View Full Version : ZoneAlarm Pro Serious Security Vulnerabilities!?
ronny
May 31st, 2006, 01:01 PM
Interesting read here (http://www.matousec.com/projects/windows-personal-firewall-analysis/ZoneAlarm-Pro-6.1.744.001)
Did I waste my (hard-earned) money when I bought it (several licenses)?
Any comments?
Rasheed187
May 31st, 2006, 01:08 PM
:wacko: :shifty: :-X :blink:
Perman
May 31st, 2006, 01:37 PM
-{ Quote: "Interesting read here (http://www.matousec.com/projects/windows-personal-firewall-analysis/ZoneAlarm-Pro-6.1.744.001)
Did I waste my (hard-earned) money when I bought it (several licenses)?
Any comments?" }-
Hi, all: I read this a while ago when the author posted his findings on this forum (but they have been removed since). Up to this day, we are still awaiting ZA's official response. What if someone were to purchase the CODE (it is offered for sale on his web site) and commence hacking? I'd rather not imagine it. >:(
olap
May 31st, 2006, 01:40 PM
This confirms my post http://www.wilderssecurity.com/showthread.php?t=132049
matousec
May 31st, 2006, 02:38 PM
-{ Quote: "Hi, all: I read this a while ago when the author posted his findings on this forum (but they have been removed since). Up to this day, we are still awaiting ZA's official response. What if someone were to purchase the CODE (it is offered for sale on his web site) and commence hacking? I'd rather not imagine it. >:(" }-
Hello, we are also awaiting ZA's response.
Anyway, we will not sell our work to malware creators. Our analysis is intended for vendors and pen-testers. We will not sell our products anonymously; this should discourage those who want to create and spread malware with it.
We will also publish bugs for free regularly (probably starting 01/07).
Perman
May 31st, 2006, 02:56 PM
-{ Quote: "Hello, we are also awaiting ZA's response.
Anyway, we will not sell our work to malware creators. Our analysis is intended for vendors and pen-testers. We will not sell our products anonymously; this should discourage those who want to create and spread malware with it.
We will also publish bugs for free regularly (probably starting 01/07)." }-
Hi, this is exactly the kind of attitude and approach I am expecting from you. I do admire your excellent work; you are a new kid on the block. Carry on your good work; surely the viewers will support you all. :thumb:
aigle
May 31st, 2006, 04:41 PM
-{ Quote: "Hello, we are also awaiting ZA's response.
Anyway, we will not sell our work to malware creators. Our analysis is intended for vendors and pen-testers. We will not sell our products anonymously; this should discourage those who want to create and spread malware with it.
We will also publish bugs for free regularly (probably starting 01/07)." }-
So who can buy this code except ZoneLabs and hackers? I am confused.
Also, I am still confused about what the aim behind all this is.
unhappy_viewer
May 31st, 2006, 08:09 PM
Last I recall this was posted, the Moderator deleted the entire thread.
The security tester should submit his list of 'vulnerabilities' to Secunia to see if it holds any value.
ErikAlbert
June 2nd, 2006, 07:31 PM
-{ Quote: "Interesting read here (http://www.matousec.com/projects/windows-personal-firewall-analysis/ZoneAlarm-Pro-6.1.744.001)
Did I waste my (hard-earned) money when I bought it (several licenses)?
Any comments?" }-
That link was removed recently by one of the leaders of Wilders; I don't remember who.
dallen
June 2nd, 2006, 11:17 PM
After having read the allegations made by matousec regarding Zone Alarm, I am not convinced that the conclusions are sound. The page seems littered with errors, from the "Tested version" section, where the differences between Zone Alarm Pro and Internet Security are erroneously described, to the "Security" section, where the author makes unfounded allegations about Zone Labs' programmers and their ability to program under Windows NT.
I hesitate to make the same mistake as the author of the referenced "tests," but I am willing to bet that the author's obvious financial motivations have tainted the author's ability to objectively evaluate the software. Furthermore, my conclusion is that these findings are without merit. My guess is that Zone Labs will not respond to these findings because a response would only give credibility to these findings, and I'm not convinced that the findings are deserving.
unhappy_viewer
June 3rd, 2006, 03:07 AM
-{ Quote: "My guess is that Zone Labs will not respond to these findings because a response would only give credibility to these findings and I'm not convinced that the findings are deserving." }-
A similar thread has been posted on the ZL forum (which is now locked) and the forum moderator has replied to it. His words can almost be taken as the official stance of ZL on this issue:
http://forum.zonelabs.org/zonelabs/board/message?board.id=security&message.id=15510
Like the forum moderator said, any respected security researcher would disclose vulnerabilities to the software company concerned and to notable websites like Secunia for no fee. Asking for money just causes people to question your motives and the legitimacy of your "results", and is more likely to be a scam.
I am just surprised that the Wilders Security Moderator hasn't deleted this thread like the previous one that was posted here.
Joliet Jake
June 3rd, 2006, 05:00 AM
People tend to trust those who have no financial incentive when testing products.
ErikAlbert
June 3rd, 2006, 05:47 AM
I don't mind that the link isn't removed this time. Both good and bad things need to be said.
I don't know if it is true or not; only firewall experts can be the judge of that.
Why sell all these bugs anyway? Good grief, $260 for one bug, that's blackmail.
