App Review Comodo Firewall Bypassing a Bypass

[Andy Ful]

Cybercriminals are people. But yes, users do put themselves at risk, be it with warez, or by neglecting their security.

I think that @bazang had something else in mind. Most people will always choose convenience and usability over safety. They will skip stronger security solutions that are not the best at performance, require some knowledge or user interaction, affect their habits, etc. I am not sure if we can consider this a problem. Apples fall, wolves eat animals, and criminals always find a way to attack an average computer user.

Edit.
AVs do not pretend that they can protect all people. Their main task is to prevent epidemics, similar to the case of vaccines against COVID. The use of vaccines assumes that a small part of the population may die.

 

[ebocious]

I think that @bazang had something else in mind. Most people will always choose convenience and usability over safety. They will skip stronger security solutions that are not the best at performance, require some knowledge or user interaction, affect their habits, etc. I am not sure if we can consider this a problem. Apples fall, wolves eat animals, and criminals always find a way to attack an average computer user.

Edit.
AVs do not pretend that they can protect all people. Their main task is to prevent epidemics, similar to the case of vaccines against COVID. The use of vaccines assumes that a small part of the population may die.

Sad truth. But no one wants to become a statistic. I don't want to live in a bubble, but I try to stay in shape and eat probiotics. And I am always trying to find ways to fortify my devices as much as I can without sacrificing usability. I know there's no perfect solution. As long as you can install software on your computer, you can install malicious software on your computer.

 

[bazang]

Most people will always choose convenience and usability over safety. They will skip stronger security solutions that are not the best at performance, require some knowledge or user interaction, affect their habits, etc. I am not sure if we can consider this a problem.

Users are the Number 1 threat. Ignorant, lazy, careless, negligent users are categorized as "Insider Threats." A user's intent to commit harm has nothing to do with the definition. They are a vulnerability that is inherent in any information system. Most people - the typical person you might encounter when out in public - are vulnerabilities to the entire interconnect because of what they do - and more importantly what they do not do - on their digital devices.

In this era of BYOD, disregard for security, expecting "somebody else to take care of security," and 100% interconnectivity, such users are an even greater menace to the entire interconnect. The digital security paradigm is many decades behind reality. To compound the problems, laws and regulations are equally decades behind reality.

What a single user does on their computing device can impact every system and every person or entity to which that single user is connected or can connect to - either directly or indirectly.

Security is not software. It is a process. It is a multi-part problem that involves people and everything else. The people (users) are the greatest vulnerability and threat. This is an irrefutable fact. People are ALWAYS the problem. ALWAYS.

Security is not software. It is a process. The entire process is effective only to the extent that security is made a priority - and that means doing many, many things that will upset people. "Digital Rights" is utter nonsense. Global stability is dependent upon digital security. The needs of the many (global stability) needs to come way before the needs of the few (users that want to use stuff). Pandering to people because they want to do what they want to do on their systems is the very worst thing possible - and that is exactly what the hardware manufacturers and software publishers have done for decades. Pandora's box has been opened and there is no reversing it (or even any hope of diminishing its effects).

It is much easier to control what home users can do on their systems than fighting the cyber criminals. The war on cyber criminals can never be won and for every year that passes where effort is not turned to solving the problem by controlling individual users and what they can do on their systems, that is another year that greatly increases the probability that it is too little, too late. I argue that under the current model of allowing "users to use stuff," global society is already doomed. It is exactly that mode of thinking - "Users want to use stuff and we need to allow them to do what they want" - that enabled the rise of a global multi-trillion Euro cyber criminal ecosystem that the entire world is now powerless against.

If the "users want to use stuff" paradigm is so awesome, then why are governments and corporations spending billions upon billions of Euros on security? More importantly, why is all that money spent not improving security? Why, despite trillions of Euros spent, is global society more vulnerable than ever to exponentially increasing threats? Why is the entire global digital interconnect entirely unsafe?

There are grim statistics that show the malware\identity theft\financial loss problem is far worse than the general public knows. The reason they do not know is one of three reasons: 1) the statistics are very expensive to obtain and not releasable per non-disclosure agreements, 2) the statistics are government data that are not for public release and 3) the details of compromises of financial institutions, identity theft, and other types of personal losses are not legally required to be reported - and thereby entire industries get away with covering-up the tremendous amount of harm that is caused by users.

