echo: virus
to: KURT WISMER
from: Bo Simonsen
date: 2005-01-25 13:36:20
subject: News, Jan. 2 2005

Hello KURT!

23 Jan 05 11:34, you wrote to me:

 KW>> do i agree? no, not really... it can still spread far and wide
 KW>> since there are still plenty of clueless people with poorly
 KW>> protected network shares...

 BS>> Aha.. But most ISPs are filtering port 137-139/tcp?

 KW> are they? how do you know? i've heard that some big-name ones are, but
 KW> i don't think that is the same thing as 'most'...

My ISP is doing that, and I bet others do here.. I'm on cable btw ..

 KW> [snip]
 KW>> consider the number of people who *undo* all their security
 KW>> measures by rebuilding their system from scratch (and then
 KW>> failing to re-apply whatever security best practices they might
 KW>> have half-learned) instead of just removing whatever virus or
 KW>> worm they may have had...

 BS>> I guess not many people are doing that?

 KW> actually, lots of people are doing that... in fact, there are some
 KW> supposedly knowledgeable folks in europe who seem to think that the
 KW> only way to deal with a virus infection is to format and re-install
 KW> and they've been trying to spread this idea...

Sometimes it's unfortunately.. But with a minor infection there shouldn't be
a problem cleaning it using an anti-virus program. But with hacker attacks
I wouldn't doubt reinstalling the system.

 KW>> then
 KW>> consider the number of new computer users who haven't applied any
 KW>> security best practices yet... then consider the number who
 KW>> ignore hardening their system in favour of simply using a
 KW>> firewall (which may or may not always be there to protect
 KW>> them)... then consider the number of people who just do not learn
 KW>> how to prevent re-infection...

 BS>> Firewall is a buzzword these days.. Personally I've no reason
 BS>> for using one..

 KW> if you don't connect to the internet then you have no need for one,
 KW> otherwise you do...

I connect to the Internet yes.. My server is online 24/7, but still there
is no reason for a firewall because the only ports which are open are
needed. I see no reason for filtering outbound traffic.

 KW> it used to be that people would talk about the
 KW> myth of the firewall (the myth being that firewalls were necessary) -
 KW> nobody mentions the myth of the firewall anymore...

Firewalls are necessary if you can't close all ports which could do
damage to the system. A firewall in my terms is an IP filter, not all that
fancy Windows crap, like ZoneAlarm. ;-)

 KW>> in a perfect world, spreading over network shares wouldn't be
 KW>> very effective - but we don't live in a perfect world...

 BS>> No.. But why not use a non-standard port for doing it?

 KW> a non-standard port? why bother?

It would be easier, and would work if ports 137-139 are blocked ;-)

 KW> look, this discussion arose out of an entry from sophos' online
 KW> descriptions that i posted a couple weeks back... i don't post
 KW> descriptions for viruses/worms/trojans unless sophos is claiming to
 KW> have gotten reports of them in the wild, so the malware in question
 KW> *is* in the wild... it is spreading, no matter how much you think
 KW> it shouldn't...

I just thought it's clueful, that the programmer didn't use less code, by
doing it "the proper way".. I'm only a programmer not a virus
programmer, maybe that's why I think it's clueful. ;-)

Bo


... It's nice to be important, but it's more important to be nice!
--- GoldED+/LNX 1.1.5
* Origin: Call The Night Express - telnet geekworld.dk (2:236/100)
SEEN-BY: 633/267 270
@PATH: 236/100 237/9 20/11 106/1 2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