Must be a new way of making money on the internet. LOL
Meanwhile I keep on using ZoneAlarm (free or pro), because ZoneAlarm is much cheaper than its so called 'bugs'. ;D
Perman
June 3rd, 2006, 12:55 PM
Hi, all: after reading the locked link to ZL, I just could not believe what I saw. ZL is a leading player in cyber security; everyone, including myself, looks up to them for leadership and guidance. In the wake of the wild discovery of potential and perhaps critical flaws in their flagship app by a NEW kid on the block, they panic and act like a chicken w/o a head. First, they discredit the author, then choose not to act, and react by hiding their head (only if they luckily find one) in the sand. Some folks may be old enough to recall the auto giant (not any more) FORD/Pinto saga; the same pattern of reaction has been followed. In the end, FORD paid for their mistakes very dearly. The author may have some ethical problem by offering his findings for $$. By the same token, ZL sells their work for $$$ as well. Who is ethical and who is not is a question of your judgement. My main concern now is: what IF (hoping it is a big IF) his findings have some merit, and ZL still sits in an ivory tower looking out, refusing to do ANYTHING; is our wellbeing in this cyberworld being protected? We have paid ZL $$$ for protection and the PROTECTOR is trying to sweep their problems under the carpet. A kind word for the CTO at ZL: this is the time for you and your intellectuals to show us that you do CARE! >:(
unhappy_viewer
June 3rd, 2006, 09:25 PM
-{ Quote: "Hi, all: after reading the locked link to ZL, I just could not believe what I saw. ZL is a leading player in cyber security; everyone, including myself, looks up to them for leadership and guidance. In the wake of the wild discovery of potential and perhaps critical flaws in their flagship app by a NEW kid on the block, they panic and act like a chicken w/o a head. First, they discredit the author, then choose not to act, and react by hiding their head (only if they luckily find one) in the sand. Some folks may be old enough to recall the auto giant (not any more) FORD/Pinto saga; the same pattern of reaction has been followed. In the end, FORD paid for their mistakes very dearly. The author may have some ethical problem by offering his findings for $$. By the same token, ZL sells their work for $$$ as well. Who is ethical and who is not is a question of your judgement. My main concern now is: what IF (hoping it is a big IF) his findings have some merit, and ZL still sits in an ivory tower looking out, refusing to do ANYTHING; is our wellbeing in this cyberworld being protected? We have paid ZL $$$ for protection and the PROTECTOR is trying to sweep their problems under the carpet. A kind word for the CTO at ZL: this is the time for you and your intellectuals to show us that you do CARE! >:(" }-
If you visit that "security" website now, you will see that they have done a test on Kerio and also found a long list of "bugs" for Kerio, and advise people not to use Kerio and to switch firewalls. I wonder what Sunbelt Software's official take on the matter is. I would not be surprised if it's the same:
http://www.matousec.com/projects/windows-personal-firewall-analysis/Kerio-Personal-Firewall-4.3.246/
If they want to charge, that's up to them, but at least file the bugs, say, with Secunia to have them verified. Charging for the "tests" and not having someone external verify your work just raises questions. From the forum moderator's answer, ZL is aware of the tests, but they are also aware that it may be a scam and are not willing to fork out big cash, especially for work that is not verified or even picked up by an editorial board. I just think that this calls for the use of common sense (which is not common these days) and not jumping onto everything that is claimed to be a bug.
P.S. ZL doesn't sell all their firewalls. ZA (free) is still available for free. Those who buy did so voluntarily because they'd like a feature that is not present in ZA (free), or they don't mind paying for a high-quality firewall.
ellison64
June 4th, 2006, 06:20 AM
The dilemma arises, though, when supposedly Agnitum has apparently asked matousec to test their new version 4 firewall, therefore giving them some credence in their ability to fault-find etc. I don't know whether they are genuine or not; however, their wording regarding Kerio and ZA seems provocative, to say the least.
ellison
dallen
June 6th, 2006, 09:57 PM
-{ Quote: "Hi, all: after reading the locked link to ZL, I just could not believe what I saw. ZL is a leading player in cyber security; everyone, including myself, looks up to them for leadership and guidance. In the wake of the wild discovery of potential and perhaps critical flaws in their flagship app by a NEW kid on the block, they panic and act like a chicken w/o a head. First, they discredit the author, then choose not to act, and react by hiding their head (only if they luckily find one) in the sand. Some folks may be old enough to recall the auto giant (not any more) FORD/Pinto saga; the same pattern of reaction has been followed. In the end, FORD paid for their mistakes very dearly. The author may have some ethical problem by offering his findings for $$. By the same token, ZL sells their work for $$$ as well. Who is ethical and who is not is a question of your judgement. My main concern now is: what IF (hoping it is a big IF) his findings have some merit, and ZL still sits in an ivory tower looking out, refusing to do ANYTHING; is our wellbeing in this cyberworld being protected? We have paid ZL $$$ for protection and the PROTECTOR is trying to sweep their problems under the carpet. A kind word for the CTO at ZL: this is the time for you and your intellectuals to show us that you do CARE! >:(" }-
Perman,
Your reasoning is seriously flawed. Based upon your logic, Zone Labs should pay me simply because I claim to have bugs for sale. If that were how things worked, then I would be rich. Furthermore, Zone Labs selling their security software that is designed to protect is not the same as selling ways to exploit Zone Labs software. Based on that logic, Microsoft is the same as cyber criminals that sell bot networks.
As an industry leader, Zone Labs is doing just as it should, contrary to your conclusion. You think that Zone Labs should heed every extortion attempt from every "NEW Kid" on the block. I disagree. The individual(s) behind this so-called "finding" may very well be kids simply trying to earn a fast buck. I would be willing to bet that smart businessmen or women are not behind this. I think this inference can be drawn from the manner in which they are operating.
Ellison64,
Your intuition seems correct. Their wording is provocative, indeed. I would go further and label it suspicious. Their modus operandi only adds to that suspicion.