The global system is built upon not being transparent about the extent to which users create the vast majority of problems. Institutions and companies do not want to be held responsible for individual users. They do not want to assume the accountability, the liability, and most of all the expense. Therefore they fight every measure to make statistics transparent and publicly available.

Home users are and shall remain the greatest vulnerability. The cyber criminals (the bad people) shall remain the greatest threat.

It is far, far easier to stop home users from being a threat to themselves and everyone else than it is to track-down and stop the threat actors/criminals.

 

[bazang]

Cybercriminals are people. But yes, users do put themselves at risk, be it with warez, or by neglecting their security.

We live in a world where the vast majority of people die because of over-eating than starvation.

Who is to blame? The person who cannot control themselves and overeats or overeats without regard to their health - or the food growers, manufacturers, or sellers?

Just try to protect people by placing a limit on how much junk food they may purchase. Those people - who blame the growers, manufacturers and sellers for their obesity - will bring pitchforks and rifles into the streets and riot. The hypocritical obese will riot, burn down city blocks because they want their junk food - but according to themselves, they aren't to blame for eating so much of it that they are obese.

This very same thing - hoomans and what they do and do not do - is the reality of the digital world and the interconnect.

People are ALWAYS the problem. ALWAYS.

 

[ebocious]

We live in a world where the vast majority of people die because of over-eating than starvation.

Who is to blame? The person who cannot control themselves and overeats or overeats without regard to their health - or the food growers, manufacturers, or sellers?

Just try to protect people by placing a limit on how much junk food they may purchase. Those people - who blame the growers, manufacturers and sellers for their obesity - will bring pitchforks and rifles into the streets and riot. The hypocritical obese will riot, burn down city blocks because they want their junk food - but according to themselves, they aren't to blame for eating so much of it that they are obese.

This very same thing - hoomans and what they do and do not do - is the reality of the digital world and the interconnect.

People are ALWAYS the problem. ALWAYS.

If a woman gets kidnapped and taken advantage of, is it her fault? What about a mugging? This school of thought is the reason why rape victims are asked if they flirted or dressed too "provocatively." Whatever the victim could have done to potentially avoid being victimized, they did not pull the perpetrator's strings. The perpetrator acted on their own accord, and is ultimately at fault. Malware doesn't write itself.

I'm not disputing the fact that most malware infections happen with user intervention. But it doesn't change the fact that a minority of innocuous users are victimized by malevolent actors. Now, we can still redirect SOME of the blame their way, as the owner is responsible for their own security. And that's why this website is here.

 

[bazang]

I'm not disputing the fact that most malware infections happen with user intervention. But it doesn't change the fact that a minority of innocuous users are victimized by malevolent actors. Now, we can still redirect SOME of the blame their way, as the owner is responsible for their own security. And that's why this website is here.

It is not about who is to blame. Whether it is the threat actor or the user, one is categorized as a threat and the other a vulnerability. As I stated multiple times, it is a multi-part problem involving threat actors and users.

It is about being realistic and practical in solving the many problems. It is much easier to solve security issues on the user side than it is on the threat actor side. You should think of users (home) as attack surface. Users total in the billions. As a group they create the greatest attack surface. That attack surface is also the most easy to attack and compromise.

In society, it is much less costly and much more effective to fix most security issues on the user side. Sending out law enforcement to track-down and prosecute cyber criminals is a losing strategy. The war on cyber criminals is unwinnable whereas a lot can be done on the user side to greatly increase security. People are the Number 1 problem in security and until the focus moves from solving security problems with software to solving those problems at the easiest to address source - the individual user - things will never change. People are ALWAYS the problem. ALWAYS.

In the world of risk management and threat modeling, home users are categorized as an "Insider Threat." That is because they are ignorant, they do not follow security best practices, they could care less about security, they make mistakes, and so on. Fixing those things cannot be done with software alone.

Most home users are victims because they victimize themselves by doing things that they should not, and not doing the things that they should.

 

[ebocious]

It is not about who is to blame. Whether it is the threat actor or the user, one is categorized as a threat and the other a vulnerability. As I stated multiple times, it is a multi-part problem involving threat actors and users.

