Full Disclosure mailing list archives
Cringely's FUD-spreading leads to broken workarounds being suggested
From: "Dave Korn" <davek_throwaway () hotmail com>
Date: Thu, 9 Feb 2006 16:51:25 -0000
[ For those who are getting bored and would like to know something interesting, there is some actual technical and security-related ON-TOPIC content toward the end of this post! ]

Ivan . wrote:

> nice personal attacks, a great display of your intellect.
I have little patience with anyone who repeatedly misrepresents what I have said and then proceeds to throw strawman arguments at me. You were the one who started with the patronising comments to "read the article again Dave" as if I was some kind of idiot who couldn't see what was in front of my eyes, but you then posted a link to a /different/ article which was by someone else, because the article that you originally posted a link to, and to which I was responding in my first post, had all the failings that I described of it, and did not have the evidence that you claimed it did. And you know, just because you posted a link here, and I posted something critical of that article, doesn't mean you should react as if I was criticising you, but you jump down my throat with a patronising and emotional overreaction. Stop being so precious.
> > My first post in this thread claimed that Cringely was spreading FUD, and had provided no evidence to back up his claim.
>
> No, your first post was this:
>
> > Without seeing the content of these packets, I don't see how Cringely can claim to know whether there's anything spyware or not about it. There is no *evidence* for his claim. I'm always suspicious of people who claim to have observed 'spyware phoning home' but who are then completely unable to give any details about the contents or destination of the packets, since it means that they are claiming something that they don't actually know at all.
I don't understand why you don't see that that paragraph is accusing him of FUD-spreading. What else is FUD but vague and unproven accusations of something-bad-going-on?
> His only claim was that zonealarm "phones home" even when all the communication options are disabled. I can't find any claim of spyware as you indicated.
Well, you and me clearly read differently. You can't find any claim of spyware. Yet the article is titled "A perfect spy". He describes ZA's perfectly ordinary auto-update function (which is in no way any different from any other auto-update function in any other 'net-enabled application) as "surreptitious" and "encrypted", and he ends with this throw-away line about how "there's no truth to the rumor that the NSA used ZoneAlarm to spy on U.S. citizens", when nobody has in fact been spreading any such rumour. To me, it's perfectly clear that he is spreading FUD. Cringely is a journalist, a professional wordsmith, and he chooses his words carefully and deliberately according to the meaning he wants to convey to others. If he titles the piece "A perfect spy", it's because he wants to raise suspicions of spyware in the backs of people's minds. If he describes the communications as "surreptitious", it's because he wants you to think that steps have been taken to deliberately conceal them. If he refers to a rumour that never existed, it's because he wants to start one. Please consider the article carefully. Cringely doesn't claim to have discovered this himself, he is reporting at second-hand what he was told by one of his colleagues. He then enhances and elaborates on that report with innuendo and hyperbole, and gives not even the basic details to back up the claims he is making. I think that's a perfectly reasonable thing to describe as FUD and rumour-mongery. I note that his colleague has been keeping his head down in all this and not making any exaggerated claims.
> His claim of a phone home bug has been vindicated by Zonelabs/Checkpoint's response to the list and the admission of the bug.
Once more you raise this strawman. We all know there's a bug in the auto-update. That is not under debate.
> Like I said before, it's up to the people on the list to decide if this is an issue for them or not. Not for an arrogant fool like you to force his opinion onto people.
See, there you go missing the point again. I'm talking about whether Cringely is making unsubstantiated claims and spreading fud, and you persist in misrepresenting what I'm saying as being about whether or not ZA does or doesn't phone home and whether or not that matters to other people. That is NOT what I'm saying, it's something that _you_ have misinterpreted.

[ ON-TOPIC bit begins here ]

And know what? If you are as concerned with letting people make their own minds up whether it's an issue or not, and what to do with it, then it would be logical for you to want to see full details of what it is that is actually being claimed. This partial report is bad for those people, because the inaccuracy/lack of detail makes it harder for them to make that judgement for themselves, since they haven't been given sufficient information.

It is as a *direct* result of his (Cringely's) failure to show packet logs and give the necessary details to substantiate his claims, that people have been misled into using that bogus workaround that the guy from The Inq. posted. Remember that link you gave a few posts back?

http://theinquirer.net/?article=29157

-----------------quote-----------------
The company says it will fix the "bug" soon. In the meantime you can work around it by adding:

# Block access to ZoneLabs Server
127.0.0.1 zonelabs.com

to your Windows host file.
-----------------quote-----------------

See, if Cringely had posted packet dumps, or indeed any information at all, everybody would have known that that workaround is no good. After all, one glance at the packets, and everyone would have known in an instant that the actual DNS name it looks up is "update.zonelabs.com", and adding an alias for "zonelabs.com" will FAIL to protect you in any way. Vital information that. But because of Cringely's poor standards, nobody knew it.
This is at the heart of my complaint against Cringely and at the heart of the debate over full disclosure: without full information, people are unable to make informed decisions about the security issues that might or might not affect them.
> go ride your high horse over to letters () infoworld com

You posted a link to an article here, so here was where I thought was a reasonable place to discuss the article and the issues raised by it, and in particular how they relate to security reporting and disclosure.

cheers,
DaveK
--
Can't think of a witty .sigline today....

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
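The reason the hosts-file workaround quoted in the post fails is that a hosts file is an exact-match table with no wildcard or parent-domain syntax: an entry for "zonelabs.com" says nothing about "update.zonelabs.com". The script below is an added example, not code from the original post or from anyone in the thread. It parses hosts-file text the way a resolver does (comments, several names per line, case-insensitive exact match) and reports which observed hostnames a given file actually fails to send to loopback. The two hosts-file samples are constructed for illustration; the names "zonelabs.com" (the suggested entry) and "update.zonelabs.com" (the name the post says the updater really looks up) are the ones given in the post.

```python
"""Check whether a hosts-file blocking entry covers the names an application
actually resolves.

Added example, not from the original post. Hosts-file text below is
constructed; the two zonelabs hostnames are taken from the post.
"""

from __future__ import annotations

# Constructed sample: the workaround exactly as quoted from The Inquirer,
# plus the usual localhost line.
WORKAROUND_AS_POSTED = """\
127.0.0.1 localhost
# Block access to ZoneLabs Server
127.0.0.1 zonelabs.com
"""

# Constructed sample: the same file with the name the client really resolves
# (per the post) added as a literal entry.
WORKAROUND_CORRECTED = """\
127.0.0.1 localhost
# Block access to ZoneLabs update server
127.0.0.1 update.zonelabs.com zonelabs.com
"""


def parse_hosts(text: str) -> dict[str, str]:
    """Parse hosts-file text into {hostname: address}.

    Format handled: one address followed by one or more names per line,
    '#' starts a comment, blank lines are ignored, names are compared
    case-insensitively. The format has no wildcard or suffix syntax, which
    is exactly why a parent-domain entry does not cover a subdomain.
    """
    table: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing/whole-line comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no names is not a usable entry
        address, names = fields[0], fields[1:]
        for name in names:
            # First entry for a name wins, matching common resolver behaviour.
            table.setdefault(name.lower(), address)
    return table


def hosts_lookup(table: dict[str, str], hostname: str) -> str | None:
    """Exact-match lookup, as the OS resolver performs against the hosts file.

    'zonelabs.com' in the table does NOT match 'update.zonelabs.com'; only a
    literal entry for that name does.
    """
    return table.get(hostname.rstrip(".").lower())


def is_blocked(hosts_text: str, hostname: str) -> bool:
    """True if this hosts file would send `hostname` to a loopback address."""
    addr = hosts_lookup(parse_hosts(hosts_text), hostname)
    return addr is not None and (addr.startswith("127.") or addr == "::1")


def uncovered_names(hosts_text: str, observed_names: list[str]) -> list[str]:
    """Names seen in traffic (e.g. from a packet capture) that the file does
    not block. This is the check a published packet dump would have let
    everyone run before recommending the workaround.
    """
    return [n for n in observed_names if not is_blocked(hosts_text, n)]


if __name__ == "__main__":
    # The post states the client looks up update.zonelabs.com.
    observed = ["update.zonelabs.com"]
    print("as posted, still resolves normally:",
          uncovered_names(WORKAROUND_AS_POSTED, observed))
    print("corrected, still resolves normally:",
          uncovered_names(WORKAROUND_CORRECTED, observed))
```

Run it as a script to see the posted file leave "update.zonelabs.com" uncovered while the corrected file blocks it; on a real machine, feed `parse_hosts` the contents of your own hosts file (on Windows, %SystemRoot%\System32\drivers\etc\hosts) together with the hostnames observed in a capture of the application's traffic.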