FirePost
June 8th, 2006, 12:05 AM
-{ Quote: "The dilemma arises, though, when supposedly Agnitum has apparently asked matousec to test their new version 4 firewall, therefore giving them some credence in their ability to fault-find etc." }- Anyone who visits the site and reads the blog will see that Agnitum only asked that the testing be carried out on the forthcoming version 4 rather than the current 3.51. That is not the same as asking for a test. From the blog:
-{ Quote: "And because we have agreed to wait with our analysis for the new version" }-Better stated and more correct:
-{ Quote: "... asked matousec to test their new version 4 firewall instead of version 3.51..." }-
ellison64
June 8th, 2006, 11:30 AM
-{ Quote: "Anyone who visits the site and reads the blog will see that Agnitum only asked that the testing be carried out on the forthcoming version 4 rather than the current 3.51. That is not the same as asking for a test. From the blog:
Better stated and more correct:" }-
Whichever way you interpret it, though, Agnitum (according to the blog) seems to be a willing participant in matousec's testing methods; otherwise they wouldn't have even acknowledged them, IMO.
ellison
Perman
June 8th, 2006, 01:56 PM
-{ Quote: "Perman,
Your reasoning is seriously flawed. Based upon your logic, Zone Labs should pay me simply because I claim to have bugs for sale. If that were how things worked, then I would be rich. Furthermore, Zone Labs selling their security software that is designed to protect is not the same as selling ways to exploit Zone Labs software. Based on that logic, Microsoft is the same as cyber criminals that sell bot networks.
As an industry leader, Zone Labs is doing just as it should, contrary to your conclusion. You think that Zone Labs should heed every extortion attempt from every "NEW Kid" on the block. I disagree. The individual(s) behind this so-called "finding" may very well be kids simply trying to earn a fast buck. I would be willing to bet that smart businessmen or women are not behind this. I think this inference can be drawn from the manner in which they are operating.
Ellison64,
Your intuition seems correct. Their wording is provocative, indeed. I would go further and label it suspicious. Their modus operandi only adds to that suspicion." }-
Hi, Dallen: I just came across your comments. I'd like to take a few minutes just to let you know my reasoning behind my earlier views; NO intention to escalate ANY further debates. You have good academic credentials around your waist; I do respect you. As you know, any leader in any field, in order to continue growth, must keep their mind OPEN, I mean open to any suggestions from right to wrong, and never SHUT their ears or TUNE their receiver to a selective frequency. This NEW kid on the block could be just as young as your grandson, with lots of ideas; his behaviour in soliciting $$ for his work may leave a bad taste in some people's mouths, but it does not constitute any intention of extortion (as you label it); he is not just targeting ZA. The refusal of ZL to deal with these alleged flaws and to LOCK the link to this matter on their forum just illustrates something fishy on their part. Again, a very kind word for the CTO at ZL: this is the black cloud on the horizon; be wise to deal with it before it becomes a category 5 hurricane. This kid has mentioned (not a threat) that he will publish his findings in public in Jan. 2007. Be there, folks, and be a judge. BTW, ZL has upgraded ZA Pro to v6.5.700; is it still vulnerable to these findings (or should they be called threats)?
ellison64
June 8th, 2006, 03:15 PM
What I find a bit disreputable is that matousec said that they were waiting for ZA's response and yet still slagged their product off publicly at their website. Now, if there were serious bugs in ZA and matousec are a professional company or whatever that charges for their services, then surely they would have approached ZA and Sunbelt covertly, explained their findings etc. etc., and maybe ZA or Kerio might have been more favourable in their approach to matousec. Perhaps they did this, but I see no evidence at the site regarding this. To most observers it looks like matousec have found faults (allegedly), then published the fact publicly on their website and discredited ZA and Kerio, with an offer to disclose the "bugs" for money. The fact at present, though, is that millions of people use both these products without much complaint or problems with their security.
ellison
Perman
June 8th, 2006, 04:09 PM
Hi, folks: further to my previous posting, I have received a private message from matousec indicating that there are two errors that need to be addressed. First is the date for public release: it is July 1, 2006 rather than Jan. 1, 2007. Secondly, the scope of the released info is limited to a few bugs on a regular basis, rather than all bugs. And the products subjected to testing are not limited to ZA products.
dallen
June 9th, 2006, 10:14 AM
On July 1, 2006, it sounds like we will find out for sure if matousec's claims are legit. We've already learned that matousec's business practices are ethically irresponsible. My decision, if I were running Zone Labs, would be to give this matousec the attention he deserves. None.
Do you think Zone Labs became the industry leader by developing an easily exploitable firewall? This is not to say that Zone Alarm is impenetrable, but it is certainly among the best on the market.
Negotiating with matousec and paying for the "exploits," and I use the term loosely, would be a lot like negotiating with terrorists. The instant you go down that path there is no return, and you give everyone a financial incentive to become a terrorist. Some may say my analogy is extreme because matousec is not a terrorist. I agree, he most certainly is not. However, it seems matousec is attempting to take Zone Labs "hostage." First he says, I have keys to your palace and if you want them back you must pay. Sounds like extortion to me.
Devil's Advocate
June 9th, 2006, 02:48 PM
Dallen.
-{ Quote: "Do you think Zone Labs became the industry leader by developing an easily exploitable firewall? This is not to say that Zone Alarm is impenetrable, but it is certainly among the best on the market." }-
It's difficult to say. My perception at least is that on the home user market, its reputation as the leading firewall was helped by good marketing strategy rather than pure technical expertise, not to mention excellent PR help from Mr Steve Gibson.
-{ Quote: "Negotiating with matousec and paying for the "exploits," and I use the term loosely, would be a lot like negotiating with terrorists. The instant you go down that path there is no return, and you give everyone a financial incentive to become a terrorist." }-
I'm not going to weigh in on whether it is right to pay money for vulnerabilities, but you might not be aware that such a practice is certainly being done on a fairly large scale by big security companies who offer bounties on serious vulnerabilities, and such information is then used to protect clients, which include big Fortune 500 companies and government entities.
Compared to the sums of money paid by such companies, what matousec is asking for is peanuts really. Of course, I seriously doubt if what matousec found is comparable , but what is sauce for the goose..........
