20 Nov 2001 16:29:08
Tom trying to prove that patience is a virtue.
From: Tom Liston
To: Gregor Freund
Date: Tuesday, November 20, 2001 16:29:08
Subject: OutBound / ZoneAlarm / LaBrea@Home

Mr. Freund,

The issues surrounding the development of 'OutBound' are somewhat
complex. If you visit my website (http://www.hackbusters.net), you
will find that I am the author of a program called LaBrea.

LaBrea is an application that creates a 'tarpit' or a 'sticky
honeypot' using several 'tricks' of tcp/ip to cause connection
attempts against unused IPs on a netblock to become 'stuck'.

It is a proactive network defense, and it has been enormously
popular with systems administrators. When used without its
'persist' mode capturing enabled, LaBrea actually reduces network
traffic resulting from worms, port scans, and the like-- increasing
available bandwidth. When 'persist mode' capture is enabled,
connections are captured and held open for days and weeks at a time
with very little impact on available bandwidth.

It was in the process of writing LaBrea for Win9x/ME/NT that I
discovered the holes in ZoneAlarm. This new program (called
LaBrea@Home) is complete, and I would like to be able to distribute
it. Unfortunately, it is working proof that ZoneAlarm doesn't live
up to its claims to block outbound traffic. It works without
ZoneAlarm asking whether it should be allowed access to the
internet. It works while ZoneAlarm's 'InternetLock' is active. It
works by sending out packets using the same packet libraries as
OutBound. I use these libraries in order to craft the packets
necessary to 'tarpit' inbound connections.

I have held off releasing LB@Home. I thought that I would give Zone
Labs the opportunity to respond to the issues with ZoneAlarm.
Unfortunately, since pointing out the flaws in your product, the
chain of events has been as follows:

1) I was told that I didn't know what I was talking about. That I
was 'incorrect' in my assessment that ZoneAlarm 'leaked'.

2) I was told that what I was seeing was a result of my system being
'misconfigured'.

3) I was told that ZoneLabs and others had tested ZoneAlarm against
the very 'issue' I described, and that it had always passed (and
continues to pass) these tests.

All of this without running OutBound once.

4) Suddenly, after running OutBound, I was told that you had 'mixed
results.' It was quite obvious from the 'OutBound' web page at
HackBusters, and the amount of time that you spent working, what
those 'mixed results' were.

5) Yesterday, you informed me that you 'had a fix', that it was
'straight forward'. You said that 'the way the packet.vxd links to
NDIS is a bit unusual and the code doesn't work on NT right now.'

Imagine my surprise to find that you spent three hours doing what
appeared to be a repeated test of OutBound against ZoneAlarm on a
Win98 machine last night? Can you please explain why that testing
gives every indication that you DON'T have a fix?

It seems obvious that you've been less than forthcoming ever since I
initially pointed out the problems with ZoneAlarm. My patience with
this situation is wearing thin. I am intentionally NOT releasing an
application simply because it might cause your company
embarrassment, but I am quite near to the point where I can no
longer justify that decision. MY software works, yet it can't be
released because YOUR software DOESN'T. Rather than 'keeping me
informed' as you promised, you've done nothing but blow smoke. My
suggestion to you would be this: tell me the FULL and unvarnished
truth about the situation. After that, I can make an informed
decision about whether to release LaBrea@Home.

If you haven't responded by the close of business today, I will
release LaBrea@Home and leave it to ZoneLabs to come up with some
'spin' to explain HOW it works.

-TL