It is about being realistic and practical in solving the many problems. It is much easier to solve security issues on the user side than it is on the threat actor side. You should think of users (home) as attack surface. Users total in the billions. As a group they create the greatest attack surface. That attack surface is also the most easy to attack and compromise.

In society, it is much less costly and much more effective to fix most security issues on the user side. Sending out law enforcement to track-down and prosecute cyber criminals is a losing strategy. The war on cyber criminals is unwinnable whereas a lot can be done on the user side to greatly increase security. People are the Number 1 problem in security and until the focus moves from solving security problems with software to solving those problems at the easiest to address source - the individual user - things will never change. People are ALWAYS the problem. ALWAYS.

In the world of risk management and threat modeling, home users are categorized as an "Insider Threat." That is because they are ignorant, they do not follow security best practices, they could care less about security, they make mistakes, and so on. Fixing those things cannot be done with software alone.

Most home users are victims because they victimize themselves by doing things that they should not, and not doing the things that they should.

Actually, cybercriminals do get tracked down and prosecuted. Correction is and likely always will be part of a multi-faceted answer to a multi-faceted problem.

Thank you for finally admitting that there are malicious actors, and not simply users infecting themselves. And again, no one is arguing that users are not the biggest issue, nor is anyone arguing the fact that the best solution is for users to take responsibility for their own security, as I said in my previous comment.

The problem is that the most common advice given to users is to use antivirus software, keep your computer up to date, and stay away from dodgy websites. But Windows already comes with antivirus, and updates itself automatically unless you stop it, which average users do not. Unfortunately, drive-by downloads are a thing, and not just on warez and adult sites. Last I read, I believe about 80% of online threats are on well-known sites, such as Betty Crocker and NFL.

I think we are more in agreement than you think we are. The difference is that I don't fixate on one thing and nothing else until it's 100% fixed, because it will likely never be 100% fixed. People can work on more than one project at a time, and we have to. You can't pick up the broom every time you see another speck on the floor, and ignore the dishes, the toilets, the laundry, and dinner. We have to look at the bigger picture.

P.S.: I feel like I'm picking a fight, but it's not what I want. I'm not trying to put anyone down; I'm an explainer.

 

[bazang]

Thank you for finally admitting that there are malicious actors, and not simply users infecting themselves.

I said it from the beginning.

And again, no one is arguing that users are not the biggest issue, nor is anyone arguing the fact that the best solution is for users to take responsibility for their own security, as I said in my previous comment.

People will never be accountable or take responsibility unless it is imposed upon them very forcefully by individual governments and international agreements.

For every 1 Euro spent on the user side of enforcing security, one must spend 10 to 50 Euros on the cyber criminal side (pursuing them via law enforcement). Those numbers are a particular government's internal statistics.

The answer is to impose very strict security at the device level upon users. It means that "users want to use stuff" will not happen on such devices. They shall be locked out of doing all the things that they are allowed to do now, which are responsible for the vast majority of security incidents.

Such a change in protection paradigm and model shall never happen. It is easier to just leave users to their own whims and make profit from people being people.

The average user does not care about security. So I have no compunction whatsoever about allowing them to destroy their life savings because they are "users that want to use stuff." For families that have children and the parents allow children to be unsupervised, they get what they permitted to happen. It is the same as those obese people. Nobody forced them to stuff their faces and over eat. They did it to themselves.

 

[ebocious]

I said it from the beginning.

I'm sorry, but you really didn't. You omitted it completely the first time, and then deflected the second time with the anecdote about junk food, until I confronted you with a more vivid scenario to highlight the separation between victim and perpetrator.

People will never be accountable or take responsibility unless it is imposed upon them very forcefully by individual governments and international agreements.

For every 1 Euro spent on the user side of enforcing security, one must spend 10 to 50 Euros on the cyber criminal side (pursuing them via law enforcement). Those numbers are a particular government's internal statistics.

The answer is to impose very strict security at the device level upon users. It means that "users want to use stuff" will not happen on such devices. They shall be locked out of doing all the things that they are allowed to do now, which are responsible for the vast majority of security incidents.

Such a change in protection paradigm and model shall never happen. It is easier to just leave users to their own whims and make profit from people being people.