I personally would support the efforts of Matousec; they look creditable enough to me on first sight, with a fairly comprehensive testing methodology. Certainly they exhibit knowledge that surpasses the typical run-of-the-mill poster here, even some credited with the "expert" tag (no offense to the experts with that tag).
dallen
June 9th, 2006, 09:40 PM
-{ Quote: "It's difficult to say. My perception at least is that on the home user market, its reputation as the leading firewall was helped by good marketing strategy rather than pure technical expertise, not to mention excellent PR help from Mr Steve Gibson." }- Mr. Gibson is quite knowledgeable and his endorsement usually is indicative of solid software. PR from the mouth of Mr. Gibson occurs after the development of a good firewall. I do not dispute your thoughts regarding the power of marketing.
-{ Quote: "I'm not going to weigh in on whether it is right to pay money for vulnerabilities, but you might not be aware that such a practice is certainly being done on a fairly large scale by big security companies who offer bounties on serious vulnerabilities, and such information is then used to protect clients, which include big Fortune 500 companies and government entities." }- By "bounties on serious vulnerabilities," I think you are referring to companies that offer rewards for individuals who are able to discover vulnerabilities in their own software. If that is what you mean, that is a completely different animal and it is far more ethically sound.
-{ Quote: "Compared to the sums of money paid by such companies, what matousec is asking for is peanuts really. Of course, I seriously doubt if what matousec found is comparable , but what is sauce for the goose.........." }-From an ethical perspective, my view is that the amount being "demanded" is irrelevant.
-{ Quote: "I personally would support the efforts of Matousec , they look creditable enough to me on first sight with a fairly comprehensive testing methodology. Certainly they exhibit knowledge that surpass the typical run of the mill poster here, even some credited with the "expert" tag (no offense to the experts with that tag)." }-You are of course entitled to your opinion just as I am. We will have to agree to disagree on this point. Your point is well received.
matousec
June 10th, 2006, 05:15 AM
Hello everybody,
this thread seems not to be about vulnerabilities in ZA any more; it is now more about ethics. I respect and welcome all replies here because they show me your reaction, and this is very important for me and my group. You know that I do not agree with many of you, just as many of you do not agree with me and my group. That is common in the real world, I think (and no, I will not call you terrorists because you do not agree with me ;) ).
I could present many arguments against the biggest opponent (dallen) of ours but that is not my point. If dallen is interested in my thoughts he will PM me.
What I want you to think about is the difference between our group and so-called 'penetration testers' or professional beta testers (PT). Like PT, we also have our own methods, exploits and tools we use to find bugs and vulnerabilities. These are not public property and can hardly be public if we talk about commercial groups. If PT publish their exploits, they will soon find nothing. Of course they can use well-known exploits and tools, but such an audit would be good only for very poor companies.
There are probably only three differences between us and PT. The first is that PT are always paid, even if they find nothing. We are paid only if somebody is interested in our results, and only if we find something. The second difference is that the initiator of the analysis of PT is usually the target company. In our case we are the initiator of the tests. And the third difference is that our results are available not only to the target company.
Both of us are commercial and sell vulnerabilities, bugs, etc. Like PT, we do not force anyone to buy our results. If vendors are interested, they can buy our results. However, we will not say that some product is good and secure if we know (and we can prove it) that it is not.
I believe that most of you respect the position of PT and do not call them terrorists. And you probably consider PT the good guys. Now, do you think those three differences between us and PT make bad guys of us? I do not think so. But do you?
BTW: We are going to prove that our results are real, just be patient. It is very probable that in the first week of July 2006 we will start with public advisories. We will present probably only one bug at that moment, but from then on probably every month about 1-5 bugs will be released for 1-3 products. You will be able to read the description of the bug, understand it, download the testing program (including source code), run it (at your own risk, of course) and see the result (e.g. BSOD).
Thank you and have a nice day.
dallen
June 10th, 2006, 07:02 PM
matousec,
Your desire to operate out of the public's eye seems consistent with your unethical business model. I no more desire to communicate with you in private than Zone Labs desires to do business with you.
Rasheed187
June 10th, 2006, 09:25 PM
-{ Quote: "BTW: We are going to prove that our results are real, just be patient. It is very probable that in the first week of July 2006 we will start with public advisories. We will present probably only one bug at that moment, but since then probably every month about 1-5 bugs will be released for 1-3 products. You will be able to read the description of the bug, understand it, download the testing program (including source code), run it (on your own risk of course) and see the result (e.g. BSOD)." }-
I'm looking forward to this because of course we all want to know if your claims are really true. But I have a question (I'm no expert): what do you mean by "Locally exploitable bugs"? Does this mean that apps running on your system are able to completely bypass the firewall?
matousec
June 11th, 2006, 02:04 AM
dallen: I just did not want to be off-topic, that is all. I am not sure what your connection with Zone Labs is, but we are in contact with Zone Labs; they are interested in the case, they want to solve the problem if there is any in their software, and they are not offensive like you. They have behaved correctly during our communication. So I cannot see where your information that ZL does not want to communicate with us comes from. Whether or not ZL will do business with us is still an open question; neither side can confirm your words.
It seems that it is you and only you who wants to make bad guys of us. I do not know why; I would really like you to PM me to explain to me why you say things here that are not true. I am interested in your thoughts and I also would like to explain things to you, but I think all this is off-topic and should be discussed in PM.
Rasheed187: Our definition is in the methodology reference (http://www.matousec.com/projects/windows-personal-firewall-analysis/methodology-reference.php) in section bugs on our site. Simply said if the bug's character is said to be Complete system control and its exploitability is local then yes, apps running on your system are able to completely bypass the firewall.
Devil's Advocate
June 11th, 2006, 04:53 AM
-{ Quote: "Mr. Gibson is quite knowledgable and his endorsement usually is indicative of solid software. PR from the mouth of Mr. Gibson occurs after the development of a good firewall. I do not dispute your thoughts regarding the power of marketing. " }-
You are entitled to your opinion just as I am.
-{ Quote: "By "bounties on serious vulnerabilities," I think you are referring to companies that offer rewards for individuals who are able to discover vulnerabilities in their own software." }-
No. We are talking about third party companies, akin to but not quite like the Pen Testers (with their own special tricks...) that Mat mentions before. It's hardly a big secret.....
