1st july....bugs in zonealarm

Discussion in 'other firewalls' started by ned kelly, Jul 1, 2006.

Thread Status:
Not open for further replies.
  1. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    Matousec did mention that he was engaged in talks with Zone Labs relating to his "discoveries." It will be interesting to see what happens if he uses this as justification for not speaking publicly on the issue.

    My concern is that he made serious claims publicly. If he uses formal talks as an excuse for not justifying his claims, then we may never know if he is for real, or not.

    After all, I could now claim to have uncovered many serious flaws in Microsoft's OS. When people ask me to qualify my claims all I have to do is to state that Microsoft has contacted me regarding a deal; therefore, I cannot comment on the details. Am I for real or a phony?
     
  2. strangequark

    strangequark Registered Member

    Joined:
    Jun 22, 2005
    Posts:
    296
    Location:
    OZ
    I think he's waiting till the 1st of April to tell us it's just been one big April Fools' joke.
     
  3. matousec

    matousec Registered Member

    Joined:
    May 17, 2006
    Posts:
    32
    Re: matousec

    Hello dallen, ned, everyone,

    You are so impatient, dallen. It was also a new experience for me to see how slow the communication with a big company can be. But I can assure you that we are closer and closer to making a deal with Zone Labs and Sunbelt. And also, if we are not asked by the vendor not to speak about it (and I really think we will not be asked, because there is no reason for it), we will inform everyone about the results on our site AFTER something is finished in this. We plan to write a longer report on the first phase of our analysis after Outpost 4 is tested.

    I can see that you care only about Zone Labs and ZoneAlarm, but we are not limited to only one vendor. We have already released four advisories: one for ZoneAlarm, one for Kerio, one for Norton, one for BlackICE. There is no reason to prefer one product when we have always (sooner or later) received a response from the vendor. I can see you are greedy to see more on ZoneAlarm because you use it. I can understand that, but that is all. You should try to look at the thing from our point of view too. We will not prefer ZoneAlarm in our advisories, especially not when we are close to making a deal with them.


    You are false. Find that statement, link it. There is no such statement. What was said was not about ZoneAlarm, it was in general, and that is what happens. We publish at least one advisory about a personal firewall vulnerability every 14 days and we will try to keep this frequency in the future for as long as possible. Now count with me: it has been a month since we started with this, and we are on four advisories now. It was one advisory a month ago, two advisories 14 days ago and one yesterday. Please do find that statement of mine if you do not believe or agree with what I am writing now.


    ;) Would be nice if we are able to continue with this frequency up to 01/04/07.
     
  4. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    Re: matousec

    I have tried, but it is difficult to do because you insist upon remaining cloaked in secrecy. It seems that you expect people simply to trust you without proof. In this case, I think the phrase "trust, but verify" is appropriate. You are not allowing us to verify.

    Shouldn't you also try to look at the thing from our point of view too? When you do, keep in mind that many people in this industry over-promise and under-deliver.
     
  5. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    Hi dallen.


    The information you want is probably close to the information matousec wants to sell. From that perspective I find it perfectly normal that matousec hides behind trade secrets. Have you not heard of Apple suing people who leak trade secrets?

    In any case I highly recommend that you forget matousec, hope there is a deal made, and you'll end up with a better product. There is no sentence or action of yours questioning his credibility that will push him to release such results for free. I understand the current release of information as a tease to let him make a deal with a company.

    I do not understand what he is doing on this forum, as it should be between him and them. It may be part of another "hey-look-at-me" tease to conclude the deal. In any way there is nothing positive you'll get by posting about insecurity and probability. It's a tease ... it's all about probability.
     
  6. Legendkiller

    Legendkiller Registered Member

    Joined:
    Jun 29, 2006
    Posts:
    1,053
    This is his review for Norton firewall 2006:
    Norton Personal Firewall 2006 version 9.1.0.33 - Review

    Just see what he has written :eek: :eek: :eek: .... I haven't seen a more absurd, foolish, jocular and laughable review of a security product in my life...
    I don't claim to be even a "very experienced" firewall user, let alone an expert, but my 6 years of computer security product usage has taught me enough to claim that this review just tries to brainwash users, with no material claim, into not using some of the best security products....
    And the most stupid comment is his "design bugs" :D :D :D :D
    Please, guys, don't waste your time on such rubbish!
     
    Last edited by a moderator: Aug 2, 2006
  7. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    f3x,
    I respect your words and you raise some valid points.

    matousec,
    Above I have highlighted the gist of your conclusions about four major firewalls. Note that of the four conclusions available on your website, not one is positive. Based upon your own conclusions, are you saying that four of arguably the most popular firewalls on the market available to consumers are, in your words, "insufficient", "worse...security [available]", "very poor", and "lowest possible [protection]" and that consumers should not rely on any of them for protection? That seems to be what you are saying. In that case, should we follow your advice and go without a firewall altogether? Or maybe we should only go without a firewall until your "deal" is complete.
     
  8. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    Hi dallen
    After reading the quote you posted, I understand your reaction a bit better.

