
20 Nov 2001 16:29:08

Tom trying to prove that patience is a virtue.

   From: Tom Liston
     To: Gregor Freund
   Date: Tuesday, November 20, 2001 16:29:08
Subject: OutBound / ZoneAlarm / LaBrea@Home


Mr. Freund,

The issues surrounding the development of 'OutBound' are somewhat 
complex. If you visit my website (http://www.hackbusters.net), you 
will find that I am the author of a program called LaBrea.

LaBrea is an application that creates a 'tarpit' or a 'sticky 
honeypot' using several 'tricks' of TCP/IP to cause connection 
attempts against unused IPs on a netblock to become 'stuck'.

It is a proactive network defense, and it has been enormously 
popular with systems administrators. When used without its 
'persist' mode capturing enabled, LaBrea actually reduces network 
traffic resulting from worms, port scans, and the like-- increasing 
available bandwidth. When 'persist mode' capture is enabled, 
connections are captured and held open for days and weeks at a time 
with very little impact on available bandwidth.

It was in the process of writing LaBrea for Win9x/ME/NT that I 
discovered the holes in ZoneAlarm. This new program (called 
LaBrea@Home) is complete, and I would like to be able to distribute 
it. Unfortunately, it is working proof that ZoneAlarm doesn't live 
up to its claims to block outbound traffic. It works without 
ZoneAlarm asking whether it should be allowed access to the 
internet.  It works while ZoneAlarm's 'InternetLock' is active. It 
works by sending out packets using the same packet libraries as 
OutBound. I use these libraries in order to craft the packets 
necessary to 'tarpit' inbound connections.

I have held off releasing LB@Home. I thought that I would give Zone 
Labs the opportunity to respond to the issues with ZoneAlarm. 
Unfortunately, since pointing out the flaws in your product, the 
chain of events has been as follows:

1) I was told that I didn't know what I was talking about. That I 
was 'incorrect' in my assessment that ZoneAlarm 'leaked'.
2) I was told that what I was seeing was a result of my system being 
'misconfigured'.
3) I was told that ZoneLabs and others had tested ZoneAlarm against 
the very 'issue' I described, and that it had always passed (and 
continues to pass) these tests.

All of this without running OutBound once.

4) Suddenly, after running OutBound, I was told that you had 'mixed 
results.' It was quite obvious from the 'OutBound' web page at 
HackBusters, and the amount of time that you spent working, what 
those 'mixed results' were.
5) Yesterday, you informed me that you 'had a fix', that it was 
'straight forward'. You said that 'the way the packet.vxd links to 
NDIS is a bit unusual and the code doesn't work on NT right now.' 
Imagine my surprise to find that you spent three hours doing what 
appeared to be a repeated test of OutBound against ZoneAlarm on a 
Win98 machine last night? Can you please explain why that testing 
gives every indication that you DON'T have a fix?

It seems obvious that you've been less than forthcoming ever since I 
initially pointed out the problems with ZoneAlarm. My patience with 
this situation is wearing thin. I am intentionally NOT releasing an 
application simply because it might cause your company 
embarrassment, but I am quite near to the point where I can no 
longer justify that decision. MY software works, yet it can't be 
released because YOUR software DOESN'T. Rather than 'keeping me 
informed' as you promised, you've done nothing but blow smoke. My 
suggestion to you would be this: tell me the FULL and unvarnished 
truth about the situation. After that, I can make an informed 
decision about whether to release LaBrea@Home.

If you haven't responded by the close of business today, I will 
release LaBrea@Home and leave it to ZoneLabs to come up with some 
'spin' to explain HOW it works.

-TL

Copyright © Radsoft. All rights reserved.