See http://labs.idefense.com/vcp.php for example, even though this is hardly news...
Devil's Advocate
June 11th, 2006, 04:57 AM
About Dallen
-{ Quote: "It seems that it is you and only you who wants to make bad guys of us. I do not know why; I would really like you to PM me to explain to me why you say things here that are not true. I am interested in your thoughts and I also would like to explain things to you, but I think all this is off-topic and should be discussed in PM." }-
Relax, it's just one of Dallen's pissed-off issues of the month/year. Once he has some target set in his eyes, there is no turning back or changing his mind.
unhappy_viewer
June 11th, 2006, 05:06 AM
-{ Quote: "dallen: I just did not want to be off-topic, that is all. I am not sure what your connection with Zone Labs is, but we are in contact with Zone Labs; they are interested in the case, they want to solve the problem if there is any in their software, and they are not offensive like you. They have behaved correctly during our communication. So I cannot see where your information that ZL does not want to communicate with us comes from. Whether or not ZL will do business with us is still an open question; neither side can confirm your words." }-
We seem to be getting an entirely different idea from what Zone Labs Forum Moderator is saying:
http://forum.zonelabs.org/zonelabs/board/message?board.id=security&message.id=15510
Seems that ZL's "more official" stance is that they are not trusting you. Note that the forum moderator does not normally lock or delete threads with regard to vulnerabilities found in ZA, so that users can discuss them freely (unless it was already posted before in another thread, to prevent repetition). The thread that had your "vulnerabilities" was instead locked, which is rare.
Wilders Security moderators had deleted your first thread about these "vulnerabilities" too.
matousec
June 11th, 2006, 06:09 AM
-{ Quote: "We seem to be getting an entirely different idea from what the Zone Labs Forum Moderator is saying:
http://forum.zonelabs.org/zonelabs/board/message?board.id=security&message.id=15510
Seems that ZL's "more official" stance is that they are not trusting you. Note that the forum moderator does not normally lock or delete threads with regard to vulnerabilities found in ZA, so that users can discuss them freely (unless it was already posted before in another thread, to prevent repetition). The thread that had your "vulnerabilities" was instead locked, which is rare.
Wilders Security moderators had deleted your first thread about these "vulnerabilities" too." }-
This is probably an action of someone who is not in contact with representatives of ZL because in mails from ZL there is nothing like this. This means that what you write can hardly be an official attitude of ZL.
ellison64
June 11th, 2006, 06:39 AM
I have to agree with Dallen on this one. While matousec really may have discovered vulnerabilities in both Kerio and ZA, the way that matousec has published this leaves a lot to be desired, and does seem to be holding the companies concerned to ransom through spreading fear and suspicion through their user base. First of all, is it really ethical to say
"We do not think there might be a worse personal firewall from the security point of view than Kerio Personal Firewall 4.3.246. We strongly recommend all its users to change the personal firewall" while not actually showing the millions of users what the problems are? Matousec, have you actually contacted Sunbelt about the vulnerabilities, and have they responded? If yes to both, then maybe you should explain to readers what their response and yours was, to warrant your site comments, and maybe get more people to understand your methods. The same goes for ZA. If you were/are in contact with Zonelabs and they want to "solve the problem", then why spread fear and mistrust of their product before giving them the chance to fix it? ...or was that the intended purpose of your reviews? Because that's how it comes across to me. If you found problems and ZA told you to go away, then by all means make it public, but giving the reader a little more info regarding this would be more appropriate, in my humble view.
ellison
dallen
June 11th, 2006, 08:04 AM
Devil's Advocate
-{ Quote: "You are entitled to your opinion just as I am." }-Absolutely. Just because we do not agree on a particular topic does not mean we cannot discuss the matter. After all, is this not how ideas change and people learn?
-{ Quote: "No. We are talking about third party companies, akin to but not quite like the Pen Testers (with their own special tricks...) that Mat mentions before. It's hardly a big secret.....
See http://labs.idefense.com/vcp.php for example, even though this is hardly news..." }-Thank you for clearing this up. Obviously, I did not understand what you were talking about.
matousec
-{ Quote: "dallen: I just did not want to be offtopic, that is all. I am not sure what is your connection with Zone Labs but we are in contact with Zone Labs..." }-I have no official connection with Zone Labs, I am simply a customer.
-{ Quote: "It seems that it is you and only you that want to make bad guys from us. I do not know why, I would really like you to PM me to explain to me why you say here things that are not true. I am interested in your thoughts and I also would like to explain things to you but I think all this is offtopic and should be discussed in PM." }-You have changed my mind. I will be sending you a PM explaining my position and will await your response. I am currently out of town and will be traveling today, so the earliest you should expect the PM is later tonight or early tomorrow morning.
Devil's Advocate
-{ Quote: "
Relax, it's just one of Dallen's pissed-off issues of the month/year. Once he has some target set in his eyes, there is no turning back or changing his mind." }-
You could not be more wrong. However, this goes back to having your own opinion and I will respect yours even if I completely disagree with it.
ellison64,
Thank you for agreeing with me.
unhappy_viewer
June 11th, 2006, 09:17 PM
-{ Quote: "This is probably an action of someone who is not in contact with representatives of ZL because in mails from ZL there is nothing like this. This means that what you write can hardly be an official attitude of ZL." }-
The forum moderator is in fact from ZL and is the only one who can easily communicate with the development team and pass down any news from them. Even the gurus on the board do not have this privilege, and when they want to contact ZL, they have to do so via the normal tech support email and get their reply only a few days later.
Hyperion
June 12th, 2006, 05:10 AM
Briefly, and IMHO. I've read this topic, about ethics, about how ZL should deal with such cases, "terrorists" etc. It's like hearing the CEO of ZL discussing the issue in his administration board. I am the end user customer. My concern is the safety of MY PC, not the ethical problems or blackmails ZL has to deal with.
