Author Topic: White listing or black listing?  (Read 14899 times)
LeoniAquila
Still non-retired moderator but on vacation for a while
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 6632



« Reply #30 on: April 10, 2008, 12:22:33 PM »

I respect your opinion solcroft, but I don't really agree with you.

As I wrote earlier:

Symantec (one-sided, I know, but still...) said that three years ago, about 50,000 new malware was created in half a year. The last half year of 2007 - 500,000 new malware!

Maybe AV vendors can catch up with that, I don't know, but I feel more safe with white listing / HIPS (which of course doesn't have to exclude traditional black listing).

I'm very far from being a security expert, but thinking of all new malware that's being created, I'll prefer to step into the future with extremely restrictive policies on my system. In other words, "allow no activity except for safe activity", instead of "allow all activity except for malicious activity".

For non-skilled users, Comodo makes efforts to minimize the number of HIPS popups. Besides, ThreatCast will be used to help them even more. Today already, the white list is quite large, so there aren't that many popups to answer. When there is malicious behavior, the popups are red colored and informative.

I do agree on the XP part (Smiley), today there is no other OS I want more. But that's actually rather a question of which programs I can get. If there was a CFP 3 available for Linux I would probably switch.

Everyone, if we are going to discuss white/black listing, we are supposed to do it in the HIPS section! We are here already...

LA
« Last Edit: April 10, 2008, 05:22:23 PM by LeoniAquila » Logged

Moderator LeoniAquila:
Aims to keep the forum a friendly place. Any concerns? Please send me a PM and/or review the Forum Policy.
solcroft
Comodo Loves me
****
Offline Offline

Posts: 146


« Reply #31 on: April 10, 2008, 01:07:57 PM »

I'm very far from being a security expert
Hey, so am I.

but thinking of all new malware that's being created, I'll prefer to step into the future with extremely restrictive policies on my system. In other words, "allow no activity except for safe activity", instead of "allow all activity except for malicious activity".
Therein lies the problem.

If you know an activity is safe, why do you have to go through the unnecessary trouble of telling Comodo's product that this activity is safe before you're allowed to do it?

If you don't know whether an activity is safe or not, then just don't perform it! Don't run programs that you don't trust. I don't see why you need a Comodo product to help you with that. In the end, you'll have successfully enforced the policy you had in mind perfectly well all by yourself, without having to tolerate all that noise from Comodo's product.

I do agree on the XP part (Smiley), today there is no other OS I want more. But that's actually rather a question of which programs I can get. If there was a CFP 3 available for Linux I would probably switch.
Given Linux's traditional policy of enforcing limited access rights by default, a program like CPF is likely to only introduce extra noise without providing additional security. In fact, Windows can be also configured to only present the user with a limited rights environment - a more no-brainer and quieter anti-malware solution by far.
Logged
LeoniAquila

« Reply #32 on: April 10, 2008, 04:46:05 PM »

Hey, so am I.

But like me you are interested in this, which gives us an interesting discussion. You make me think twice why I do what I do, and think the way I do. Wink

If you know an activity is safe, why do you have to go through the unnecessary trouble of telling Comodo's product that this activity is safe before you're allowed to do it?

If you don't know whether an activity is safe or not, then just don't perform it! Don't run programs that you don't trust. I don't see why you need a Comodo product to help you with that. In the end, you'll have successfully enforced the policy you had in mind perfectly well all by yourself, without having to tolerate all that noise from Comodo's product.

When my system is newly installed, of course I know it's all safe. I don't need Comodo telling me that. I also don't need Comodo warning me for newly downloaded applications (in case I want to update 7-Zip, CCleaner or whatever). But what I do need is Comodo warning me for new, unknown stuff:

For example, I use Firefox with NoScript to avoid getting malware from the internet (by just visiting a site running malicious scripts). However, any of those sites I mark as safe, may get hijacked. It has happened already, although not in the moment when I've visited those sites. That creates a possibility for malware to sneak out of Firefox and into my system, despite the power of NoScript. This is where CFP comes in; it will warn me whenever Firefox will perform such an action. It'll work like a second layer for malware coming from internet activities.

Given Linux's traditional policy of enforcing limited access rights by default, a program like CPF is likely to only introduce extra noise without providing additional security. In fact, Windows can be also configured to only present the user with a limited rights environment - a more no-brainer and quieter anti-malware solution by far.

You are right about Linux. I should clarify that I did not at all mean that I wish to have CFP's HIPS in Linux, all I want is a decent firewall with outbound protection. Maybe such a firewall exists, I didn't look much for it, but I was never satisfied with the built in inbound protection (I'm referring to Ubuntu now) - similar to XP's firewall. Why do I want outbound protection so badly? Because there are so many small unknown applications available in Linux, so I want to see if any of those compromises with my privacy.

I guess I'm too lazy to find a Linux distro that is non-bloated, small, has a beautiful GUI (I love Mac OS X too, just like you do) and is easy to set up. Ubuntu was very easy to start with, but way too bloated. Now I'm using nLite to get Windows XP exactly how I want it, instead.

