float. The pessimist will say the boat is a sieve and I can go on finding holes until you switch to Canoenix  Grin.
 
I guess that analogy makes me a boat repairman and I don't like selling tubes of glue that customers must continually apply on their voyage just to stay afloat.
 
Quote:

The mere fact that such tailoring of the leaktests is necessary demonstrates that software firewalls do offer some outbound protection,


Yes, you're right there, especially when the app you want to control is not aggressive.
 
Quote:

and since most major F/W vendors will act very quickly to patch the hole exposed by a new leaktest, the situation is effectively the same as that of the AV and AT vendors, most of whose work is also reactive.  

 
I suppose in the practical sense, the question is are they reactive enough? A/V products are updated daily and you apply an update that doesn't require a reinstall or reboot. I don't think PFs are there yet. Correct me if I'm wrong, but I believe Leaktest updates require reinstalls, except for BlackICE, which has an update mechanism.
 
James Grant
mozar
Highly Honored Mass-Poster
*******





   


Posts: 1524
Re: Conjectures and Refutations
« Reply #4 on: Oct 24th, 2003, 11:42pm »

Hello, maxqnz

Again you talk about words and I talk about problems - and besides the fact that English is not my native language, I really prefer problems.

The issue is: I'm using a Deductive approach and you're using an Inductive one.

If I had included words like "some", "perfect", "normally", I would have been constructing "ad hoc" subterfuges, i.e., any possibility of refutation wouldn't be valid because *that* refutation was already anticipated.
On the other hand, the terms of your suggested proposition are not precise enough for any serious logical analysis.

Regards,

mozar

P.S.: maxqnz, you said that I had a "rather inaccurate use of English".
I think that what you've tried to say was that the *terms* of my sentence were not precise enough for any valid argumentation.

P.P.S.: I've said also "Since I was a newbie I couldn't buy completely the idea". Well, when I said "buy completely" the idea of a margin of success in malware protection was implicit, wasn't it?
maxqnz
Newbie
*




Walekam salaam, noho ora mai!

   
WWW  

Posts: 26
Re: Conjectures and Refutations
« Reply #5 on: Oct 24th, 2003, 11:54pm »

on Oct 24th, 2003, 11:30pm, 8Signs wrote:

 
It's been made.
 
When Network Associates first published the McAfee Firewall (acquired from Signal 9), they called it "An Impenetrable Barrier" around your computer ".. to secure and defend it from Internet hazards such as a hacker trying to steal your private information, a Trojan horse taking control of your PC or other insidious dangers. ...". "Impenetrable" implies total protection. They were forced to back off those words.
 
Symantec used more finesse in their words, but still gives the impression of total protection: "It automatically hides your PC from hackers, stops spyware and Trojan horse programs from connecting to the Internet, ...". A customer reads that and thinks they will be safe from trojans. A lawyer reads that and says "They didn't say it stops all Trojan horse programs, as long as they stop some, the statement is true.".

 
Thanks. Both examples definitely do state, explicitly or implicitly, that they offer total protection, and this, of course, is nonsense. I have been informed. Cheesy
Quote:

I dunno. Maybe it comes down to the level of security you expect. Someone who demands a lot will call leaktests proof that PFs are not good enough. Someone with a life  Wink who just wants something that will probably work fine (and has in the past) will not be worried by the leaktest stream.
 
Think of going out on the ocean in a boat and someone says, "that boat's going to leak" and you say "looks fine to me". Then they take a hose and shoot water through a hole. You fix the hole and say, "there, the boat will float" and they shoot water through another hole. The optimist will say that some day the holes will all be found and the boat will surely float. The pessimist will say the boat is a sieve and I can go on finding holes until you switch to Canoenix  Grin.
 
I guess that analogy makes me a boat repairman and I don't like selling tubes of glue that customers must continually apply on their voyage just to stay afloat.

 
Ah, but that's the all-or-nothing type of analogy. A boat with a hole, any hole, will take on water and eventually become unsafe, most likely very quickly. A better analogy for your purposes would be a suit of armour. One could walk around in a suit of armour, taking and successfully deflecting many hits, without knowing that there was a hole in the suit. Once you know about the hole, you fix it, or buy a new suit with fewer holes. I say fewer because there ain't no such thing as a suit with no holes, or else you couldn't put it on.
 
Quote:

I suppose in the practical sense, the question is are they reactive enough? A/V products are updated daily and you apply an update that doesn't require a reinstall or reboot. I don't think PFs are there yet. Correct me if I'm wrong, but I believe Leaktest updates require reinstalls, except for BlackICE, which has an update mechanism.
 
James Grant

 
Sygate Pro has an update mechanism, also.
 