To use a similar example as before, one may phone Ford and say that he has discovered that in particular driving conditions the car gets out of control, but wants money to reveal these conditions. Now, suppose that I have bought that Ford car; what is my concern? Not to be killed, or whether Ford has to deal with ethical problems? Isn't it an ethical problem for Ford towards me, the driver, that she knew about a potential danger and let me drive the car anyway? OK, let's say that the person that phoned Ford is unethical; what does this make Ford towards me? Ethical?
IMHO, if these exploits are REAL and are exploited maliciously, the fallout will be a lot worse for the reputation of ZL, because the client will simply lose faith in the firewall, just like I don't trust Kerio firewall 4, since I've been using it from the early betas and it has caused me so much trouble with bugs that I simply won't use it even if they tell me that it's OK. If I were ZL, to protect my reputation, I would buy 1 (as a sample) of the supposed vulnerabilities. If it's true, then it would become serious. If it is not, I would make a joke out of the author, divulging the results with all means available, and then sue him, if not for fraud, at least for maliciously blackening the reputation of my leading product (and I suspect the court would grant me compensation well over $200). But as I said before, that's not MY problem. It's ZL's problem. ZL has to decide what's better for her reputation; I have to decide what's better for the safety of my PC.
Now, I say openly that I use ZA Free, so anyone can reply with "you didn't buy it, so why complain?". But I don't think it would be a rational reply, but rather a sophism. If I had ZA Pro, I would have wanted the same thing. No matter if your parents donate you a car or you buy it, you want it to drive safely. That's the bottom line for me.
Regards
aigle
June 12th, 2006, 06:13 AM
-{ Quote: "To use a similar example as before, one may phone Ford and say that he has discovered that in particular driving conditions the car gets out of control, but wants money to reveal these conditions. Now, suppose that I have bought that Ford car; what is my concern? Not to be killed, or whether Ford has to deal with ethical problems? Isn't it an ethical problem for Ford towards me, the driver, that she knew about a potential danger and let me drive the car anyway? OK, let's say that the person that phoned Ford is unethical; what does this make Ford towards me? Ethical?
" }-
Hi, your logic is wrong. It's rare for cars to have big issues so often. On the other hand, software is never so complete; it always has vulnerabilities, and if you cover one, another comes. (BTW, I don't mean that ZA people should not care for this, but the way of these so-called analyzers is just like blackmailers. I really hate this attitude. Why don't they make a firewall themselves without serious vulnerabilities if they are so capable, and people will be happy to pay them money in that case? They seem to be destructive-minded rather than constructive.)
Hyperion
June 12th, 2006, 07:05 AM
-{ Quote: "Hi, your logic is wrong. It's rare for cars to have big issues so often. On the other hand, software is never so complete; it always has vulnerabilities, and if you cover one, another comes. (BTW, I don't mean that ZA people should not care for this, but the way of these so-called analyzers is just like blackmailers. I really hate this attitude. Why don't they make a firewall themselves without serious vulnerabilities if they are so capable, and people will be happy to pay them money in that case? They seem to be destructive-minded rather than constructive.)" }-
You're right. Cars don't have problems so often. The issue is still there though. You keep saying what ZA people should do. I don't know what you are; I know that I am an end user. So, if I get hacked, or my father's business is, and I get to know that it was part of these famous vulnerabilities, should I be angry with ZL or not? Or should I feel OK, because I support ZL in their ethical confrontation with the author, while I HOPE that those vulnerabilities are not real?
In my opinion, things are 2. Many things in life are unethical. But blackmail is illegal, not unethical. So, to get things straight: if this is blackmail, ZL should sue him. If they believe it's a lie, they should sue him. Leaving it pending in mid air doing nothing is only damaging their own figure, even if the author for moral reasons can be seen as immoral. If it's unethical, they should figure out what's better for their reputation. If their end users get hacked, they won't care about ZL's ethics. That's what I'm trying to say.
Hyperion
June 12th, 2006, 07:30 AM
P.S: ZL is in the security camp, not just any software. Leaving supposed "critical" vulnerabilities without any other reply than "it's immoral", "they're blackmailing us", "we don't know if it's true" isn't very reassuring for the customer, at least in my mind. You don't want to pay? Then make your staff find them themselves, so that no other guy from outside can claim he found them first. You claim it's blackmail or a lie? Fine, sue him; both are illegal, so that your customers can come to your support and back you up against him and let the Law judge who's right.
But leaving it like that? If they keep accumulating "vulnerabilities", simply it will acquire the fame of Sygate, who never bothered to close the proxy vulnerability, or IE6, because they don't bother to fix the holes quickly. What will ZL keep saying? "It's always that author who keeps finding supposed vulnerabilities, so don't believe him, because it's immoral"?
Today's society is about being paid for everything, not morality. I'm a medicine student. You've no idea of what deals happen behind the backs of the masses of people to promote a drug, or how to grab first a "potentially" or "promising" molecule from a small independent research center before another drug company grabs the patent on it, or the "blackmail" that you, as a patient, get, even if you don't know it, just because your doctor is taking "rewards" from a certain drug company to prescribe HER drugs to you instead of another drug that may be even better or cheaper, but is from another "competitor" company. Or do you ever wonder how drugs approved by the state authorities as safe sometimes happen to be proven later dangerous for health? Because "blackmails" happen all the time to doctors who do the trials, to state officials etc., in order to accelerate the release in commerce. And people get scandalised for $150 about a firewall?? ;D OK, one can be scandalised, but for the end user, I don't think it can be left like that forever.
Anyway, I'm not trying to convince anyone, and usually in a forum you don't convince anyone. I just wanted to say my opinion from the POV of how a user feels, not how ZL feels. I mean, I use ZAF because I think it's safe, not only because it's free. They give a free version, so it's good for them too. In a couple of years, when I'll be a doctor and won't mind so much about money anymore, if I still have faith in ZL, I'll probably buy the Pro, since I like ZA (that's the idea behind free versions anyway). But if I don't have faith in ZL's policy anymore, I'll go buy another firewall, since the choice of paid firewalls is much wider.