LA
« Last Edit: April 10, 2008, 04:49:54 PM by LeoniAquila » Logged

salmonela
Computer Security Testing Group
Comodo's Hero
*****
Offline Offline

Posts: 496


COMODO Volunteer DEModerator


« Reply #33 on: April 10, 2008, 07:57:22 PM »

I think Comodo crew should develop more its heuristic module, today we have in CFP just one more level of info. I would rather see less of it when execute an *.exe and be sure it is malicious than (many FP) and just have it as an information.
NOD32 is level to be reached 70% with very few FP, I am amazed with that percentage, how is that possible?
Logged

XP Pro SP3, Pentium4-3Ghz, 4×512Mb DDR, Ralink RT61 WLAN PCI adapter, ZyXEL P-660HW-D3 WLAN Router DSL modem
Bad English, I know...
Thanks
PLEASE DO NOT REPLY DUMB QUESTIONS/ANSWERS
God
Newbie
*
Offline Offline

Posts: 1


« Reply #34 on: April 11, 2008, 11:08:22 AM »

I respect your opinion solcroft, but I don't really agree with you.
Well I not only don't agree with solcroft, but I also don't respect his opinion!
 Angry
"The thing about Comodo is that they seem to have a clown for a CEO and a culture of isolationist self-worship at their forums. I have nothing against them otherwise, since they develop and give away products for free, and that's no sin. I hate to generalize, since I'm sure there are exceptions, but from what I can see, their fanbase seems to be built purely on inexperienced newbies who allow themselves to be deluded by leaktest results and the opinion that they actually know how to use Comodo's products to any effective degree, led on by their prancing chieftain that is Melih."
solcroft, Wilders Security Forums, April 1st, 2008

www.wilderssecurity.com/showthread.php?p=1213919&highlight=comodo#post1213919
Logged
JamesFrance
Comodo's Hero
*****
Offline Offline

Posts: 680



« Reply #35 on: April 11, 2008, 01:02:52 PM »

I agree with God here, as I too have been offended by the words of solcroft on Wilders.

Typical of the arrogance of the academic, I thought. A very narrow expertise and totally lacking in common sense. It is so easy to posture on forums anonymously and attack others who have far greater achievements in life. Wilders seems to be full of a clique whose posts are allowed however offensive they may be and any other opinions are suppressed.

Most forums would discourage the sort of personal and offensive comments solcroft made in that thread, but not Wilders.

I am always amused by the use of the term 'fanboys' which I often read over there to describe those of us who enjoy this forum.

They clearly do not recognise freedom of speech when they see it.
Logged

James
panic
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 7683


... and I say to myself, "What a wonderful world"


« Reply #36 on: April 11, 2008, 05:47:44 PM »

Hey all,

They run their forums the way they see fit, we run ours the way we see fit.

They have their standard of vinyl pocket protector, we have free speech.

The topic is "Blacklisting V Whitelisting"

Please keep to the topic.

If you want to complain about Wilders or a forum member at Wilders, do it at Wilders. Good luck.
Logged

As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the  Comodo Forum Policy.
If you don't like it, don't use the forum.
Floyd
Comodo Member
**
Offline Offline

Posts: 33


« Reply #37 on: April 11, 2008, 06:22:28 PM »

The topic is "Blacklisting V Whitelisting"
Please keep to the topic.
I agree 100%!
Besides, seems impossible to top God's post.
Even Melih tried but gave up.
 Laugh
Logged
panic


« Reply #38 on: April 11, 2008, 07:02:06 PM »

Yes, it's almost impossible to beat the one post hit and runners that have been flooding the forums lately. I'd email them, only a lot of them are using auto expiring freemail accounts.
« Last Edit: April 11, 2008, 07:05:41 PM by panic » Logged

LeoniAquila

« Reply #39 on: April 12, 2008, 10:10:45 AM »

Well I not only don't agree with solcroft, but I also don't respect his opinion!

I've seen that post before, and of course it isn't a nice one. However, in this thread I only meant that I respect solcroft's opinion here (he/she hasn't insulted anyone yet, I think).

LA
« Last Edit: April 12, 2008, 10:13:01 AM by LeoniAquila » Logged

gaby
Guest
« Reply #40 on: April 12, 2008, 01:27:33 PM »

Whitelisting is a philosophy/approach – correctly mentioned by Ewen also in another recent topic – and not a list, not a DB or whatever. This is one of the main reasons that brought me years ago to use Comodo FW, in the first place.

I'm not sure what this topic is about – if it's about AV's, there's no other faster approach than blacklisting, at least for WinOS, that has proven so far not ready for real multitasking.

