Intego Launches IM Encryption Software to Protect your Priva...

Discussion in 'News Discussion' started by MacBytes, Jun 17, 2004.

  1. space2go macrumors regular

    Feb 5, 2004
    Hmm, before I looked at their site I just wanted to write "I wouldn't use that while they don't say how the encryption works." *sigh*

    Now it is:
    I wouldn't use that while they openly lie on their site.

  2. PlaceofDis macrumors Core

    Jan 6, 2004
    I wouldn't use it just because it is Intego. Aren't they the ones who came up with the concept Trojan and then turned around and said that it was a Trojan and not a concept? I just think that this company is a little bit shady, that's all.
  3. bousozoku Moderator emeritus

    Jun 25, 2002
    Gone but not forgotten.
    Their software is also quite good--especially NetBarrier. While their marketing department is suspect (I've had a run-in with them), the developers are first rate.
  4. PlaceofDis macrumors Core

    Jan 6, 2004
    Thanks for the info, bousozoku. I had not heard anything about their software quality; it's nice to know that it might be good, even if their marketing and other employees might s*ck.
  5. space2go macrumors regular

    Feb 5, 2004
    How so?
    From their product description it looks like they put everything into it that makes personal firewalls on Windows the security risk they are.
  6. bousozoku Moderator emeritus

    Jun 25, 2002
    Gone but not forgotten.
    Whatever that might be. I can't provide any reasonable reply to such a vacuous statement.
  7. space2go macrumors regular

    Feb 5, 2004
    OK let me tell you a bit about personal firewalls.

    Having finished, I noticed I had written more than just a bit; you might want to skip to the section titled conclusion (in all-caps) before deciding to read any individual sections. ;)

    What they claim to achieve:

    -Control Outgoing connections:
    All they do is replace the system library for networking with their own version which then enforces the pf rules.
    This library is a nice, comfortable way to do network I/O, which is why most programmers choose to use it. But they don't have to. They could just as well interface directly with the relevant kernel functions or bring their own library. That means malware actually has the choice whether it likes to ask the pf nicely for permission or whether it simply goes ahead with whatever it wants to do.
    A pf of course could actually modify your kernel to disallow that. A third-party closed-source software changing your kernel! I fear some people could actually accept that, so let's assume that's actually the case and there's no way around the pf if something needs networking.
    Even then the pf can't prevent spyware from merrily transmitting everything it finds. That is, if you allow any outgoing connections at all. That is because neither you nor the pf actually have the information needed to decide whether some connection request should be granted or not. All you get is "program X wants to connect to host Y at port Z".
    X: tells you exactly nothing, as everyone can name their program what they like. The same of course goes for any other information extracted from the program (vendor, version, ...).
    Y: tells you nothing as well, as it's just another label. By the same account IPs don't come evil-flavoured either.
    Z: it remains to be seen whether the average user even knows what a port is, and it tells you nothing about the true (not the supposed) type of connection anyway.
    And even if X actually is X you still don't know whether it's asking for the connection for itself or whether some other program prompted it to do so. (AppleScript is great, ain't it?)
    All that is left is your guesswork whether a program named X could have a legitimate need for the internet and your knowledge whether you started it or told it to do something. And that is where human nature strikes twofold:
    - When the pf asks you to decide on a connection, chances are you are doing something completely different, don't want to be disturbed and just "want it to go away!", and thus more or less randomly pick one option.
    - Ask a human a dozen times the same question, like "May $YOUR_DEFAULT_BROWSER connect to ...?", and he'll want an option to never hear that question again, in that case most likely authorizing the browser to connect to the internet whenever it pleases. As every browser can at least be prompted to get a given URL, spyware can now send whatever it wishes back home and most likely get new instructions and additional code too.
    Thus the "blocks outgoing" functionality does not work even in a theoretical pf that is stronger than any current real one and completely flawless in realisation. Bring it down to real-world strength and average error counts and all that is left are some decorating tatters.
    Not a single pf ever passed leak-tests without some fails.
    So why the popups talking about outgoing connections getting intercepted?
    Firstly, some programs could trigger the pf on purpose to make the user feel safe and protected while the true connection is already over. Naturally this would be known spyware where users would get curious if they didn't get a warning from their pf (e.g. anti-cheat tools for online games).
    Secondly, some spyware programs still simply hope there is no pf and are not prepared to deal with one. But a pf does not even protect you from them. No matter how bad the programming skills of the author are, he was good enough at social engineering that you installed it in the first place. Might as well convince people that it has a good online updater, for example.

    To sum it up a pf can't protect you against spyware (or any other form of trojan that needs the 'net) and with a pf installed you thus still have to be as cautious as without it. Essentially you have gained nothing but work.

    But that's the most-marketed feature of pfs!

    -Protection against and giving notice of "hacker attacks":
    At least 99% of all alarms you'll get from your pf are hysterical bull****. There are a lot of innocent reasons for incoming unrequested traffic and they cover almost all of it. It stands to reason that among all that yelling from a pf any true attacks will simply get ignored. All those notifications to the user actually serve only one purpose: to make the user think he needs the pf as he's under attack all the time.
    This nuisance actually compounds the aforementioned issue that the user at some point will stop reading the pf's notices and simply press any button.
    To lower the nuisance level, automatic responses get activated at some point or other, with the most common one being "attack detected -> blacklist attacker".
    And that's something that actually enables attacks that were not possible without a pf. For instance this enables very cheap (for the attacker) DDOS attacks on servers. They work by doing short attacks against random targets with the source IP faked to the one of the real target T. Those computers hit that run a pf with that rule on (or by some default) will now blacklist T, which means no more traffic from that site. (Of course even without that automated reaction a lot of people might react the same way when asked by the pf.) If T is a shop it'll have far fewer customers, and if T actually distributes software patches some people may enjoy old problems for a long time.
    Additionally their handling of incoming connections is far less secure than that of most kernel-space software firewalls, as local programs can tamper with them far more easily. Some can still simply be switched off by any program and most don't have any protection for their rule-sets, which means any program can add rules at its own liking. And none seem to have any protection against scripting of their popup windows.

    -Internet filtering and privacy stuff:
    Nice stuff to have (under your own control) and if it was implemented the right way ("The firewall core should treat those other parts as hostile and check everything it gets. All parts should run with the least rights required to perform the task at hand." seems a good start) it might increase the risk of a fatal error only by a little bit that could be justified by the gain. As it stands now those things have nothing to do in a firewall.

    -Traffic Monitoring:
    Yeah, nice graphics and lists. And they are supposed to tell the user what? "I'm working, I'm useful, look I can produce evidence for it." Again actually a nice feature now and then, but something that really does not have to be part of a firewall. Netstat is a tool that shows the same info (I think something like it comes with Windows as well, so no need there either) and some GUI code would make a nice little standalone program (which I think already exists) that serves the same purpose without the ability to interfere in security matters, as it needs no special rights to do its work.


    So let's just compare a pf to an OS with the supplied kernel-space firewall switched on and unneeded services switched off.

    Both can reject incoming traffic you did not request.
    Both can't prevent spyware from phoning home if you allow any internet access.
    Both allow you to monitor your internet traffic.

    advantage of a pf:
    Some utility features you can get as standalone programs as well

    disadvantages of a pf:
    included bonus features make firewall less secure
    nuisance through uncountable useless alerts and questions
    makes the user feel more secure than he is
    might itself be malware
    can be prompted to join in a ddos

    So pfs even lose against minimal security measures. As their marketing tries to impress upon people that a pf is enough security they overall clearly represent a security risk.
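
To make the auto-blacklist problem from the post above concrete, here is an added simulation that is not from the thread or from any Intego product: a constructed set of inbound events, including bare SYNs carrying the forged source address of a legitimate patch server T, is fed to a naive "attack detected -> blacklist attacker" rule and to a rule that only counts sources that completed the TCP handshake. The event schema and the addresses (documentation ranges) are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class InboundEvent:
    """One unsolicited inbound TCP event as a host firewall might log it (hypothetical schema)."""
    src: str                  # source address as seen on the wire; trivially forged in a bare SYN
    dst_port: int
    handshake_complete: bool  # True only if the three-way handshake finished, which a blind spoofer cannot do


# Constructed sample: T (192.0.2.10) is a legitimate patch server whose address someone has written
# into a few SYNs aimed at this host; 203.0.113.7 is a real prober that completes its connections.
SAMPLE_EVENTS = [
    InboundEvent("192.0.2.10", 135, False),
    InboundEvent("192.0.2.10", 445, False),
    InboundEvent("192.0.2.10", 1433, False),
    InboundEvent("203.0.113.7", 22, True),
    InboundEvent("203.0.113.7", 23, True),
    InboundEvent("203.0.113.7", 3389, True),
    InboundEvent("198.51.100.4", 80, True),  # a single harmless connection
]


def naive_auto_blacklist(events, threshold=3):
    """The rule criticised in the post: count every packet by its claimed source address.
    Three forged SYNs are enough to get T blocked."""
    hits = Counter(e.src for e in events)
    return {src for src, n in hits.items() if n >= threshold}


def hardened_auto_blacklist(events, threshold=3, never_block=frozenset()):
    """Only events whose handshake completed are counted, so a blind spoofer cannot plant another
    host's address; never_block keeps critical hosts (e.g. update servers) off the list regardless."""
    hits = Counter(e.src for e in events if e.handshake_complete)
    return {src for src, n in hits.items() if n >= threshold and src not in never_block}


def spoofed_victims(events, blacklist):
    """Blacklisted addresses that never completed a connection: the collateral damage the post describes."""
    completed = {e.src for e in events if e.handshake_complete}
    return blacklist - completed


if __name__ == "__main__":
    naive = naive_auto_blacklist(SAMPLE_EVENTS)
    hardened = hardened_auto_blacklist(SAMPLE_EVENTS, never_block={"192.0.2.10"})
    print("naive rule blocks:   ", sorted(naive))                                   # includes the forged T
    print("spoofed collateral:  ", sorted(spoofed_victims(SAMPLE_EVENTS, naive)))   # T only
    print("hardened rule blocks:", sorted(hardened))                                # only the real prober
```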