The average user does not care about security. So I have no compunction whatsoever about allowing them to destroy their life savings because they are "users that want to use stuff." For families that have children and the parents allow children to be unsupervised, they get what they permitted to happen. It is the same as those obese people. Nobody forced them to stuff their faces and over eat. They did it to themselves.

I'm getting the impression that a friend, family member, or employee of a company you worked for FUBARed their system, and seriously got your goat. I'm sorry.

 

[bazang]

No, you didn't. You evaded it twice until I railroaded you into it.

Sure I did. I stated it very clearly three different times. You just did not bother to read what was stated. If you go back and re-read it, you will find that I said it. Again, not just once for you to understand, but three separate times.

I'm getting the impression that a friend, family member, or employee of a company you worked for FUBARed their system, and seriously got your goat. I'm sorry.

Nah. I said that it makes the most sense to just let people be who and what they are, and then earn profit from them being their selves and what they are. Nobody is exploiting the people. The people are doing it all to themselves. People create their own problems. People like me provide the solutions to some of those problems.

I am grateful that people are the way that they are. They do all the hard work and create so many fantastic business opportunities.

Now, actually solving the various problems by addressing the primary causes, well that is an entirely different matter.

If society wants to actually solve problems, then that will require really competent authoritarian policies and actions. Start first with users because they are fundamentally the greatest single cause of terrible digital security and outcomes.

I provide solutions to that end to multiple governments.

The point that I was making is that your tax dollars spent on law enforcement chasing cyber criminals result in a dismal return on investment whereas creating device-level security that actually protects users from themselves would cost a fraction of the amount spent funding the war on cyber criminals.

 

[ebocious]

The point that I was making is that your tax dollars spent on law enforcement chasing cyber criminals result in a dismal return on investment whereas creating device-level security that actually protects users from themselves would cost a fraction of the amount spent funding the war on cyber criminals.

I could almost get behind this. The problem is when government wants to set up a backdoor for themselves, all in the name of "protecting our citizens."

 

[bazang]

I could almost get behind this. The problem is when government wants to set up a backdoor for themselves, all in the name of "protecting our citizens."

As far as any operating system, particularly Windows, the U.S. has any of a number of means of getting inside of the OS without a deliberately created or implanted back door.

How does the U.S. get Microsoft to give it whatever it needs to get into an individual's OS? It asks Microsoft for it.

The scale of criminality used to be in the millions. Now it has grown to a scale of billions. Law enforcement and government security services are still the same size. Those organizations have not grown in size, resources, capacity to match the exponential growth in criminality.

Therefore, to have effective security, law enforcement and government security services must have the capability to decrypt communications and access information that criminals want to hide from them.

The supremacy of the state must come first. It is even more important now than it has ever been because of the exponential growth in criminality, terrorism, organized crime, etc.

There are people that want to hobble security services in the name of "individual digital rights" which is a load of bollocks.

 

[ebocious]

As far as any operating system, particularly Windows, the U.S. has any of a number of means of getting inside of the OS without a deliberately created or implanted back door.

How does the U.S. get Microsoft to give it whatever it needs to get into an individual's OS? It asks Microsoft for it.

The scale of criminality used to be in the millions. Now it has grown to a scale of billions. Law enforcement and government security services are still the same size. Those organizations have not grown in size, resources, capacity to match the exponential growth in criminality.

Therefore, to have effective security, law enforcement and government security services must have the capability to decrypt communications and access information that criminals want to hide from them.

The supremacy of the state must come first. It is even more important now than it has ever been because of the exponential growth in criminality, terrorism, organized crime, etc.

There are people that want to hobble security services in the name of "individual digital rights" which is a load of bollocks.

Government has the ability to track IP data, and collaborate with ISPs and other relevant parties to intercept communications if criminal activity is suspected. In some cases, they may try to hack into a computer with a warrant, but this is rare, and their ability to do so may be impacted by the presence of strong security. In such cases, they obtain a warrant to physically seize a device. I'm not aware of any historical evidence of a backdoor that allows them to simply waltz in any time they want. And security software isn't all made in the US, or vetted by government for compliance with backdoor policies. Microsoft, Apple, and Google (Alphabet) have all gone to court to fight for users' privacy.

