Epilogue

Unlike other personal firewalls, ZoneAlarm Pro includes Application Control to protect against known and unknown Internet threats. Application Control monitors all outbound traffic to prevent rogue applications from transferring your valuable data to a hacker. With ZoneAlarm Pro, you're in control with the ability to specify which applications, known or unknown, can be trusted to access the Internet.
  -- http://www.zonelabs.com November 2001

So Tom Liston finally tired of Gregor Freund and reported the matter to BugTraq. And although the ensuing mailing list discussion was feverish, the BugTraq editors, obviously feeling allegiance elsewhere, bowed to Zone Labs, allowing the publication of one very flimsy rebuttal by McAfee's appointed spin doctor Te Smith, and then dutifully killing the entire story.

At Intrusions Zone Labs did not fare as well, guru after network guru denouncing the 'smoke' they saw. In a startling attack, the editor of the Intrusions list came out in support of Tom Liston, citing Gregor Freund's attempted coverup as the best reason yet to defend full disclosure.

And as Matt Scarborough so elegantly put it - 'It seems to me that any Personal Firewall vendor making the claim that its product protects against 'known and unknown Internet threats' would have somehow stumbled across the capabilities of packet injection using alternative device drivers.' - Zone Labs could deny either incompetence or hypocrisy, but not both.

The ultimate irony - and perhaps the explanation of one of the more embarrassing moments in Internet history - is that Gibson's infamous 'raw sockets' may finally be stopped - on boxes running ZoneAlarm at least.

Perhaps there was another explanation for it all.

Note: As of June 2002, the Sygate, Look 'n' Stop, and Kerio (Tiny) firewalls all perform proper link layer filtering. The Look 'n' Stop people contacted the Hackbusters with a general proposal for handling packets 'outside the normal loop' and went on to implement it successfully. Sygate also took it upon themselves to contact the Hackbusters and get link layer filtering running correctly.

Zone Labs continues to stir the pot at GRC, while ZoneAlarm keeps on silently 'eating' the packets it cannot control.

Prev | TOC