 
I stress again, though, that the point of my post was the need for careful choice of language. I have read lengthy treatises that explained in minute, and specious, detail, how the existence of and success of leaktests proved that software FWs are a waste of time. That's like saying that a kevlar vest for a cop is a waste of time because he can still get shot in the head. Both sides of the debate tend to resort to oversimplification and hype to make their point. Here's how I see it:
 
1. Perfect, complete security for a computer does not exist while connected to any other computer at all. Therefore, security is all about risk reduction and management, not risk elimination.
 
2. Software firewalls can play an important part in reducing exposure to the risks inherent in being connected.
 
3. Users must inform themselves of the risks, solutions on offer that address those risks, and their own unique risk status. This status includes things like the amount of time online (exposure to risk), and the user's ability to afford protection. (If you're offering to shout me a router, that would be very nice) They are then in a position to make an educated decision about a risk management strategy that suits them.
 
4. Sloppy, or worse, intentionally misleading, use of language, whether by security product vendors, or others, serves only to muddy the waters, making more difficult the process of user education that is the key to a successful programme of risk management.
« Last Edit: Oct 25th, 2003, 12:12am by maxqnz »

ओ पालनहारे, तुमरे बिन हमरा कौनों नहीं
What's a pieriansipist?
maxqnz
Newbie
*




Walekam salaam, noho ora mai!

   
WWW  

Posts: 26
Re: Conjectures and Refutations
« Reply #6 on: Oct 25th, 2003, 12:07am »

on Oct 24th, 2003, 11:42pm, mozar wrote:
Hello, maxqnz

Again you talk about words and I talk about problems - and besides the fact that English is not my native language, I really prefer problems.


The whole point of my post was that less-than-careful use of words when discussing problems can both cloud understanding of the problems, and impede resolution thereof.

Quote:

On the other hand, the terms of your suggested proposition are not precise enough for any serious logical analysis.
 
I made no proposition, I simply restated your "conjecture" and "refutation" as two facts, which they both are.
 
 
Quote:
 
P.S.: maxqnz, you said that I had a "rather inaccurate use of English".


In that specific instance, yes. Conjecture is defined as:
inference from defective or presumptive evidence b : a conclusion deduced by surmise or guesswork c : a proposition (as in mathematics) before it has been proved or disproved

and the statement
"Some software FW designs include protection against malware (outbound protection)." is not conjecture, it is a fact.
It does not address the efficacy of that protection, it simply states that such protection exists.
 
Likewise, the fact that leaktests expose shortcomings in the software's design does not "refute" the above statement of fact.
 
 
Here's a parallel example, using the wording you chose:
 
Conjecture: Tanks have armour-plating.
 
Refutation: Some shells can pierce a tank's armour-plating.
 
 
The first sentence is not a conjecture, it is a statement of fact. So is the second. Both are facts.
 
 
 
 
 
   
   
« Last Edit: Oct 25th, 2003, 12:13am by maxqnz »

ओ पालनहारे, तुमरे बिन हमरा कौनों नहीं
What's a pieriansipist?
Ian
Stole All the Forum Stars
********



Good things come to those who wait ...

   


Posts: 2907
Re: Conjectures and Refutations
« Reply #7 on: Oct 25th, 2003, 2:29pm »

Quote:
Correct me if I'm wrong, but I believe Leaktest updates require reinstalls, except for BlackICE, which has an update mechanism.

Not quite a correction Grin, but Sygate applies new updates without restarting - at least in terms of signatures. At least, that's what happened yesterday on our test XP laptop. However, all will require at least restarting if there's a major update (for most it's a reboot).
 
I've noticed far fewer resets using XP than my home Win98 PC.
 
On the whole (steady now; no 'Preparation-H' jokes thank you), I use leaktests and portscans to give a general indication of which system I don't want to be running, rather than a cast-iron case for one particular product. However, once tarnished... I still stay clear of BlackIce because of how it performed 3-4 years ago.

... but crap arrives pretty much straight away.
Jamming
Stole All the Forum Stars
********




Remember when a Trojan was just for protection.

   


Gender: male
Posts: 2038
Re: Conjectures and Refutations
« Reply #8 on: Oct 25th, 2003, 2:34pm »

As to the BlackIce issue, the reason their performance bothered me was instead of trying to fix it they spent their time at first trying to refute it. I have no problem with someone being out-thought, but when they refuse to accept it and delay a fix, that is what I hold against them.

Team Z Member

Servare cives, major est virtus patriae patri.
- Lucius Annaeus Seneca
I was born an American; I live an American; I shall die an American!
- Daniel Webster
Ian
Stole All the Forum Stars
********



Good things come to those who wait ...

   


Posts: 2907
Re: Conjectures and Refutations
« Reply #9 on: Oct 25th, 2003, 3:01pm »

Absolutely - an issue that affects more than a few companies out there.

... but crap arrives pretty much straight away.