Regards
dallen
June 12th, 2006, 08:52 AM
Hyperion,
The real question to be asked is whether you will "buy the Pro" with money that entered your pocket as a kick-back from a pharmaceutical company. I hope that you become part of the solution and not part of the problem.
Regarding your Ford analogy, I think it would be prudent for Ford to at least look into your claims of discovery. It could even be negligence if they did not. However, they should do so quietly as not to invoke fear into their customer for what may later prove to be no good reason.
dallen
June 12th, 2006, 09:13 AM
I have been communicating with matousec privately (something that I had previously stated I would not do) and my opinion has changed (not entirely, but rather partially).
Contrary to Devil's Advocate's earlier statement:
-{ Quote: "Relax, it's just one of Dallen's pissed-off issues of the month/year. Once he has some target set in his eyes, there is no turning back or changing his mind." }-which I consider to be total crap. I do not target companies or individuals and I most certainly maintain an open mind, which is subject to change. In fact, my opinion of him/her recently changed.
My exchange with matousec has caused me to reconsider my stance. In my message to matousec I informed him that ethics are based on values and values are a function of cultural norms. Therefore, what may be unethical to me based on my beliefs and values may be perfectly acceptable to a person raised in another culture. However, I maintained that what he was doing and the way he was going about it did not sit well with me.
After having taken the time to better understand his points of view and learn a little about his thinking, my initial conclusion was both premature and overly harsh.
I do not retract my words, nor do I entirely withdraw my conclusion. However, my "terrorist" comments that compared matousec's approach to that of a hostage taker were inaccurate. matousec seems like a businessman whose intentions are to profit from the improvement of security.
Zone Labs should, in my opinion, maintain their position publicly while privately exploring whether matousec's claims are legitimate. Not exploring the possibility could be seen as being negligent in the future.
Hyperion
June 12th, 2006, 09:46 AM
-{ Quote: "Hyperion,
The real question to be asked is whether you will "buy the Pro" with money that entered your pocket as a kick-back from a pharmaceutical company. I hope that you become part of the solution and not part of the problem.
Regarding your Ford analogy, I think it would be prudent for Ford to at least look into your claims of discovery. It could even be negligence if they did not. However, they should do so quietly as not to invoke fear into their customer for what may later prove to be no good reason." }-
I hope I will be part of the solution too, and maybe I'll accompany my ZA Pro order with certification that I didn't use immoral ways to earn the money with which I'll pay, since ZL's policy is revolving so much around morality ;D Everyone has to deal with his own conscience, not only with the law. If I were matousec, I would have conscience problems, but he is not me, and unless ZL considers him to be acting illegally, the way he wants to make his money is a secondary concern of mine, the end user. At the end, the user has a relation with ZL, not with matousec.
I agree with your Ford comment too. But we keep talking of how Ford/ZL sees the issue. The problem here is that the issue has gone public and ZL doesn't seem to care. This isn't "news". I've heard of this claim some time back. It's public. And it seems that ZL has still done nothing to approach the immoral author or take any action, for that matter. So, I would like to understand, according to you, an average ZA user that happens to read matousec's site or ZL's user forum, or reads this news in various sites, not necessarily specialized in security, but off-topic, what is he going to think? Sympathize with ZL and think "oh, heck, that matousec is just another lunatic script kiddie who wants money selling hot air, poor ZL, no discussion with blackmailers!"? I sympathize with ZL, but I like my PC more.
I mean, is there a worse fear than uncertainty? You've studied psychology. I think the users will feel MUCH more relieved to know that ZL has taken legal action against him, or has denied his claims publicly, or is otherwise negotiating with him, or has admitted the vulnerabilities are true and will be fixed. I guess we'll have to wait till July and see if the released "free" advisory is real or not, and whether ZL will then decide to do something about it or will continue to ignore the issue because of the immoral means the author uses.
Anyway, from the replies till now, I guess most users take ZL's sentiments into consideration as first priority, although it comes as a surprise to me, but human nature is an abyss.
I really have nothing more to add,i m starting repeating my previous posts.
dallen
June 12th, 2006, 10:00 AM
Regarding the "legal action" proposition, I cannot speak to whether matousec has violated any laws. I am sure, however, that Zone Labs has very capable legal representation that will make that determination. That being said, one would have to ask if doing so is a good business decision. After all, wouldn't it be cheaper to simply buy the potential exploits and prove whether matousec is right or wrong?
Perman
June 12th, 2006, 11:07 AM
Hi, folks: So much has been debated, discussed and concerned. The issue, or so-called problems, still has not been dealt with by ZL (at least publicly). We can debate the legal issue between ZL and the KID all night long; what about the class action suit which may arise due to the negligence of ZL? Another kind word for ZL, this time for the CEO: it is time for you to speak up, telling your loyal clients what your position is on this critical issue. Are you still sitting in your ivory tower looking out at the black clouds? My grandfather often told me: when it rains, it often pours. I do hope your roof does not leak.
Hyperion
June 12th, 2006, 11:27 AM
-{ Quote: "Regarding the "legal action" proposition, I cannot speak to whether matousec has violated any laws. I am sure, however, that Zone Labs has very capable legal representation that will make that determination. That being said, one would have to ask if doing so is a good business decision. After all, wouldn't it be cheaper to simply buy the potential exploits and prove whether matousec is right or wrong?" }-
You are probably right. I don't know if it can be legally defined as blackmail; if yes, in that case ZL may profit, not so much economically speaking but as policy, by "cutting the knees" of any future "matousecs" that would dare to think of doing the same. If the vulnerabilities don't really exist, it would again be a nice lesson to others, plus it could be used as promo to show that "ZA is a secure firewall and even certified by a judge".