    Matousec might have found some issue concerning inside security

    (e.g. if a computer is infected by a trojan, this trojan might make ZoneAlarm crash again and again until the user uninstalls the firewall and the trojan has a free path to the net outside).

    However, such an issue does not let him judge the usability or desirability of a product (which you have summarised as a bold claim).

    In any way, if the computer is not protected by a HIPS, one can always modify the memory of this app and make it crash on demand, no matter if there is a bug or not. So being able to crash a program because of a bug does not make it less desirable than a bug-less, feature-less app that can anyway be crashed.

    -----------------------
    matousec:
    On another note... for the poll, you make it very hard to access and vote for the less popular choices.
    Combined with the fact you can vote only once, this eliminates most of the chance for the smaller options.
     
    Last edited: Aug 2, 2006
  9. matousec

    matousec Registered Member

    Joined:
    May 17, 2006
    Posts:
    32
    Hello,

    dallen,
    I do not think I have ever said that people should not use a personal firewall; read the articles on our site, it is clearly said there that people really should use one. Personally I think that a desktop firewall is a much better thing to buy than an antivirus or antispyware, because protection based on patterns can be easily bypassed.

    f3x, dallen,
    HIPS is something that every personal firewall should include in its security concept; if it is missing, the firewall is useless, and it is a big bug in the security design of such a product. When we analyse personal firewalls we check their behaviour in lots of situations. If you read the article on our site called 'Design of ideal firewall' you can easily imagine many of these situations. I can give you an example. It is very common that someone discovers a bug in a popular Internet browser; it can be Mozilla/Firefox or Internet Explorer or Opera or whatever you use. We hear about such bugs often. Then it is enough for you to surf to the wrong page and you can get some badware without notice. And there are many other ways badware can appear on your computer. Then it is up to your personal firewall to protect your system.
    Now tell me what your personal firewall protection (e.g. protection of outbound connections) is good for when that malicious application can ask your firewall to disable itself for a while / kill it / infect a trusted program, and then access the Internet without any user alerts? This is how botnets are created, and there are millions of computers connected to botnets. So, I do not think this is not a serious problem.

    dallen,
    about those four products. They are all far from the ideal design, but ZoneAlarm is much closer than the others, which is probably good news for you as its user. What I say is not "stop using your ZoneAlarm and use nothing". I say use it, and the moment we find something better you should consider trying the better one. But of course it is always about what you expect from your personal firewall. If you know that the above-mentioned threats cannot affect you, then there is no reason to change it (maybe no reason to use a personal firewall at all).
     
  10. unhappy_viewer

    unhappy_viewer Registered Member

    Joined:
    Sep 16, 2005
    Posts:
    259
    matousec,

    I think the reason why many people doubt your claims is that you don't release full details about all the bugs that you have found, don't have an external source like Secunia to verify how serious your bugs are, and you want to charge companies to buy the details of the 'supposed bugs'.

    In your signature and website, you have the words 'Transparent Security'. 'Transparent' in my view means that the person can easily be held accountable for any actions. A transparent government is a government that can be held responsible by the people of the nation for the decisions it makes. And in many countries, governments do so by allowing documents to be easily accessible to the public; e.g. in Australia, we have the Freedom of Information Act. Technically any citizen requesting a set of documents should easily be able to get hold of them so they can verify what the government is doing.

    Unfortunately in your case, it's the other way round. You don't release full info about a bug, so people don't know the details. You don't let people like Secunia verify these bugs, and so we don't know if what you have found are legitimate bugs or not. And thirdly, you ask security companies to pay for details of the bugs, which is pretty absurd, as you make yourself hard to be taken seriously, especially when you are a new person in this field and don't even have a reputation to back yourself as a responsible individual. I know companies often give out rewards (like free software or cash bounties) to people who submit bugs without demanding something in advance.

    Trust and respect need to be earned, but at the rate you are going, it's going to take you a long time to build up sufficient trust and respect.
     
  11. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    unhappy_viewer,
    I think that your astute observations are right on the money. matousec would be in a better position if he were to have established himself and developed a reputation before utilizing his current modus operandi. His reputation cannot be relied upon to verify his claims because he has not established one. He refuses to prove his claims. How can he expect to be trusted on blind faith alone?

    matousec,
    You seem very nice and are always polite, even when faced with this sort of criticism. I respect that. Consider the following: this forum would not exist if it relied only on those computer users that possessed the sort of blind faith your methodology requires. As a population, Wilders Security Forum users are inherently vigilant, and you should expect that the blind faith and trust your method requires would not be welcomed here with open arms.

    *This opinion is solely my own and I do not speak for Wilders Security Forums nor every user.
     
    Last edited: Aug 3, 2006
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    At the end of the day I just hope that ZoneLabs will fix all these bugs resulting in a more secure ZA Pro firewall. I will salute you for this Matousec, please keep us posted! :D
     
  13. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    I will salute matousec as well, if the result of his efforts is that Zone Alarm is improved or that I discover a better firewall. In other words, I will salute matousec if, in any way, I benefit from his efforts.

    That being said, at this time, I do not anticipate having to salute matousec. I hope I am wrong.
     