An idiot customer decided to talk to me today about computing and the dangers of the Internet. To leave out the inane discussion I had with that fool, I just want to stick to the pertinent stuff:
Does Ad-Aware cost money? Does it track the web pages you visit? Is it worse than Spybot because Spybot “doesn’t do any of that”?
Does Norton AntiVirus/Internet Security have security holes that are more vulnerable than Windows holes? Is ZoneAlarm the Great Wall of China and Norton just a fence?
Is Windows “Longhorn” going to be so full of 3D effects that M$ won’t even bother securing it?
He mentioned some kind of program that he uses that strips MAC addresses and headers off packets, which prevents any trackable surfing. Is this for real?
VPN, IPSec, and L2TP connections can be broken using “reverse-something,” and SSL is just as vulnerable when giving out credit card info on a web page.
He supposedly has a lot of articles saved that he is going to bring in and show me, so I don’t know how believable this stuff is. Does anyone know if anything he says is halfway true?
No and no. First off, ZoneAlarm and Norton AntiVirus do different things. One is a software firewall and one is AntiVirus software. Comparing ZoneAlarm and Norton Personal Firewall, on the other hand: they’re about the same.
MS has been getting better at securing things, but they’re still the big source of a lot of problems, mainly because they’re so big and are therefore the main targets for hackers. The statement “MS won’t even bother securing it” is far from correct; they spend plenty on security time, training, reviews, QA, etc.
Depends on what he’s describing. If he is saying he can visit a web site without anyone knowing what IP address he came from by only using software on his computer (i.e. he’s not using a service or other third intermediate system), he is lying. The part about stripping MAC addresses is a) irrelevant, b) silly, and c) useless from a security perspective if you know anything about how routing across the internet works.
When properly implemented (which it generally is), it is infeasible to crack IPSec, L2TP (both types of VPN) or SSL. “Infeasible” meaning “impossible for all practical purposes.”
He’s likely a nut, but he also probably has said articles, as there’s plenty of stuff designed to generate fear out there.
1:
AdAware is free and not any kind of hostile software. SpyBot does more or less the same thing, but in a different way. Between the two of them they’re good protection and a necessary aid for most people. It’s quite important to use them both though, I think, since they each have blind spots.
2:
ZA is the generally accepted gold standard of software firewalls, and deservedly so IMO. I don’t know of any specific security issues with either it or Norton - doesn’t mean they’re not there though. Any software you load may contain security holes.
3:
Longhorn is being written with the goal of security much more in mind. An awful lot of it is going in as managed code to alleviate stuff like buffer overflows, which seem to be the main problem afflicting Windows these days. It’s still early days, of course, and I’ve only spent a few hours playing with it, but it certainly looks promising.
4:
A program that did this would be useless. Without their headers the packets aren’t valid and wouldn’t reach their destination. If the software replaced the header information with false data (“spoofing”) then the destination server wouldn’t know to reply to your address, making communication impossible. He probably means something like an anonymising proxy where you route all requests through a third party and so appear to be them rather than yourself.
5:
VPN etc are as secure as the individual implementation - you can’t really make blanket pronouncements. As a rule these systems are cryptographically secure and cannot be trivially broken. SSL remains secure, though recently a very specific side-channel attack was discovered. This attack relies on the server and client negotiating their session in an unusual (non-default) way (using a 3DES cipher rather than RC4, for example), and the attacker being able to be a “man in the middle” intercepting communications from both sides, and a few other very specific things. In practice it’s not a threat.
A lot of places on the internet like to scare-monger security (usually because they’re selling something that they claim will fix the problem). It sounds like your customer is that rare and priceless blip on the marketing graph - the man who believes every pitch he reads. Unfortunately, explaining to him exactly why he’s wrong may prove difficult. If you want me to clarify any specific issues let me know and I’ll do my best.
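The point in item 4 above (a packet with its IP header stripped cannot be routed, and a packet with a forged source address gets its reply sent to the wrong host) can be shown concretely. The following is an added example, not code from any poster or product in the thread: it builds a minimal IPv4 header with a correct RFC 791 checksum, parses it the way a router or server would, and reports where the server would address its reply in three constructed cases. All addresses, the payload and the tiny "server" are assumptions made up for the demonstration. MAC addresses are not modelled at all, because they are link-layer and get rewritten at every hop anyway, which is why stripping them is irrelevant to Internet-side tracking.

```python
import socket
import struct

# Constructed sample data (not real hosts): our own address, the web server,
# an address we do not own, and a small request payload.
OUR_ADDR = "192.168.1.10"
SERVER_ADDR = "203.0.113.5"
SPOOFED_ADDR = "198.51.100.77"
PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791). Verifying a header
    that already carries its checksum yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src: str, dst: str, payload: bytes, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    ver_ihl = (4 << 4) | 5
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(hdr)
    hdr = hdr[:10] + struct.pack("!H", csum) + hdr[12:]  # checksum field is bytes 10-11
    return hdr + payload


def parse_ipv4_packet(packet: bytes) -> dict:
    """Parse a packet as a router/host would; raise ValueError for anything
    that would simply be dropped."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) < 5:
        raise ValueError("not a valid IPv4 header")
    ihl = (ver_ihl & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    total_len = struct.unpack("!H", packet[2:4])[0]
    return {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "payload": packet[ihl:total_len],
    }


def server_reply_destination(packet: bytes) -> str:
    """What the far end does with a request: read the source field and
    address the reply there. It has no other way to find the sender."""
    return parse_ipv4_packet(packet)["src"]


def scenarios() -> dict:
    """Normal, spoofed-source, and 'header stripped' packets, as the server sees them."""
    normal = build_ipv4_packet(OUR_ADDR, SERVER_ADDR, PAYLOAD)
    spoofed = build_ipv4_packet(SPOOFED_ADDR, SERVER_ADDR, PAYLOAD)
    stripped = PAYLOAD  # nothing left for a router to read
    results = {
        "normal": server_reply_destination(normal),    # reply comes back to us
        "spoofed": server_reply_destination(spoofed),  # reply goes to someone else
    }
    try:
        server_reply_destination(stripped)
        results["stripped"] = "delivered"
    except ValueError as exc:
        results["stripped"] = "dropped: " + str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print("%-9s -> %s" % (name, outcome))
```

Run as a script it prints the three outcomes: the normal packet's reply is addressed to OUR_ADDR, the spoofed packet's reply is addressed to SPOOFED_ADDR (so the sender never sees it), and the header-less bytes are dropped before any routing decision is made.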
Most tracking software has very little use for header information as such. A lot of surf tracking is done using third-party cookies (e.g. DoubleClick can track your surfing to any site that uses DoubleClick ads because their ad placement on these sites places a DoubleClick cookie that can be read at other sites). Other tracking software uses spyware within your computer tracking outgoing requests (e.g. a trojan logging program). There are some “inline” tracking programs (e.g. FBI’s Carnivore) which would rely more heavily on header info, but as others have noted above, you can’t strip enough header info to make yourself “safe” and remain functional.
The protocols and cryptographic algorithms used in these systems are sound. There are specific implementations which may be breakable, especially in the case of VPNs which is a broad category rather than a specific protocol like IPSec or SSL, but there are secure alternatives in every category. However, saying that SSL is secure is not the same as saying credit card transactions are secure. The use of SSL makes it extremely impractical for a thief to try to eavesdrop on the client-server exchange to obtain credit card info. However, once the transaction info hits the server, SSL’s job is done and security past that point relies on other systems. Almost all credit card thefts on the Internet involve cracking a back-end accounting system and stealing data en masse, which has nothing whatsoever to do with SSL. You have to understand the threat model and what part these acronyms play in securing parts of it.
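The third-party cookie mechanism described above (one ad host embedded on many sites, reading back the same cookie from each) is easy to simulate. This is an added example written for this page, not code from any poster, DoubleClick or any browser: a toy cookie jar keyed by the host that set each cookie, a toy ad server that hands out an id cookie and logs the Referer it receives, and a browsing loop over constructed page URLs. The host names and pages are invented for the demonstration. It also shows the standard countermeasure, refusing cookies from hosts other than the page you are on, under which the ad host sees a fresh visitor every time.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample browsing session: two first-party sites, one shared ad host.
AD_HOST = "ads.tracker.example"
PAGES = [
    "http://news.example/politics",
    "http://shop.example/cart",
    "http://news.example/sports",
]


class CookieJar:
    """Browser-side store: cookies are keyed by the host that set them, so a
    site can never read another site's cookies, but an ad host embedded on
    both sites reads its own cookie from both."""

    def __init__(self, block_third_party=False):
        self.cookies = {}  # host -> {name: value}
        self.block_third_party = block_third_party

    def _blocked(self, host, top_level_host):
        return self.block_third_party and host != top_level_host

    def cookies_for(self, host, top_level_host):
        """Cookies the browser attaches to a request to `host` while the
        address bar shows `top_level_host`."""
        if self._blocked(host, top_level_host):
            return {}
        return dict(self.cookies.get(host, {}))

    def store(self, host, top_level_host, set_cookie):
        """Apply a Set-Cookie from `host`, unless third-party cookies are blocked."""
        if self._blocked(host, top_level_host):
            return
        self.cookies.setdefault(host, {}).update(set_cookie)


class AdServer:
    """Third-party ad host: assigns an id cookie on first sight and logs the
    Referer (the page embedding the ad) against that id on every request."""

    def __init__(self, host):
        self.host = host
        self.next_id = 1
        self.log = defaultdict(list)  # id -> pages seen

    def serve(self, cookies_sent, referer):
        uid = cookies_sent.get("id")
        if uid is None:
            uid = "u%d" % self.next_id
            self.next_id += 1
        self.log[uid].append(referer)
        return {"id": uid}  # the Set-Cookie it answers with


def browse(jar, ads, pages):
    """Visit each page; each page sets its own session cookie and embeds an
    ad image fetched from the ad host."""
    for page in pages:
        top = urlsplit(page).hostname
        jar.store(top, top, {"session": "s-" + top})          # first-party cookie
        sent = jar.cookies_for(ads.host, top)                 # third-party request
        jar.store(ads.host, top, ads.serve(sent, page))       # browser sends Referer
    return {uid: list(seen) for uid, seen in ads.log.items()}


def tracker_profile(block_third_party=False):
    """Return the jar and the browsing history the ad host was able to assemble."""
    jar = CookieJar(block_third_party)
    ads = AdServer(AD_HOST)
    return jar, browse(jar, ads, PAGES)


if __name__ == "__main__":
    print("third-party cookies allowed:", tracker_profile()[1])
    print("third-party cookies blocked:", tracker_profile(True)[1])
```

With third-party cookies allowed the ad host ends up with one id mapped to all three pages across both sites; with them blocked it sees three unrelated first-time visitors. Note that neither first-party site ever sees the other's session cookie in either mode; the leak is entirely through the shared host.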
micco really cuts to the heart of it here. Despite a lot of the hoo-ha in the news about this protocol or that protocol having a weakness you’re far more likely to lose data through the site you transacted with being hacked than by someone intercepting your transmissions.
One other thing I remember now regarding the computer identification, but my wording might be a bit off. There is a string of numbers in the registry that allows M$ to track you or something like that. But it’s only in one place in the registry and it’s hidden very well. Any clues?
Actually, there are now several flavors of Ad-Aware, some of which cost money. The “free” version of Ad-Aware is only free for non commercial uses, and there are features in the Plus version that aren’t available in the free version. Ad-Aware is put out by Lavasoft.
Spybot-S&D is currently free for all. It is put out by PepiMK Software.
In a really exciting development, the guy behind Spybot is developing a resident version of Spybot whose goal is to prevent the installation of spyware in the first place. According to his news, it’s currently in “early alpha”, and there’s no word as to whether this will still be freeware or not, but my hopes are up!
Everything else has been pretty much covered already, but I do have one question:
I don’t understand how having “3D effects” has anything to do with security…one has nothing at all to do with the other.
However, for the truly paranoid, there is only one single, absolutely guaranteed 100% way to make sure one never, ever gets a single virus, worm, trojan, spyware, malware or the like - Look for that big black cable plugged into the back of the computer - usually at the top, near an orange switch that will say either “115” or “230”, and pull it out. Never plug it back in again.
To answer SlickRoenick’s question,
The only thing I can think of is the Product Activation key for WinXP and up. When you first install XP, it enumerates your hardware and generates a code - that code is transmitted to Microsoft during the activation process. When XP starts, it checks that code against your current hardware configuration. If there have been enough changes, you have to get XP re-activated (I had to do it by phone). However, this code is generated by the OS, and is supposedly not able to be reconstituted back to the information that created the code. There is plenty of information about Windows Product Activation out there, but I won’t post any cites here as most of the good information is intertwined with information on how to circumvent it, which is against this board’s policy.
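The scheme just described (enumerate hardware, derive a code from it, later compare the code against the current hardware, and only demand re-activation when enough components differ) can be illustrated with a tolerant hardware fingerprint. This is an added example, not Microsoft's Product Activation algorithm and not code from the thread; the component list, the per-component truncated hashes and the tolerance threshold are all assumptions chosen for the demonstration. It hashes each component separately so that a single swapped part changes only one field and the comparison can count differences.

```python
import hashlib

# Constructed sample inventory (not a real machine's).
ORIGINAL_HARDWARE = {
    "cpu": "GenuineIntel-Family6-Model8",
    "ram": "256MB",
    "disk": "WDC-WD200EB-serial-0001",
    "nic": "00:50:56:aa:bb:cc",
    "gpu": "NVIDIA-GeForce2",
    "cdrom": "LITE-ON-LTR-48125W",
}
# Illustrative threshold: more than this many changed parts triggers re-activation.
TOLERANCE = 2


def component_digest(name: str, value: str) -> str:
    """Truncated SHA-256 of one component; the code carries digests, not values."""
    return hashlib.sha256(("%s=%s" % (name, value)).encode()).hexdigest()[:8]


def hardware_code(hardware: dict) -> str:
    """The code that would be generated at activation time."""
    return "-".join("%s:%s" % (k, component_digest(k, v))
                    for k, v in sorted(hardware.items()))


def changed_components(stored_code: str, current_hardware: dict) -> list:
    """Names of components whose digest differs from the stored code
    (including components added or removed since activation)."""
    stored = dict(item.split(":", 1) for item in stored_code.split("-"))
    current = {k: component_digest(k, v) for k, v in current_hardware.items()}
    names = set(stored) | set(current)
    return sorted(n for n in names if stored.get(n) != current.get(n))


def needs_reactivation(stored_code: str, current_hardware: dict) -> bool:
    """The start-up check: tolerate small changes, flag a rebuilt machine."""
    return len(changed_components(stored_code, current_hardware)) > TOLERANCE


if __name__ == "__main__":
    code = hardware_code(ORIGINAL_HARDWARE)
    print("activation code:", code)
    new_nic = dict(ORIGINAL_HARDWARE, nic="00:50:56:dd:ee:ff")
    print("swapped NIC  ->", changed_components(code, new_nic),
          "reactivate:", needs_reactivation(code, new_nic))
    rebuilt = dict(ORIGINAL_HARDWARE, cpu="AuthenticAMD-Family6-Model4",
                   ram="512MB", gpu="ATI-Radeon")
    print("new CPU/RAM/GPU ->", changed_components(code, rebuilt),
          "reactivate:", needs_reactivation(code, rebuilt))
```

One caveat worth keeping in mind when reading "cannot be reconstituted": a hash of a low-entropy field (a MAC address or a RAM size) can be recovered by simply trying all plausible values, so a digest protects a component identifier only as well as that identifier's entropy allows.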