I don't share the kind of paranoia you have, such that you support an authoritarian state. I could support Internet licensing, or perhaps working with the Department of Education to require classes in computing and Web security. If government were endowed with the kind of absolute power that you suggest, criminals would simply infiltrate government itself, and have their way with everyone's private data.

 

[bazang]

Government has the ability to track IP data, and collaborate with ISPs and other relevant parties to intercept communications if criminal activity is suspected.

In some cases, they may try to hack into a computer with a warrant

I work very closely with government law enforcement and security services.

The U.S. Government, for example, does not require a warrant for any Executive Agency to hack anybody's computer. Hacking a computer is not prohibited by the U.S. constitution. The SCOTUS ruled on this about 10 years ago.

Law enforcement needs a warrant to seize a digital asset (laptop, desktop, mobile phone, online account, etc). But they do not need a warrant to attack the digital asset.

It is different in other nations (variations), but more or less those governments work with their law enforcement and security services in such a way that their investigations are successful.

I'm not aware of any historical evidence of a backdoor that allows them to simply waltz in any time they want.

It is not a backdoor. All the government needs to do is ask Microsoft to give it access through various mechanisms. Microsoft cooperates fully.

I don't share the kind of paranoia you have, such that you support an authoritarian state.

I am not paranoid. I just know that governments must be able to decrypt communications and other encrypted data & information to be able to provide security.

What I know from direct in-person experience is that governments do not violate privacy protections. When it comes to national security, an individual either does not by law or should not (such rights do not exist in the first place) have individual "digital rights" that prevent the government security services from fulfilling their missions.

A person is OK. Beyond the individual, people are ALWAYS the problem. ALWAYS. When the scale gets beyond just a few people, then a state needs to be competent and ruthlessly enforce authoritarian policies.

The war on cyber criminals fails to a large extent because of ridiculous "individual digital rights." So law enforcement and security services have to use create, completely legal methods to track and hunt down criminals, threat actors and terrorists.

 

[ebocious]

It is not a backdoor. All the government needs to do is ask Microsoft to give it access through various mechanisms. Microsoft cooperates fully.

In order for Microsoft to “give access,” this implies a backdoor of some sort. Care to elaborate? To my knowledge, Microsoft will share data on its servers (e.g. Outlook, OneDrive, Azure) in response to a subpoena. But they don’t deliberately plant vulnerabilities in their software that allow for surreptitious remote access to customers’ devices.

A person is OK. Beyond the individual, people are ALWAYS the problem. ALWAYS. When the scale gets beyond just a few people, then a state needs to be competent and ruthlessly enforce authoritarian policies.

Maybe I’m misunderstanding you. Are you talking about authoritarian policies with regard to punishing criminals? I thought you meant punishing victims of remote exploits. If it’s the former, I might be inclined to agree.

 

[silversurfer]

@ebocious and @bazang
After all your comments, both of you said enough to explain your point of view and your personal opinions. But all that is rather off-topic, now it’s time to stop the discussion.

The main topic of the thread should be regarding Comodo Firewall.

 

[bazang]

I think Trump should appoint Melih Abdulhayoglu the Director of Cybersecurity & Infrastructure Security Agency.

That way Americans will get effective, $0 cost security software installed on their systems.

Then Melih will get some U.S. taxpayer monies to fix bugs.

 

[Digmor Crusher]

I think Trump should appoint Melih Abdulhayoglu the Director of Cybersecurity & Infrastructure Security Agency.

That way Americans will get effective, $0 cost security software installed on their systems.

Then Melih will get some U.S. taxpayer monies to fix bugs.

Sure, why not?
Its going to take 20 years to repair all the damage Trump is going to do to the country anyways.

 

[bazang]

Sure, why not?
Its going to take 20 years to repair all the damage Trump is going to do to the country anyways.

Giving Americans something for nothing ($0 cost security software) can hardly be characterized as "damage."

It is the best of both worlds. Users who are upset about Comodo bugs will finally get fixes for them and U.S. taxpayers will subsidize the rest of the world with free security software - the same as they do now. U.S. taxpayers subsidize Europe, Ukraine, and SEATO nations. U.S. money printer go... brrrrrr!