If we go even further, it may be even cosier for ZL to... hire matousec, if it comes out that he did find these vulnerabilities. I don't say either that ZL MUST take legal action. What counts for me much more than the above, which are ZL's headaches, not mine, is that as a user I would expect ANY kind of action. Something. Like I wrote before: "I think the users will feel MUCH more relieved to know that ZL has taken legal action against him, or has denied his claims publicly, or is otherwise negotiating with him, or has admitted the vulnerabilities are true and will be fixed."
My problem is that from ZL there has been silence since this issue came up. I would feel more reassured for the time being with a statement like "ZL is aware of the claim and is currently conducting extensive testing of the firewall in order to determine its next move and the seriousness of the claims". Instead, silence; they close the topics in the forum and everyone is happy. From that one can assume anything he likes. Are they trying to find out if the vulnerabilities are true so as to decide on legal action or not? Did they manage to find 1 or 2, so they are trying to find more on their own and avoid paying him for all? Did they find nothing and decide to ignore him, because they don't want this issue to get more publicity? Did they find something, but don't want to acknowledge it, because it could lead to a new kind of "matousecs", a kind of "freelance" immoral security analyzers that will follow his example and start this peculiar type of activity (either pay me or I'll say in public that you've got holes in your software)? I don't know. It's like waiting for the doctor to tell you *something*, because the patient in the bed next to you says "Hey, I've seen your symptoms before, you have the 'x' disease".
ellison64
June 12th, 2006, 11:43 AM
I guess we'll all have to wait and see what the holes are. Considering there are supposed to be so many, I don't hear or see many posts regarding catastrophic security breaches at present of either ZA or Kerio. Of course the holes, if present, should be patched. I still think matousec could do with a good PR guy though, the way this whole issue has been presented and appears.
ellison
dallen
June 12th, 2006, 12:02 PM
-{ Quote: "I still think matousec could do with a good PR guy though ,the way this whole issue has been presented and appears.
ellison" }-
...and a good lawyer by the sound of things.
Hyperion
June 12th, 2006, 12:35 PM
-{ Quote: "...I still think matousec could do with a good PR guy though ,the way this whole issue has been presented and appears.
ellison" }-
I agree. For someone "new" in the sector, his approach has been as careful as a bull in a shop selling crystal decorative items. He may be good, he may be a genius, but I doubt he gained many sympathies in either the product vendors' or the users' camp.
unhappy_viewer
June 12th, 2006, 08:06 PM
-{ Quote: "I still think matousec could do with a good PR guy though ,the way this whole issue has been presented and appears.
ellison" }-
The best place to get good PR (and for free) would be to submit the discovered vulnerabilities to Secunia, have them verify the bugs exist and rate how critical the bugs are.
Perman
June 12th, 2006, 08:12 PM
Hi, folks: I have made a painful decision: due to stubborn inaction and persistent silence from ZL, I jump the ZA ship and continue my sailing with OUTPOST FW, updated to version V.4 today. I do hope Agnitum has a different mentality towards new discoveries, and never will let their clients STAND ALONE.*puppy*
ned kelly
June 12th, 2006, 08:57 PM
-{ Quote: "Hi, folks: I have made a painful decision: due to stubborn inaction and persistent silence from ZL, I jump the ZA ship and continue my sailing with OUTPOST FW, updated to version V.4 today. I do hope Agnitum has a different mentality towards new discoveries, and never will let their clients STAND ALONE.*puppy*" }-
I had been a loyal user of Outpost firewall, but reading Perman's reason for jumping ship has also made me want to change firewalls. I have now decided to use ZA Pro 6.5, since Agnitum are going to use matousec to test their firewalls...
unhappy_viewer
June 13th, 2006, 03:54 AM
-{ Quote: "Hi, folks: I have made a painful decision: due to stubborn inaction and persistent silence from ZL, I jump the ZA ship and continue my sailing with OUTPOST FW, updated to version V.4 today. I do hope Agnitum has a different mentality towards new discoveries, and never will let their clients STAND ALONE.*puppy*" }-
ZL is not the only one to be silent. Sunbelt Software have also been keeping quiet about their views on this post. Does that make both Zone Labs and Sunbelt Software bad companies? If it does, god help the computer community, since firewalls from these two companies have the largest market share in the world.
ellison64
June 13th, 2006, 12:09 PM
-{ Quote: "Hi, folks: I have made a painful decision: due to stubborn inaction and persistent silence from ZL, I jump the ZA ship and continue my sailing with OUTPOST FW, updated to version V.4 today. I do hope Agnitum has a different mentality towards new discoveries, and never will let their clients STAND ALONE.*puppy*" }-
Unless you have made an error with the build number (or are an Agnitum beta tester), version 4 of Outpost is still a beta and not publicly released yet, so you could end up with a bigger security headache than by staying with ZA.
ellison
larryb52
June 13th, 2006, 12:30 PM
-{ Quote: "Unless you have made an error with the build number (or are an Agnitum beta tester), version 4 of Outpost is still a beta and not publicly released yet, so you could end up with a bigger security headache than by staying with ZA.
ellison" }-
ZA 6.1 is good, but 6.5 is a nightmare. I'd go with Kerio, and have on my laptop... Outpost is making a serious mistake to deal with those guys.
zopzop
June 13th, 2006, 12:53 PM
-{ Quote: "The best place to get good PR (and for free) would be to submit the discovered vulnerbilities to Secunia, have them verify the bug exist and rate how critical the bug is." }-
Why don't they do this:
Submit ONE of each type of flaw (critical, serious, medium, minimal) in ZoneAlarm (total no more than 4) to Secunia. IF Secunia verifies these flaws as legit, THEN matousec will be vindicated. JMHO.
Velnias
June 13th, 2006, 02:40 PM
Very funny - so ZA security flaws are matousec's headache 8)
Copyright ©2002 - 2012, Wilders Security Forums