If we're talking FW's, it's becoming more and more difficult for me with every new release to tell what are the default whitelisted actions in CFP. The reasons behind this approach -improving usability for new users - are obvious, but are not so cozy for the average user, who would like to know if some Adobe (Qt, Acrobat..) or some recently installed mediaplayer, connects to some server without asking permission.
Evolution (or involution – take your pick) of windows will make maintenance of any database a nightmare - just thinking to the forthcoming subscription-based win7 (I have enough subscriptions in my life as it is, thanks, but no, thanks).
Here's some interesting reading: http://arstechnica.com/news.ars/post/20080411-vistas-uac-security-prompt-was-designed-to-annoy-you.html
However, the TCast approach to recommend – but not enforce – an action, I find beneficial for everybody.

I should clarify that I did not at all mean that I wish to have CFP's HIPS in Linux, all I want is a decent firewall with outbound protection. Maybe such a firewall exists, I didn't look much for it, but I was never satisfied with the built in inbound protection (I'm referring to Ubuntu now) - similar to XP's firewall. Why do I want outbound protection so badly? Because there are so many small unknown applications available in Linux, so I want to see if any of those compromises with my privacy.
LA, HIPS in Linux, cmon. Linux devs are not going to trace you down, because they give the software for free, and anybody can take a look at the code. You can safely control your outbound on a port's basis. If you don't like to look into iptables, take a look at Guarddog. ATM I'm on Mandriva, but I'd recommend you to start with PCLOS.
User controlled whitelisting is the only way, IMHO. Regards, Gabi
« Last Edit: April 12, 2008, 01:37:53 PM by gaby » Logged
LeoniAquila

« Reply #41 on: April 16, 2008, 05:29:09 PM »

LA, HIPS in Linux, cmon. Linux devs are not going to trace you down, because they give the software for free, and anybody can take a look at the code. You can safely control your outbound on a port's basis. If you don't like to look into iptables, take a look at Guarddog. ATM I'm on Mandriva, but I'd recommend you to start with PCLOS.
User controlled whitelisting is the only way, IMHO. Regards, Gabi

I get your point, but still I wouldn't be completely comfortable with Linux - at least not until I've learned it. Of course that's a common thing for every OS, but now I've not only learned how Windows works - I've also privacy concerns that I didn't have two years ago. So staying on XP with CFP makes me really comfortable since I trust the system and my personal ability to maintain it. Smiley

LA
Logged

LeoniAquila

« Reply #42 on: April 16, 2008, 05:30:48 PM »

Mod Star

For everyone's info, this thread made an off topic turn so I split the topic. You can see the discussion here.

LA
Logged

axl
Comodo's Hero
*****
Offline Offline

Posts: 427


Keep your friends close, and your enemies closer..


« Reply #43 on: April 16, 2008, 10:51:17 PM »

And how does that explain Windows?  Laugh

In reality, the evolution and marketing of technology are inextricably entwined, rather than a quest for the best possible solution.

IBM's MicroChannel architecture was/is a technical masterpiece.
The power of mainframes lies primarily in its I/O capacity; with that in mind, Microchannel's superiority shouldn't be that surprising?
Maybe why all financial transactions, airline reservations etc still have to go through mainframes.
But then again you knew that.  Wink
Quote
OS/2 Warp was amazing.
Only OS I can remember that could run apps with higher requirements than available.
I remember having 4mb physical and being able to run Wing Commander, a game requiring 8mb...
Even Vista can't approach the functionality of the decade old Workplace Shell.
Quote
Ditto the Amiga hardware / Operating System combination.
I hoped BeOS would have taken over that niche..
Quote
The Pick database system.
The C/TOS operating system and hardware.
And just when you thought you knew everything...

Quote
Where are they now? Snuggled up comfortably as a footnote in the annals of computing history.

Market acceptance does not always equate to technical superiority. The reverse is equally true (just ask the *nix guys).
Marketing, being in the right place at the right time...
Heck, there are just too many reasons why one can fail in the software market...

Add boredom to that list.
 Grin
Logged
panic


« Reply #44 on: April 16, 2008, 11:19:53 PM »

The power of mainframes lies primarily in its I/O capacity; with that in mind, Microchannel's superiority shouldn't be that surprising?

Sorry to pull you up axl but IBM's MCA (MicroChannel Architecture) was a desktop hardware platform, not mainframe.

MicroChannel Architecture was introduced as a desktop hardware replacement for IBM's original AT architecture, somewhere around 1988. It was done when IBM realised just how much of the market was jumping on the clone bandwagon and not sticking with those three revered initials - I, B and M.

It had a totally redesigned interface bus, memory controller architecture and CPU bridge. Way ahead of its time, incredibly fast and efficient but no-one bought it. It required MCA interface cards, as opposed to standard XT/AT interface cards, and IBM controlled the licensing absolutely and charged an arm and a leg for it. Consequently, peripherals and add-ons for MCA PCs were ludicrously expensive.

Technically beautiful, but practically useless.

Quote
And just when you thought you knew everything...

No-one knows everything, despite what my wife tells me. Wink


Cheers,

Ewen :-)

Logged
