Zone Alarm (Freeware-) stopped reporting intrusions..

on 03.10.2006 09:03:43 by bartle.berlin

Despite considerable use of the internet since installing ZA, on the
main page it shows not a single attempt at intrusion, whereas in the
past there were hundreds/thousands after a while.

We have uninstalled and re-installed but the same situation remains.

One suspects that ZA can't be correctly working/configured if it does not
report having blocked intrusions?

It does indicate that it is (allegedly-) working - but at the same time
is apparently not finding a single intrusion?

Grateful for any tips...?

ron b

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 03.10.2006 10:22:25 by Wilf

Ronald J. Bartle wrote:
> Despite considerable use of the internet since installing ZA, on the
> main page it shows not a single attempt at intrusion, whereas in the
> past there were hundreds/thousands after a while.
>
> We have uninstalled and re-installed but the same situation remains.
>
> One suspects that ZA can't be correctly working/configured if it does not
> report having blocked intrusions?
>
> It does indicate that it is (allegedly-) working - but at the same time
> is apparently not finding a single intrusion?
>
> Grateful for any tips...?
>
> ron b
Are you using a router with firewall? If so, it would be dropping all
unsolicited packets (intrusions) and they would never reach your computer.

--
Wilf
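
Added example, not part of any post in this thread: a minimal Python model of the situation Wilf describes, where a NAT router with stateful filtering drops unsolicited inbound packets, so the host firewall behind it never sees them and its blocked counter stays at zero. The classes, the addresses (documentation ranges), the probe ports and the port-preserving NAT are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class HostFirewall:
    """Host firewall: blocks and counts inbound packets that match no local connection."""
    ip: str
    open_flows: set = field(default_factory=set)
    blocked: int = 0

    def connect(self, remote, rport, lport, proto="tcp"):
        # Remember the flow so the reply is accepted later.
        self.open_flows.add((proto, lport, remote, rport))
        return Packet(self.ip, lport, remote, rport, proto)

    def receive(self, pkt):
        if (pkt.proto, pkt.dport, pkt.src, pkt.sport) in self.open_flows:
            return True
        self.blocked += 1  # this is the number a "blocked intrusions" display shows
        return False


@dataclass
class NatRouter:
    """NAT router: forwards inbound packets only if they answer a tracked outbound flow."""
    public_ip: str
    table: dict = field(default_factory=dict)
    dropped: int = 0

    def outbound(self, pkt):
        # Assumption: port-preserving NAT, so the public port equals the LAN port.
        self.table[(pkt.proto, pkt.sport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt):
        entry = self.table.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            self.dropped += 1  # unsolicited: dropped here, the PC never sees it
            return None
        lan_ip, lan_port = entry
        return Packet(pkt.src, pkt.sport, lan_ip, lan_port, pkt.proto)


# Constructed sample traffic: ports commonly probed on Windows hosts.
PROBE_PORTS = [135, 139, 445, 3389]


def simulate(with_router):
    public_ip = "203.0.113.10"
    host = HostFirewall(ip="192.168.1.2" if with_router else public_ip)
    router = NatRouter(public_ip) if with_router else None

    # The PC opens one web connection; its reply must still get through.
    out = host.connect("198.51.100.80", 80, 50000)
    if router:
        router.outbound(out)

    inbound = [Packet("198.51.100.80", 80, public_ip, 50000)]
    inbound += [Packet("192.0.2.66", 40000 + i, public_ip, port)
                for i, port in enumerate(PROBE_PORTS)]

    delivered = 0
    for pkt in inbound:
        if router:
            pkt = router.inbound(pkt)
            if pkt is None:
                continue
        if host.receive(pkt):
            delivered += 1

    return {
        "host_blocked": host.blocked,
        "router_dropped": router.dropped if router else 0,
        "delivered": delivered,
    }


if __name__ == "__main__":
    print("PC directly on the internet:", simulate(with_router=False))
    print("PC behind NAT router:       ", simulate(with_router=True))
```

In both runs the web reply is delivered; only the place where the probes are discarded changes, which is why an empty host firewall log behind a router does not by itself indicate a broken firewall.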

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 03.10.2006 14:49:08 by Ulf Leichsenring

> One suspects that ZA can't be correctly working/configured if it does not
> report having blocked intrusions?
>
> It does indicate that it is (allegedly-) working - but at the same time
> is apparently not finding a single intrusion?
>
> Grateful for any tips...?

Deinstall ZA, it's useless.
See http://www.ntsvcfg.de/linkblock_eng.html

And if you think it can block malicious outbound traffic see Microsoft's
statement at
http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/default.aspx
the chapter "Myth: Host-Based Firewalls Must Filter Outbound Traffic to
be Safe. "

--
Ulf Leichsenring
ulf@leichsenring.net

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 03.10.2006 17:57:28 by Ron Lopshire

Ulf Leichsenring wrote:

>>One suspects that ZA can't be correctly working/configured if it does not
>>report having blocked intrusions?
>>
>>It does indicate that it is (allegedly-) working - but at the same time
>>is apparently not finding a single intrusion?
>
> Deinstall ZA, it's useless.
> See http://www.ntsvcfg.de/linkblock_eng.html

Thanks for the link, Ulf. I have used Torsten's batch file for
shutting down XP services. Scrolling down his page (in English):

(http://www.ntsvcfg.de/ntsvcfg_eng.html)

Other contributions for computer security

Desktop/Personal Firewalls (PFW) - and why you don't need this stuff

Sorry. There is no actual translation available.

Would someone like to translate the same section on the German page
into English?

(http://www.ntsvcfg.de/)

ISTM that this discussion is too technical for Babelfish to be of much
use.

Ron :)

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 03.10.2006 18:08:05 by bassbag

In article <45225C44.9030809@leichsenring.net>, ulf@leichsenring.net
says...
> > One suspects that ZA can't be correctly working/configured if it does not
> > report having blocked intrusions?
> >
> > It does indicate that it is (allegedly-) working - but at the same time
> > is apparently not finding a single intrusion?
> >
> > Grateful for any tips...?
>
> Deinstall ZA, it's useless.
> See http://www.ntsvcfg.de/linkblock_eng.html
>
> And if you think it can block malicious outbound traffic see Microsoft's
> statement at
> http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/default.aspx
> the chapter "Myth: Host-Based Firewalls Must Filter Outbound Traffic to
> be Safe. "
>
>
I wonder why Microsoft Vista firewall has been given the ability to block
outgoing applications if it's such a myth?
http://www.infoworld.com/article/06/01/25/74788_HNvistafirewall_1.html
me

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 03.10.2006 18:27:02 by larstr

bassbag wrote:
: I wonder why Microsoft Vista firewall has been given the ability to block
: outgoing applications if it's such a myth?

Probably the same reason why they introduced Active Directory even if NT
directory was as advanced as NDS.
http://64.233.183.104/search?q=cache:eoHRh0T238AJ:www.microsoft.com/ntserver/docs/DS_tb.doc+ds_tb.doc&hl=no&gl=no&ct=clnk&cd=1&client=firefox-a

Lars

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 03.10.2006 18:34:34 by Ansgar -59cobalt- Wiechers

bassbag wrote:
> In article <45225C44.9030809@leichsenring.net>, ulf@leichsenring.net says...
>> And if you think it can block malicious outbound traffic see Microsoft's
>> statement at
>> http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/default.aspx
>> the chapter "Myth: Host-Based Firewalls Must Filter Outbound Traffic to
>> be Safe. "
>
> I wonder why Microsoft Vista firewall has been given the ability to block
> outgoing applications if it's such a myth?

Because of popular demand. The point the Technet article makes still
stands.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 03.10.2006 18:48:14 by Volker Birk

Ron Lopshire wrote:
> Other contributions for computer security
> Desktop/Personal Firewalls (PFW) - and why you don't need this stuff
> Sorry. There is no actual translation available.
> Would someone like to translate the same section on the German page
> into English?

We already discussed this topic here. Please feel free to use a Usenet
archive of your choice. If you have questions, I'd be pleased to answer.

Yours,
VB.
--
Far worse than the implementation of PHP, however, is its design.

Rudolf Polzer in de.comp.security.misc

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 03.10.2006 19:34:49 by bassbag

In article <4ofhoqFebv1tU1@individual.net>, usenet-2006@planetcobalt.net
says...
> bassbag wrote:
> > In article <45225C44.9030809@leichsenring.net>, ulf@leichsenring.net says...
> >> And if you think it can block malicious outbound traffic see Microsoft's
> >> statement at
> >> http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/default.aspx
> >> the chapter "Myth: Host-Based Firewalls Must Filter Outbound Traffic to
> >> be Safe. "
> >
> > I wonder why Microsoft Vista firewall has been given the ability to block
> > outgoing applications if it's such a myth?
>
> Because of popular demand. The point the Technet article makes still
> stands.
>
> cu
> 59cobalt
>
Does it?... I'd say it's debatable or hypocritical.
me

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 03.10.2006 21:12:13 by Ansgar -59cobalt- Wiechers

bassbag wrote:
> usenet-2006@planetcobalt.net says...
>> bassbag wrote:
>>> ulf@leichsenring.net says...
>>>> And if you think it can block malicious outbound traffic see
>>>> Microsoft's statement at
>>>> http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/default.aspx
>>>> the chapter "Myth: Host-Based Firewalls Must Filter Outbound
>>>> Traffic to be Safe. "
>>>
>>> I wonder why Microsoft Vista firewall has been given the ability to
>>> block outgoing applications if it's such a myth?
>>
>> Because of popular demand. The point the Technet article makes still
>> stands.
>
> Does it?...

Yes.

> I'd say it's debatable or hypocritical.

You may want to support that opinion with some arguments.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 03.10.2006 22:54:04 by bassbag

In article <4ofr0cFeeeajU2@individual.net>, usenet-2006@planetcobalt.net
says...
> bassbag wrote:
> > usenet-2006@planetcobalt.net says...
> >> bassbag wrote:
> >>> ulf@leichsenring.net says...
> >>>> And if you think it can block malicious outbound traffic see
> >>>> Microsoft's statement at
> >>>> http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/default.aspx
> >>>> the chapter "Myth: Host-Based Firewalls Must Filter Outbound
> >>>> Traffic to be Safe. "
> >>>
> >>> I wonder why Microsoft Vista firewall has been given the ability to
> >>> block outgoing applications if it's such a myth?
> >>
> >> Because of popular demand. The point the Technet article makes still
> >> stands.
> >
> > Does it?...
>
> Yes.
>
> > I'd say it's debatable or hypocritical.
>
> You may want to support that opinion with some arguments.
>
> cu
> 59cobalt
>
Not really... after all it wasn't me that said outbound application
filtering was a waste of time and then implemented it in my next
operating system.
me

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 03.10.2006 23:39:46 by Ansgar -59cobalt- Wiechers

bassbag wrote:
> usenet-2006@planetcobalt.net says...
>> bassbag wrote:
>>> usenet-2006@planetcobalt.net says...
>>>> bassbag wrote:
>>>>> ulf@leichsenring.net says...
>>>>>> And if you think it can block malicious outbound traffic see
>>>>>> Microsoft's statement at
>>>>>> http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/default.aspx
>>>>>> the chapter "Myth: Host-Based Firewalls Must Filter Outbound
>>>>>> Traffic to be Safe. "
>>>>>
>>>>> I wonder why Microsoft Vista firewall has been given the ability to
>>>>> block outgoing applications if it's such a myth?
>>>>
>>>> Because of popular demand. The point the Technet article makes still
>>>> stands.
>>>
>>> Does it?...
>>
>> Yes.
>>
>>> I'd say it's debatable or hypocritical.
>>
>> You may want to support that opinion with some arguments.
>
> Not really... after all it wasn't me that said outbound application
> filtering was a waste of time and then implemented it in my next
> operating system.

The Technet article explains why outbound filtering is a waste of time.
I fail to see your arguments to prove their reasoning wrong. Whether you
consider it hypocrisy that Microsoft implements pointless features into
their OS, because their customers demand it, is of no concern here.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 04.10.2006 01:49:56 by charlie R

Hi,

Click on the Alerts and Logs Tab. This is where you turn alerts on or
off. (at least it does on 4.5.594).

charlie R


"Ronald J. Bartle" wrote in
message news:45220b4f$0$15442$9b622d9e@news.freenet.de...
: Despite considerable use of the internet since installing ZA, on the
: main page it shows not a single attempt at intrusion, whereas in the
: past there were hundreds/thousands after a while.
:
: We have uninstalled and re-installed but the same situation remains.
:
: One suspects that ZA can't be correctly working/configured if it does not
: report having blocked intrusions?
:
: It does indicate that it is (allegedly-) working - but at the same time
: is apparently not finding a single intrusion?
:
: Grateful for any tips...?
:
: ron b

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 04.10.2006 07:08:25 by Ken Doebler

Ronald J. Bartle wrote:

> Despite considerable use of the internet since installing ZA, on the
> main page it shows not a single attempt at intrusion, whereas in the
> past there were hundreds/thousands after a while.
>
> We have uninstalled and re-installed but the same situation remains.
>
> One suspects that ZA can't be correctly working/configured if it does not
> report having blocked intrusions?
>
> It does indicate that it is (allegedly-) working - but at the same time
> is apparently not finding a single intrusion?
>
> Grateful for any tips...?
>
> ron b

As long as the firewall is working, it doesn't much matter whether it shows
a count of how many packets are blocked etc.

--
Kerodo

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 04.10.2006 09:47:09 by Nevets Steprock

Wilf wrote:

> Are you using a router with firewall? If so, it would be dropping all
> unsolicited packets (intrusions) and they would never reach your computer.

Very easy to see on the "Firewall" log of ZA (always empty :-)

Too bad one can't install only the "program" monitor part of ZA
(since the router takes care of the "firewall" part anyway)
--
Lars-Erik - http://home.chello.no/~larse/ - ICQ 7297605

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 04.10.2006 09:49:10 by Nevets Steprock

bassbag wrote:

> I wonder why Microsoft Vista firewall has been given the ability to block
> outgoing applications if it's such a myth?

You can block "nice" software that follows the rules.
"bad" software should be caught by your a/v software anyway.

So I think it has a purpose. I can block most MS software from "calling
home". Only that is worth installing ZA (that's all I use it for :-)

The firewall bit is taken care of by my router...
--
Lars-Erik - http://home.chello.no/~larse/ - ICQ 7297605

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 04.10.2006 14:28:33 by Volker Birk

Lars-Erik Østerud <.@.> wrote:
> You can block "nice" software that follows the rules.
> "bad" software should be caught by your a/v software anyway.
> So I think it has a purpose. I can block most MS software from "calling
> home". Only that is worth installing ZA (that's all I use it for :-)

Why don't you just configure your MS software not to do so?

BTW: there is only one single software program, which you cannot
configure not to phone home; its name is: Zone Alarm.

Yours,
VB.
--
Far worse than the implementation of PHP, however, is its design.

Rudolf Polzer in de.comp.security.misc

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 04.10.2006 15:23:47 by Nevets Steprock

> Why don't you just configure your MS software not to do so?

If it was that easy. Most of the software still tries :-)

> BTW: there is only one single software program, which you cannot
> configure not to phone home; its name is: Zone Alarm.

I guess that would be true for all firewalls, no way to keep them from
going past their own defenses. Do you know what ZA is sending home
even when you have told it not to (and does it hide the IP address as
you have selected)?
--
Lars-Erik - http://home.chello.no/~larse/ - ICQ 7297605

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 04.10.2006 16:08:22 by Ron Lopshire

Volker Birk wrote:

> Ron Lopshire wrote:
>
>>Other contributions for computer security
>> Desktop/Personal Firewalls (PFW) - and why you don't need this stuff
>> Sorry. There is no actual translation available.
>>Would someone like to translate the same section on the German page
>>into English?
>
> We already discussed this topic here. Please feel free to use a Usenet
> archive of your choice. If you have questions, I'd be pleased to answer.

Thanks, VB. I must have missed it. I will post again if I have
problems/questions.

Ron :)

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 04.10.2006 16:31:08 by Volker Birk

Lars-Erik Østerud <.@.> wrote:
> > BTW: there is only one single software program, which you cannot
> > configure not to phone home; its name is: Zone Alarm.
> I guess that would be true for all firewalls

No.

> Do you know what ZA is sending home
> even when you have told it not to

No. Only Zone Labs knows, what's encoded.

> (and does it hide the IP address as
> you have selected)?

Because it's not possible to "hide the IP address", of course it does
not.

Yours,
VB.
--
Far worse than the implementation of PHP, however, is its design.

Rudolf Polzer in de.comp.security.misc

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 04.10.2006 17:43:54 by bassbag

In article <4og3l2FegrpuU2@individual.net>, usenet-2006@planetcobalt.net
says...
> bassbag wrote:
> > usenet-2006@planetcobalt.net says...
> >> bassbag wrote:
> >>> usenet-2006@planetcobalt.net says...
> >>>> bassbag wrote:
> >>>>> ulf@leichsenring.net says...
> >>>>>> And if you think it can block malicious outbound traffic see
> >>>>>> Microsoft's statement at
> >>>>>> http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/default.aspx
> >>>>>> the chapter "Myth: Host-Based Firewalls Must Filter Outbound
> >>>>>> Traffic to be Safe. "
> >>>>>
> >>>>> I wonder why Microsoft Vista firewall has been given the ability to
> >>>>> block outgoing applications if it's such a myth?
> >>>>
> >>>> Because of popular demand. The point the Technet article makes still
> >>>> stands.
> >>>
> >>> Does it?...
> >>
> >> Yes.
> >>
> >>> I'd say it's debatable or hypocritical.
> >>
> >> You may want to support that opinion with some arguments.
> >
> > Not really... after all it wasn't me that said outbound application
> > filtering was a waste of time and then implemented it in my next
> > operating system.
>
> The Technet article explains why outbound filtering is a waste of time.
> I fail to see your arguments to prove their reasoning wrong. Whether you
> consider it hypocrisy that Microsoft implements pointless features into
> their OS, because their customers demand it, is of no concern here.
>
> cu
> 59cobalt
>
Well you might consider them pointless features, but Microsoft actually
calls it a "benefit" and "an important part of their security
strategy". Of course the odd blogger or person such as yourself may
disagree... just as many wouldn't.
me

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 04.10.2006 17:49:34 by bassbag

In article <73a8b$45236777$54d05007$9255@news.chello.no>, .@. says...
> bassbag wrote:
>
> > I wonder why Microsoft Vista firewall has been given the ability to block
> > outgoing applications if it's such a myth?
>
> You can block "nice" software that follows the rules.
> "bad" software should be caught by your a/v software anyway.
>
> So I think it has a purpose. I can block most MS software from "calling
> home". Only that is worth installing ZA (that's all I use it for :-)
>
> The firewall bit is taken care of by my router...
>
I agree, though application firewalls can limit the effects of "bad"
software too in certain circumstances.
me

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 04.10.2006 18:00:38 by Nevets Steprock

Volker Birk wrote:

> No.

Would you guarantee that other firewalls do not send any info to the
author without my knowledge? Have you tested (I guess you have for ZA
since you know it sends info even if the user has "check" not to...)?

> Because it's not possible to "hide the IP address", of course it does

Then what does that option do? It might hide your actual IP (but
that's not a problem anyway as that is fake due to a router :-)
--
Lars-Erik - http://home.chello.no/~larse/ - ICQ 7297605

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 04.10.2006 20:48:09 by kingthorin

"And if you think it can block malicious outbound traffic see
Microsoft's statement at
http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMy...
the chapter "Myth: Host-Based Firewalls Must Filter Outbound Traffic to
be Safe. " "

Did you actually read the information you're referring people to?
Basically some guy at MS deems the need for Outbound Traffic Filtering
as a myth because the majority of users are too stupid to understand
what's going on when prompted to allow/deny the traffic.

That's like saying "Myth: Need for strong passwords including capital
letters". So because someone might not realize their caps key is on
then we shouldn't allow people to put capital letters in passwords.

Just because his grandmother likes "sexy dancing pigs" and clicks "ok"
without knowing what she's talking about doesn't mean that Outbound
Traffic filtering is a useless security feature to the rest of us. (As
demonstrated by MS's inclusion of outbound filtering in Vista).

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 04.10.2006 21:44:08 by Ansgar -59cobalt- Wiechers

bassbag wrote:
> usenet-2006@planetcobalt.net says...
>> The Technet article explains why outbound filtering is a waste of
>> time. I fail to see your arguments to prove their reasoning wrong.
>> Whether you consider it hypocrisy that Microsoft implements pointless
>> features into their OS, because their customers demand it, is of no
>> concern here.
>
> Well you might consider them pointless features, but Microsoft
> actually calls it a "benefit" and "an important part of their security
> strategy".

Well, it will help maximizing their sales, so it sure is a benefit. For
them. Anyway, you need to distinguish between what sales droids and
security professionals tell you. They won't necessarily tell you the
same.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 04.10.2006 21:51:11 by Ansgar -59cobalt- Wiechers

kingthorin@gmail.com wrote:
> "And if you think it can block malicious outbound traffic see
> Microsoft's statement at
> http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMy...
> the chapter "Myth: Host-Based Firewalls Must Filter Outbound Traffic
> to be Safe. " "
>
> Did you actually read the information you're referring people to?
> Basically some guy at MS deems the need for Outbound Traffic Filtering
> as a myth because the majority of users are too stupid to understand
> what's going on when prompted to allow/deny the traffic.

Apparently it's you who hasn't read the article. Users not being able to
understand what the firewall tells them is one argument against attempts
to filter outbound traffic. Another argument is that malware can most
easily remotely control applications that are *allowed* to communicate
outbound (e.g. the web browser), thus bypassing the application filter.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 04.10.2006 21:53:26 by bassbag

In article <4oih88FesepvU1@individual.net>, usenet-2006@planetcobalt.net
says...
> bassbag wrote:
> > usenet-2006@planetcobalt.net says...
> >> The Technet article explains why outbound filtering is a waste of
> >> time. I fail to see your arguments to prove their reasoning wrong.
> >> Whether you consider it hypocrisy that Microsoft implements pointless
> >> features into their OS, because their customers demand it, is of no
> >> concern here.
> >
> > Well you might consider them pointless features, but Microsoft
> > actually calls it a "benefit" and "an important part of their security
> > strategy".
>
> Well, it will help maximizing their sales, so it sure is a benefit. For
> them. Anyway, you need to distinguish between what sales droids and
> security professionals tell you. They won't necessarily tell you the
> same.
>
> cu
> 59cobalt
>
Why would it maximise their sales if it's a myth?... won't it be found
wanting?
me

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 04.10.2006 21:59:51 by bassbag

In article <4oihlfFesepvU2@individual.net>, usenet-2006@planetcobalt.net
says...
> kingthorin@gmail.com wrote:
> > "And if you think it can block malicious outbound traffic see
> > Microsoft's statement at
> > http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMy...
> > the chapter "Myth: Host-Based Firewalls Must Filter Outbound Traffic
> > to be Safe. " "
> >
> > Did you actually read the information you're referring people to?
> > Basically some guy at MS deems the need for Outbound Traffic Filtering
> > as a myth because the majority of users are too stupid to understand
> > what's going on when prompted to allow/deny the traffic.
>
> Apparently it's you who hasn't read the article. Users not being able to
> understand what the firewall tells them is one argument against attempts
> to filter outbound traffic. Another argument is that malware can most
> easily remotely control applications that are *allowed* to communicate
> outbound (e.g. the web browser), thus bypassing the application filter.
>
> cu
> 59cobalt


Most modern firewalls are protected against this kind of circumvention.
me

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 04.10.2006 22:12:57 by Thomas Hertel

kingthorin@gmail.com wrote:

> Just because his grandmother likes "sexy dancing pigs" and clicks "ok"
> without knowing what she's talking about doesn't mean that Outbound
> Traffic filtering is a useless security feature to the rest of us.

I am certainly not a security specialist. But it seems ridiculous to me
to assume that software A could control software B on the exactly same
machine, if:

1. software A and software B run in the same user context (typically
admin)
2. software A does not know anything about software B, while B has been
tested against A

>(As
> demonstrated by MS's inclusion of outbound filtering in Vista).

Obviously MSFT has spent their marketing dollars wisely. At the very
least, they fooled you.

Regards
Thomas

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 04.10.2006 22:16:33 by Ansgar -59cobalt- Wiechers

bassbag wrote:
> usenet-2006@planetcobalt.net says...
>> bassbag wrote:
>>> usenet-2006@planetcobalt.net says...
>>>> The Technet article explains why outbound filtering is a waste of
>>>> time. I fail to see your arguments to prove their reasoning wrong.
>>>> Whether you consider it hypocrisy that Microsoft implements point-
>>>> less features into their OS, because their customers demand it, is
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>> of no concern here.
>>>
>>> Well you might consider them pointless features, but Microsoft
>>> actually calls it a "benefit" and "an important part of their
>>> security strategy".
>>
>> Well, it will help maximizing their sales, so it sure is a benefit.
>> For them. Anyway, you need to distinguish between what sales droids
>> and security professionals tell you. They won't necessarily tell you
>> the same.
>
> Why would it maximise their sales if it's a myth?

I underlined the (already given) answer for your convenience.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 04.10.2006 22:17:35 by Ansgar -59cobalt- Wiechers

bassbag wrote:
> usenet-2006@planetcobalt.net says...
>> kingthorin@gmail.com wrote:
>>> "And if you think it can block malicious outbound traffic see
>>> Microsoft's statement at
>>> http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMy...
>>> the chapter "Myth: Host-Based Firewalls Must Filter Outbound
>>> Traffic to be Safe. " "
>>>
>>> Did you actually read the information you're referring people to?
>>> Basically some guy at MS deems the need for Outbound Traffic
>>> Filtering as a myth because the majority of users are too stupid to
>>> understand what's going on when prompted to allow/deny the traffic.
>>
>> Apparently it's you who hasn't read the article. Users not being able
>> to understand what the firewall tells them is one argument against
>> attempts to filter outbound traffic. Another argument is that malware
>> can most easily remotely control applications that are *allowed* to
>> communicate outbound (e.g. the web browser), thus bypassing the
>> application filter.
>
> Most modern firewalls are protected against this kind of
> circumvention.

No.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 04.10.2006 22:18:17 by Thomas Hertel

kingthorin@gmail.com wrote:

> Just because his grandmother likes "sexy dancing pigs" and clicks "ok"
> without knowing what she's talking about doesn't mean that Outbound
> Traffic filtering is a useless security feature to the rest of us.

I am certainly not a security specialist. But it seems ridiculous to me
to assume that software A could control software B on the exactly same
machine, if:

1. software A and software B run in the same user context (typically
admin)
2. software A does not know anything about software B, while B has been
tested against A

>(As
> demonstrated by MS's inclusion of outbound filtering in Vista).

Obviously MSFT has spent their marketing dollars wisely. At the very
least, they fooled you.

Regards
Thomas

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 04.10.2006 22:25:45 by bassbag

In article <4oij51FesepvU4@individual.net>, usenet-2006@planetcobalt.net
says...
> bassbag wrote:
> > usenet-2006@planetcobalt.net says...
> >> bassbag wrote:
> >>> usenet-2006@planetcobalt.net says...
> >>>> The Technet article explains why outbound filtering is a waste of
> >>>> time. I fail to see your arguments to prove their reasoning wrong.
> >>>> Whether you consider it hypocrisy that Microsoft implements point-
> >>>> less features into their OS, because their customers demand it, is
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >>>> of no concern here.
> >>>
> >>> Well you might consider them pointless features, but Microsoft
> >>> actually calls it a "benefit" and "an important part of their
> >>> security strategy".
> >>
> >> Well, it will help maximizing their sales, so it sure is a benefit.
> >> For them. Anyway, you need to distinguish between what sales droids
> >> and security professionals tell you. They won't necessarily tell you
> >> the same.
> >
> > Why would it maximise their sales if it's a myth?
>
> I underlined the (already given) answer for your convenience.
>
> cu
> 59cobalt
>
I'm looking for an answer but can't see one given. I asked if application
firewalls are a myth, then surely people would see through that (like
yourself of course). So why would blatant lies boost sales?
me

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 04.10.2006 22:27:47 by bassbag

In article <1159992777.873597.112920@h48g2000cwc.googlegroups.com>,
thomas.hertel@gmx.net says...
>
> kingthorin@gmail.com wrote:
>
> > Just because his grandmother likes "sexy dancing pigs" and clicks "ok"
> > without knowing what she's talking about doesn't mean that Outbound
> > Traffic filtering is a useless security feature to the rest of us.
>
> I am certainly not a security specialist. But it seems ridiculous to me
> to assume that software A could control software B on the exactly same
> machine, if:
>
> 1. software A and software B run in the same user context (typically
> admin)
> 2. software A does not know anything about software B, while B has been
> tested against A
>
> >(As
> > demonstrated by MS's inclusion of outbound filtering in Vista).
>
> Obviously MSFT has spent their marketing dollars wisely. At the very
> least, they fooled you.
>
> Regards
> Thomas
>
>
Maybe they fooled you into thinking their XP firewall, without outbound
application filtering was enough.
me

Re: Zone Alarm (Freeware-) stopped reporting intrusions..

on 04.10.2006 22:29:02 by bassbag

In article <4oij6vFesepvU5@individual.net>, usenet-2006@planetcobalt.net
says...
> bassbag wrote:
> > usenet-2006@planetcobalt.net says...
> >> kingthorin@gmail.com wrote:
> >>> "And if you think it can block malicious outbound traffic see
> >>> Microsoft's statement at
> >>> http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMy...
> >>> the chapter "Myth: Host-Based Firewalls Must Filter Outbound
> >>> Traffic to be Safe. " "
> >>>
> >>> Did you actually read the information you're referring people to?
> >>> Basically some guy at MS deems the need for Outbound Traffic
> >>> Filtering as a myth because the majority of users are too stupid to
> >>> understand what's going on when prompted to allow/deny the traffic.
> >>
> >> Apparently it's you who hasn't read the article. Users not being able
> >> to understand what the firewall tells them is one argument against
> >> attempts to filter outbound traffic. Another argument is that malware
> >> can most easily remotely control applications that are *allowed* to
> >> communicate outbound (e.g. the web browser), thus bypassing the
> >> application filter.
> >
> > Most modern firewalls are protected against this kind of
> > circumvention.
>
> No.
>
> cu
> 59cobalt
>
yes
me

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 04.10.2006 22:32:58 by Ansgar -59cobalt- Wiechers

bassbag wrote:
> usenet-2006@planetcobalt.net says...
>> bassbag wrote:
>>> usenet-2006@planetcobalt.net says...
>>>> Well, it will help maximizing their sales, so it sure is a benefit.
>>>> For them. Anyway, you need to distinguish between what sales droids
>>>> and security professionals tell you. They won't necessarily tell
>>>> you the same.
>>>
>>> Why would it maximise their sales if it's a myth?
>>
>> I underlined the (already given) answer for your convenience.
>
> I'm looking for an answer but can't see one given.

I take it you need glasses then.

> I asked if application firewalls are a myth, then surely people would
> see through that (like yourself of course).

What makes you believe that?

> So why would blatant lies boost sales?

Because people fall for them?

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 04.10.2006 22:37:10 by Ansgar -59cobalt- Wiechers

bassbag wrote:
> usenet-2006@planetcobalt.net says...
>> bassbag wrote:
>>> Most modern firewalls are protected against this kind of
>>> circumvention.
>>
>> No.
>
> yes

Like which ones? The only one I've seen try (and fail at it) is
ZoneAlarm 6.5 Pro.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 04.10.2006 22:39:30 by bassbag

In article <4oik3qFejqoaU1@individual.net>, usenet-2006@planetcobalt.net
says...
> bassbag wrote:
> > usenet-2006@planetcobalt.net says...
> >> bassbag wrote:
> >>> usenet-2006@planetcobalt.net says...
> >>>> Well, it will help maximizing their sales, so it sure is a benefit.
> >>>> For them. Anyway, you need to distinguish between what sales droids
> >>>> and security professionals tell you. They won't necessarily tell
> >>>> you the same.
> >>>
> >>> Why would it maximise their sales if it's a myth?
> >>
> >> I underlined the (already given) answer for your convenience.
> >
> > I'm looking for an answer but can't see one given.
>
> I take it you need glasses then.
Thank you for being concerned, the pair I have are fine.
>
> > I asked if application firewalls are a myth, then surely people would
> > see through that (like yourself of course).
>
> What makes you believe that?
Because you stated such.
>
> > So why would blatant lies boost sales?
>
> Because people fall for them?
you haven't...have you

me

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 04.10.2006 22:46:33 by Ansgar -59cobalt- Wiechers

bassbag wrote:
> usenet-2006@planetcobalt.net says...
>> bassbag wrote:
>>> usenet-2006@planetcobalt.net says...
>>>> bassbag wrote:
>>>>> usenet-2006@planetcobalt.net says...
>>>>>> Well, it will help maximizing their sales, so it sure is a
>>>>>> benefit. For them. Anyway, you need to distinguish between what
>>>>>> sales droids and security professionals tell you. They won't
>>>>>> necessarily tell you the same.
>>>>>
>>>>> Why would it maximise their sales if it's a myth?
>>>>
>>>> I underlined the (already given) answer for your convenience.
>>>
>>> I'm looking for an answer but can't see one given.
>>
>> I take it you need glasses then.
>
> Thank you for being concerned, the pair I have are fine.

Quite obviously they are not.

>>> I asked if application firewalls are a myth, then surely people
>>> would see through that (like yourself of course).
>>
>> What makes you believe that?
>
> Because you stated such.

Ummm... no?

>>> So why would blatant lies boost sales?
>>
>> Because people fall for them?
>
> you haven't...have you

And because I didn't fall for this particular lie no one will fall for
any lie ever? That's one hell of a claim you put up.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 04.10.2006 22:53:46 by bassbag

In article <4oikbmFejqoaU2@individual.net>, usenet-2006@planetcobalt.net
says...
> bassbag wrote:
> > usenet-2006@planetcobalt.net says...
> >> bassbag wrote:
> >>> Most modern firewalls are protected against this kind of
> >>> circumvention.
> >>
> >> No.
> >
> > yes
>
> Like which ones? The only one I've seen try (and fail at it) is
> ZoneAlarm 6.5 Pro.
>
> cu
> 59cobalt
>
Just google for firewall component control, Anti leak...dll injection
etc. There's quite a few of them. Of course if you are behind a router you
may wish to use SSM or similar rather than a software firewall with
application control. However if you are not, the software firewall might
be a good all in one choice. If you are very careful you may not need
anything at all.
me

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 04.10.2006 23:02:40 by bassbag

In article <4oikt9FejqoaU4@individual.net>, usenet-2006@planetcobalt.net
says...
> bassbag wrote:
> > usenet-2006@planetcobalt.net says...
> >> bassbag wrote:
> >>> usenet-2006@planetcobalt.net says...
> >>>> bassbag wrote:
> >>>>> usenet-2006@planetcobalt.net says...
> >>>>>> Well, it will help maximizing their sales, so it sure is a
> >>>>>> benefit. For them. Anyway, you need to distinguish between what
> >>>>>> sales droids and security professionals tell you. They won't
> >>>>>> necessarily tell you the same.
> >>>>>
> >>>>> Why would it maximise their sales if it's a myth?
> >>>>
> >>>> I underlined the (already given) answer for your convenience.
> >>>
> >>> I'm looking for an answer but can't see one given.
> >>
> >> I take it you need glasses then.
> >
> > Thank you for being concerned, the pair I have are fine.
>
> Quite obviously they are not.
On the contrary.
>
> >>> I asked if application firewalls are a myth, then surely people
> >>> would see through that (like yourself of course).
> >>
> >> What makes you believe that?
> >
> > Because you stated such.
>
> Ummm... no?
Well didn't you agree that the need for outbound application filtering was
a myth?
>
> >>> So why would blatant lies boost sales?
> >>
> >> Because people fall for them?
> >
> > you haven't...have you
>
> And because I didn't fall for this particular lie no one will fall for
> any lie ever? That's one hell of a claim you put up.
Perhaps it's you that need the services of an optician (or an
interpreter). I didn't claim any such thing.
me
>
> cu
> 59cobalt
>

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 04.10.2006 23:26:43 by kingthorin

Ansgar -59cobalt- Wiechers wrote:
> kingthorin@gmail.com wrote:
> > "And if you think it can block malicious outbound traffic see
> > Microsoft's statement at
> > http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMy...
> > the chapter "Myth: Host-Based Firewalls Must Filter Outbound Traffic
> > to be Safe. " "
> >
> > Did you actually read the information you're referring people to?
> > Basically some guy at MS deems the need for Outbound Traffic Filtering
> > as a myth because the majority of users are too stupid to understand
> > what's going on when prompted to allow/deny the traffic.
>
> Apparently it's you who hasn't read the article. Users not being able to
> understand what the firewall tells them is one argument against attempts
> to filter outbound traffic. Another argument is that malware can most
> easily remotely control applications that are *allowed* to communicate
> outbound (e.g. the web browser), thus bypassing the application filter.

Ok I set myself up for that one I should have said "Chapter" per the
OP's post instead of article (my bad).

However to your point. Yes a malicious piece of software "could" just
use port 80 which is bound to be allowed by my egress rules, however
malicious code writers aren't always "SMRT" (as Homer would say).

The assumption of stupid users and smart "attackers" is a mistake
(myth), not the requirement for outbound filtering.

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 01:57:00 by Ansgar -59cobalt- Wiechers

bassbag wrote:
> usenet-2006@planetcobalt.net says...
>> bassbag wrote:
>>> usenet-2006@planetcobalt.net says...
>>>> bassbag wrote:
>>>>> I asked if application firewalls are a myth, then surely people
>>>>> would see through that (like yourself of course).
>>>>
>>>> What makes you believe that?
>>>
>>> Because you stated such.
>>
>> Ummm... no?
>
> Well didn't you agree that the need for outbound application filtering
> was a myth?

Yes. Where exactly does that imply any claim on my part that everyone
will see through it?

>>>>> So why would blatant lies boost sales?
>>>>
>>>> Because people fall for them?
>>>
>>> you haven't...have you
>>
>> And because I didn't fall for this particular lie no one will fall for
>> any lie ever? That's one hell of a claim you put up.
>
> Perhaps it's you that need the services of an optician (or an
> interpreter). I didn't claim any such thing.

So you didn't reply "you haven't ... have you" when I stated that lies
may boost sales because of people falling for the lies?

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 02:02:06 by Ansgar -59cobalt- Wiechers

bassbag wrote:
> usenet-2006@planetcobalt.net says...
>> bassbag wrote:
>>> usenet-2006@planetcobalt.net says...
>>>> bassbag wrote:
>>>>> Most modern firewalls are protected against this kind of
>>>>> circumvention.
[...]
>> Like which ones? The only one I've seen try (and fail at it) is
>> ZoneAlarm 6.5 Pro.
>
> Just google for firewall component control, Anti leak...dll injection
> etc. There's quite a few of them.

I'll take that as an "I don't know any either".

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 02:21:16 by Ansgar -59cobalt- Wiechers

kingthorin@gmail.com wrote:
> Ansgar -59cobalt- Wiechers wrote:
>> kingthorin@gmail.com wrote:
>>> "And if you think it can block malicious outbound traffic see
>>> Microsoft's statement at
>>> http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMy...
>>> the chapter "Myth: Host-Based Firewalls Must Filter Outbound Traffic
>>> to be Safe. " "
>>>
>>> Did you actually read the information you're referring people to?
>>> Basically some guy at MS deems the need for Outbound Traffic
>>> Filtering as a myth because the majority of users are too stupid to
>>> understand what's going on when prompted to allow/deny the traffic.
>>
>> Apparently it's you who hasn't read the article. Users not being able
>> to understand what the firewall tells them is one argument against
>> attempts to filter outbound traffic. Another argument is that malware
>> can most easily remotely control applications that are *allowed* to
>> communicate outbound (e.g. the web browser), thus bypassing the
>> application filter.
>
> Ok I set myself up for that one I should have said "Chapter" per the
> OP's post instead of article (my bad).
>
> However to your point. Yes a malicious piece of software "could" just
> use port 80 which is bound to be allowed by my egress rules, however
> malicious code writers aren't always "SMRT" (as Homer would say).

So what? A smart attacker is the worst case, which you have to take into
consideration as well. Any measure can only count as a SECURITY measure
if it will defeat the smart attacker as well as the stupid attacker.

> The assumption of stupid users and smart "attackers" is a mistake
> (myth), not the requirement for outbound filtering.

You still fail to understand the points the article makes. With a smart
attacker it's irrelevant whether the users are stupid or smart, they
will never notice, because the malware bypasses the outbound traffic
control so that no notification whatsoever is generated. And with the
uneducated users not being able to understand what the personal firewall
is telling them, they still are more likely to allow than to deny access
when in doubt. So outbound filtering MAY work when you'll ALWAYS have
DUMB attackers AND educated users. Which is a rather bold assumption
from a security PoV.

What is so hard to understand about this?

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 06:12:28 by Volker Birk

Lars-Erik Østerud <.@.> wrote:
> Volker Birk wrote:
> > No.
> Would you guarantee that other firewalls do not send any info to the
> author without my knowledge?

No.

But I will guarantee, that I don't need a product, which "phones home",
and its purpose is to prevent from "phoning home".

BTW: many people think, that of security software, one needs the source
code to evaluate.

> > Because it's not possible to "hide the IP address", of course it does
> Then what does that option do?

Ridiculous nonsense.

> It might hide your actual IP

No. You may want to read RFC 791 and 792 (STD 5) to understand, why this
never can work. It's just advertising nonsense.

Yours,
VB.
--
Far worse than the implementation of PHP, however, is its design.

Rudolf Polzer in de.comp.security.misc

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 06:24:48 by Volker Birk

kingthorin@gmail.com wrote:
> Did you actually read the information you're referring people to?
> Basically some guy at MS deems the need for Outbound Traffic Filtering
> as a myth because the majority of users are too stupid to understand
> what's going on when prompted to allow/deny the traffic.

You need more arguments? Here they are:

1. Problem: popups are a b0rken concept, people choose the false option
-----------------------------------------------------------------------

This is one practical problem of "outbound filtering". And one of the
worst. It's idiotic to ask the user for protection relevant decisions,
because the user is the person to be protected, not the person who
should protect.

In most cases, she/he does not know the correct answer (if there is
one), and this was the reason, why this user bought the "security
product", to be protected without any deep knowledge about computer
security.

2. Technical problems
---------------------

I showed some with my PoC code at http://www.dingens.org/breakout.c and
http://www.dingens.org/breakout-wp.cpp

BTW: the "manufacturers of security software" are taking this so
seriously, that they're lying that this would be malware, not proof of
concept ;-) Obviously they're taking fright of such proofs, that their
"outbound filtering" is just a tasteless joke.

You can test, what your "Virus Scanner" says to
http://www.dingens.org/breakout.exe and
http://www.dingens.org/breakout-en.exe - both _do_ _not_ _contain_ _any_
_malware_.

3. Outbound filtering is counterproductive, not helpful for security
--------------------------------------------------------------------

Most "phoning home" is for online software updates of useful programs.
Everybody should permit this, because online software updates protect
you from being attacked by older malware (and there is enough of this
kind in the wild).

Yours,
VB.
--
Far worse than the implementation of PHP, however, is its design.

Rudolf Polzer in de.comp.security.misc

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 06:29:29 by Volker Birk

kingthorin@gmail.com wrote:
> The assumption of stupid users and smart "attackers" is a mistake
> (myth), not the requirement for outbound filtering.

The assumption of incurious users and smart attackers is the only
assumption, which is valid for a scenario of protecting home users.

"Security systems", whose concepts are not based on this assumption, are
of no value for home users.

Yours,
VB.
--
Far worse than the implementation of PHP, however, is its design.

Rudolf Polzer in de.comp.security.misc

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 14:45:00 by kingthorin

"With a smart attacker it's irrelevant whether the users are stupid or
smart, they will never notice, because the malware bypasses the
outbound traffic control so that no notification whatsoever is
generated."

So protection from the dumb attackers is pointless? I'm sorry but I
disagree. My bandwidth, CPU cycles, memory usage, and storage are not
pointless things to protect. I agree that outbound filtering won't
protect everyone from smart attackers but it can protect you and your
valuable resources from the dumb ones.

I'm not claiming that outbound filtering is a perfect solution by any
means, however, I still maintain that it's ridiculous to call its
usefulness a myth.

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 14:55:56 by Volker Birk

kingthorin@gmail.com wrote:
> So protection from the dumb attackers is pointless?

No. Secure protection is a good thing. "Protection" like "does only
work if the attacker is a muppet" is ridiculous.

> I'm not claiming that outbound filtering is a perfect solution by any
> means, however, I still maintain that it's ridiculous to call its
> usefulness a myth.

It's not useful at all. If it ever could work, it's even
counterproductive.

Yours,
VB.
--
Far worse than the implementation of PHP, however, is its design.

Rudolf Polzer in de.comp.security.misc

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 15:10:44 by pkaluski

Volker Birk wrote:

> Why don't you just configure your MS software not to do so?

In some cases, that's simply not possible. Take the MS installer for
example. Sometimes during installation of a program or driver, the
installer itself (not related to said program or driver) tries to
contact a Microsoft server.
Also, the "new hardware" wizard has an option to check with Windows
Update for updated drivers, but even if you tell it NOT to do so, it
sometimes still wants to make an outbound connection.

Just my two cents.

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 15:24:29 by kingthorin

Volker Birk wrote:
> kingthorin@gmail.com wrote:
> > So protection from the dumb attackers is pointless?
>
> No. Secure protection is a good thing. "Protection" like "does only
> work if the attacker is a muppet" is ridiculous.
>

Sadly a lot of attackers = muppets = script kiddies

Think of it like phishing emails. Some are obvious to spot with
spelling mistakes or old methods of hiding URLs from dumb users. Some
are hard to spot with no typos, good grammar, and well hidden URLs. Just
because some of them are good doesn't mean I don't want to be or should
be interested in being protected from the bad (obvious) ones.

Maybe we'll have to agree to disagree ;)

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 15:40:13 by pkaluski

Ansgar -59cobalt- Wiechers wrote:

>>>> Most modern firewalls are protected against this kind of
>>>> circumvention.
>>> No.
>> yes
>
> Like which ones? The only one I've seen try (and fail at it) is
> ZoneAlarm 6.5 Pro.

I'd say Sygate 5.x does a pretty good job.
Whenever an untrusted program starts a trusted program to make an
outbound connection on its behalf, Sygate blocks the connection and
informs the user.

This can be reproduced by simply clicking a URL in an email message.
Sygate will inform the user that the default browser wants to connect to
a server, and that this was initiated by the default mailclient. Even if
there already are "allow" rules for both programs separately. Of course,
another rule for this particular combination of programs can be created,
so you're not confronted with these popups in the future.
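
The behaviour described in the post above, where separate "allow" rules for two programs do not cover one of them starting the other, modelled as an added example. It is not part of the original post and not Sygate's code; the rule format, the class and function names, and the program names are hypothetical.

```python
"""Toy model of an outbound policy keyed on (initiator, program) pairs.

Constructed for illustration only: rule format and executable names are
assumptions, not taken from any real personal firewall.
"""
from dataclasses import dataclass, field

ALLOW = "allow"
BLOCK_AND_PROMPT = "block-and-prompt"


@dataclass
class OutboundPolicy:
    # Programs that have a stand-alone "allow" rule.
    allowed_programs: set = field(default_factory=set)
    # (initiator, program) combinations the user has approved explicitly.
    allowed_pairs: set = field(default_factory=set)
    # Launchers that mean "the user started this directly" (assumption).
    launchers: frozenset = frozenset({"explorer.exe"})

    def decide(self, launch_chain):
        """Return (verdict, reason) for one outbound connection attempt.

        launch_chain lists executables from the process opening the socket
        back through whatever started it, for example
        ["browser.exe", "mailclient.exe", "explorer.exe"].
        """
        if not launch_chain:
            raise ValueError("launch_chain must name the connecting program")
        connecting = launch_chain[0]
        if connecting not in self.allowed_programs:
            return BLOCK_AND_PROMPT, f"no allow rule for {connecting}"
        # Walk child -> parent hops until a user-driven launcher is reached.
        for child, parent in zip(launch_chain, launch_chain[1:]):
            if parent in self.launchers:
                break
            if (parent, child) not in self.allowed_pairs:
                return BLOCK_AND_PROMPT, f"{child} was started by {parent}"
        return ALLOW, "program and every initiator pair are approved"


def demo():
    """Run constructed launch chains through the policy; return verdicts."""
    policy = OutboundPolicy(allowed_programs={"browser.exe", "mailclient.exe"})
    mail_link = ["browser.exe", "mailclient.exe", "explorer.exe"]
    results = {
        "browser started by user": policy.decide(
            ["browser.exe", "explorer.exe"])[0],
        "link clicked in mail": policy.decide(mail_link)[0],
        "unknown program starts browser": policy.decide(
            ["browser.exe", "unknown.exe", "explorer.exe"])[0],
    }
    # The user answers the popup by creating a rule for this combination.
    policy.allowed_pairs.add(("mailclient.exe", "browser.exe"))
    results["link clicked after pair rule"] = policy.decide(mail_link)[0]
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The model only sees process launches; it says nothing about code acting inside an already allowed process, which is the case the rest of this thread argues about.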

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 15:44:20 by Volker Birk

prophet wrote:
> I'd say Sygate 5.x does a pretty good job.
> Whenever an untrusted program starts a trusted program to make an
> outbound connection on its behalf, Sygate blocks the connection and
> informs the user.

Sygate failed on both of my leak tests.

Yours,
VB.
--
Far worse than the implementation of PHP, however, is its design.

Rudolf Polzer in de.comp.security.misc

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 15:48:44 by Volker Birk

kingthorin@gmail.com wrote:
> Sadly a lot of attackers = muppets = script kiddies

Yes. And the scripts (aka tool"z") they're using, are not ridiculous
at all, sadly.

> Maybe we'll have to agree to disagree ;)

If "outbound filtering" would not be counterproductive, maybe we could
agree. If it would be harmless, then it would get a "why not, does not
matter" from me.

Unfortunately, the opposite is true; maybe you will comment the "online
software update" problem, before we agree to disagree.

And even if this problem would not exist, most "Personal Firewalls"
would get a "don't use them", since I had a look on a bunch of such
tools - most of them are endangering their users.

Yours,
VB.
--
Far worse than the implementation of PHP, however, is its design.

Rudolf Polzer in de.comp.security.misc

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 16:20:11 by kingthorin

Volker Birk wrote:
> kingthorin@gmail.com wrote:
> > Sadly a lot of attackers = muppets = script kiddies
>
> Yes. And the scripts (aka tool"z") they're using, are not ridiculous
> at all, sadly.

I still don't agree with this, yes some are not ridiculous, but
definitely not all. I could probably even be convinced that the
majority "are not ridiculous" but that still doesn't mean that I don't
want to be protected from those that are.

> > Maybe we'll have to agree to disagree ;)
>
> If "outbound filtering" would not be counterproductive, maybe we could
> agree. If it would be harmless, then it would get a "why not, does not
> matter" from me.
>
> Unfortunately, the opposite is true; maybe you will comment the "online
> software update" problem, before we agree to disagree.

I don't see the issue here, yes software must be able to update. The
majority of updates are accomplished on standard ports. It's obvious to
even dumb users to click yes here. "Your AV wants to access the
internet" (if they even get prompted).

Go to Windows Update website, it wants to install an ActiveX control, do
the majority of users say "No" and end up without updates? Even most
dumb grandmothers that like "sexy dancing pigs" know that when they go
for updates, YES they actually want them.

> And even if this problem would not exist, most "Personal Firewalls"
> would get a "don't use them", since I had a look on a bunch of such
> tools - most of them are endangering their users.

I can agree that currently available software firewalls "are
endangering their users" in the majority of cases.

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 16:34:57 by Ansgar -59cobalt- Wiechers

kingthorin@gmail.com wrote:
> Volker Birk wrote:
>> Yes. And the scripts (aka tool"z") they're using, are not ridiculous
>> at all, sadly.
>
> I still don't agree with this, yes some are not ridiculous, but
> definitely not all.

Yes, several attacks may be detected by outbound control. However, since
you have to depend on luck for not getting hit by a smart one this has
nothing to do with security.

>> If "outbound filtering" would not be counterproductive, maybe we
>> could agree. If it would be harmless, then it would get a "why not,
>> does not matter" from me.
>>
>> Unfortunately, the opposite is true; maybe you will comment the
>> "online software update" problem, before we agree to disagree.
>
> I don't see the issue here, yes software must be able to update.

Most users are not able to distinguish between "good" (e.g. automatic
software updates) and "bad" (malware) outbound connections. So they'll
either allow everything (which is bad because malware will be able to
communicate outbound) or deny everything (which is bad because their
software will remain vulnerable).

> The majority of updates are accomplished on standard ports. It's
> obvious to even dumb users to click yes here. "Your AV wants to access
> the internet" (if they even get prompted).

It's obvious that jusched.exe will update the Java Virtual Machine that
they don't even know they had installed in the first place? IBTD.

> Go to Windows Update website, it wants to install an ActiveX control,
> do the majority of users say "No" and end up without updates? Even
> most dumb grandmothers that like "sexy dancing pigs" know that when
> they go for updates, YES they actually want them.

Volker was talking about automatic updates, not about manual updates.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 16:54:57 by kingthorin

"Yes, several attacks may be detected by outbound control. However,
since you have to depend on luck for not getting hit by a smart one
this has nothing to do with security."

So you're saying that because something might get through I shouldn't
care about any of it? I should be completely willing to sacrifice any
and all CPU cycles, bandwidth, storage etc?

My AV software is completely pointless because while it stops known
attacks it can't/won't stop unknown attacks. (Smart/Dumb, New/Old same
thing).

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 17:00:50 by Volker Birk

kingthorin@gmail.com wrote:
> > maybe you will comment the "online
> > software update" problem, before we agree to disagree.
> I don't see the issue here, yes software must be able to update. The
> majority of updates are accomplished on standard ports. It's obvious to
> even dumb users to click yes here. "Your AV wants to access the
> internet" (if they even get prompted).

I'm not talking about "Anti Virus" programs. I'm talking about people
preventing their PDF viewer, their wordprocessor, their video player,
their MP3 player, their %WHATEVER_USER_PROGRAM% from "phoning home",
which in reality only prevents them from getting online software
updates, and so prevents the user from being protected.

> Go to Windows Update website, it wants to install an ActiveX control, do
> the majority of users say "No" and end up without updates? Even most
> dumb grandmothers that like "sexy dancing pigs" know that when they go
> for updates, YES they actually want them.

Interesting. This is exactly the point, why "preventing from phoning
home" by offering popups never will work: because every user will choose
"Yes", at least at the second time she/he tries to use %FEATURE%.

Yours,
VB.
--
Far worse than the implementation of PHP, however, is its design.

Rudolf Polzer in de.comp.security.misc

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 17:11:46 by Volker Birk

kingthorin@gmail.com wrote:
> So you're saying that because something might get through I shouldn't
> care about any of it? I should be completely willing to sacrifice any
> and all CPU cycles, bandwidth, storage etc?

You should not try to "outbound filter phoning home" then. You should
flatten and rebuild.

> My AV software is completely pointless because while it stops known
> attacks it can't/won't stop unknown attacks. (Smart/Dumb, New/Old same
> thing).

AV software for sure finds every virus it knows (if it's well
implemented), *BEFORE* the malware can do harm.

"Outbound filtering" is too late - it should work, when malware already
broke every security provision you have taken, and your box is already
0wned.

The first is useful. The latter is b0rken by concept.

I don't know, why people don't see the one and only advantage of most
common "Personal Firewalls": to work as a little IDS. OK, maybe IDSes
should be implemented in better ways, but this is the only point I can
see, where one could use a "Personal Firewall" in theory.

Unfortunately, for home users this is not suitable at all in practice,
because all "Personal Firewalls" I know have really terrible false
positives, and are flooding users with useless popups, so nobody will
notice the real important popups any more.

Yours,
VB.
--
Far worse than the implementation of PHP, however, is its design.

Rudolf Polzer in de.comp.security.misc

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 17:50:43 by bassbag

In article <4oj02cFf0lnbU1@individual.net>, usenet-2006@planetcobalt.net
says...
> bassbag wrote:
> > usenet-2006@planetcobalt.net says...
> >> bassbag wrote:
> >>> usenet-2006@planetcobalt.net says...
> >>>> bassbag wrote:
> >>>>> I asked if application firewalls are a myth, then surely people
> >>>>> would see through that (like yourself of course).
> >>>>
> >>>> What makes you believe that?
> >>>
> >>> Because you stated such.
> >>
> >> Ummm... no?
> >
> > Well didn't you agree that the need for outbound application filtering
> > was a myth?
>
> Yes. Where exactly does that imply any claim on my part that everyone
> will see through it?
>
> >>>>> So why would blatant lies boost sales?
> >>>>
> >>>> Because people fall for them?
> >>>
> >>> you haven't...have you
> >>
> >> And because I didn't fall for this particular lie no one will fall for
> >> any lie ever? That's one hell of a claim you put up.
> >
> > Perhaps it's you that need the services of an optician (or an
> > interpreter). I didn't claim any such thing.
>
> So you didn't reply "you haven't ... have you" when I stated that lies
> may boost sales because of people falling for the lies?
>
> cu
> 59cobalt
>
yes.....but what has that got to do with YOUR comment stating that
because you didn't fall for a "lie"... no one will fall for any lie
ever?, and attributing that "claim" to me?
me

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 17:52:54 by bassbag

In article <4oj0buFf0lnbU2@individual.net>, usenet-2006@planetcobalt.net
says...
> bassbag wrote:
> > usenet-2006@planetcobalt.net says...
> >> bassbag wrote:
> >>> usenet-2006@planetcobalt.net says...
> >>>> bassbag wrote:
> >>>>> Most modern firewalls are protected against this kind of
> >>>>> circumvention.
> [...]
> >> Like which ones? The only one I've seen try (and fail at it) is
> >> ZoneAlarm 6.5 Pro.
> >
> > Just google for firewall component control, Anti leak... dll injection
> > etc. There's quite a few of them.
>
> I'll take that as an "I don't know any either".
>
> cu
> 59cobalt
>
Take it any way you want. It seems many here (including yourself) are just
too bone idle to use a search engine... and I'm afraid I won't do it for
you.
me

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 18:54:55 by Ansgar -59cobalt- Wiechers

bassbag wrote:
> usenet-2006@planetcobalt.net says...
>> bassbag wrote:
>>> usenet-2006@planetcobalt.net says...
>>>> bassbag wrote:
>>>>> usenet-2006@planetcobalt.net says...
>>>>>> bassbag wrote:
>>>>>>> Most modern firewalls are protected against this kind of
>>>>>>> circumvention.
>> [...]
>>>> Like which ones? The only one I've seen try (and fail at it) is
>>>> ZoneAlarm 6.5 Pro.
>>>
>>> Just google for firewall component control, Anti leak... dll injection
>>> etc. There's quite a few of them.
>>
>> I'll take that as an "I don't know any either".
>
> Take it any way you want. It seems many here (including yourself) are
> just too bone idle to use a search engine... and I'm afraid I won't do
> it for you.

It's not me who put up the claim, so it's not my job to bring the proof,
but yours. Plain and simple.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 19:00:57 by Ansgar -59cobalt- Wiechers

kingthorin@gmail.com wrote:
> "Yes, several attacks may be detected by outbound control. However,
> since you have to depend on luck for not getting hit by a smart one
> this has nothing to do with security."
>
> So you're saying that because something might get through I shouldn't
> care about any of it?

I'm saying that because you can't rely on it, it doesn't count as a
security measure. Whether you want to use such measures despite that
is up to you.

> My AV software is completely pointless because while it stops known
> attacks it can't/won't stop unknown attacks. (Smart/Dumb, New/Old same
> thing).

No, it's not the same thing. AV software is supposed to detect known
malware patterns and block access to files where it detects them. That
it can do reliably.

And will you please learn how to quote sensibly?

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 19:08:14 by Ansgar -59cobalt- Wiechers

bassbag wrote:
> usenet-2006@planetcobalt.net says...
>> bassbag wrote:
>>> usenet-2006@planetcobalt.net says...
>>>> bassbag wrote:
>>>>> usenet-2006@planetcobalt.net says...
>>>>>> bassbag wrote:
>>>>>>> I asked if application firewalls are a myth, then surely people
>>>>>>> would see through that (like yourself of course).
>>>>>>
>>>>>> What makes you believe that?
>>>>>
>>>>> Because you stated such.
>>>>
>>>> Ummm... no?
>>>
>>> Well didn't you agree that the need for outbound application
>>> filtering was a myth?
>>
>> Yes. Where exactly does that imply any claim on my part that everyone
>> will see through it?

No comment here, so I take it you agree that I never stated any such
thing.

>>>>>>> So why would blatant lies boost sales?
>>>>>>
>>>>>> Because people fall for them?
>>>>>
>>>>> you haven't... have you
>>>>
>>>> And because I didn't fall for this particular lie no one will fall
>>>> for any lie ever? That's one hell of a claim you put up.
>>>
>>> Perhaps it's you that need the services of an optician (or an
>>> interpreter). I didn't claim any such thing.
>>
>> So you didn't reply "you haven't ... have you" when I stated that
>> lies may boost sales because of people falling for the lies?
>
> Yes... but what has that got to do with YOUR comment stating that
> because you didn't fall for a "lie"... no one will fall for any lie
> ever, and attributing that "claim" to me?

You may want to explain then what you intended to express with that
reply of yours, unless you just meant to make a remark that was entirely
unrelated to what was discussed before.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 19:19:05 by kingthorin

Ansgar -59cobalt- Wiechers wrote:
> kingthorin@gmail.com wrote:
> > > "Yes, several attacks may be detected by outbound control. However,
> > > since you have to depend on luck for not getting hit by a smart one
> > > this has nothing to do with security."
> >
> > So you're saying that because something might get through I shouldn't
> > care about any of it?
>
> I'm saying that because you can't rely on it it doesn't count as a
> security measure. Whether you want to use such measures despite of that
> is up to you.
>
>
> > My AV software is completely pointless because while it stops known
> > attacks it can't/won't stop unknown attacks. (Smart/Dumb, New/Old same
> > thing).
>
> No, it's not the same thing. AV software is supposed to detect known
> malware patterns and block access to files where it detects them. That
> it can do reliably.

So because it doesn't protect you from unknown attacks "you can't rely
on it it doesn't count as a security measure."

It's exactly the same thing: outbound filtering can stop some threats
(the software may land on your sys but if it is not allowed to
communicate it can't fulfill its goal), AV can stop some threats (the
software may land on your sys but if it is quarantined or removed it
can't fulfill its goal).

>
> And will you please learn how to quote sensibly?

Sorry about that, I hate those >>>, but if it makes life easier for you
(everyone else) I'll try to leave them in.

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 19:43:33 by Ansgar -59cobalt- Wiechers

kingthorin@gmail.com wrote:
> Ansgar -59cobalt- Wiechers wrote:
>> kingthorin@gmail.com wrote:
>>>> "Yes, several attacks may be detected by outbound control. However,
>>>> since you have to depend on luck for not getting hit by a smart one
>>>> this has nothing to do with security."
>>>
>>> So you're saying that because something might get through I
>>> shouldn't care about any of it?
>>
>> I'm saying that because you can't rely on it it doesn't count as a
>> security measure. Whether you want to use such measures despite of
>> that is up to you.
>>
>>> My AV software is completely pointless because while it stops known
>>> attacks it can't/won't stop unknown attacks. (Smart/Dumb, New/Old
>>> same thing).
>>
>> No, it's not the same thing. AV software is supposed to detect known
>> malware patterns and block access to files where it detects them.
>> That it can do reliably.
>
> So because it doesn't protect you from unknown attacks "you can't rely
> on it it doesn't count as a security measure."

Wrong. No measure will protect you from unknown attacks, because one
needs to know the attack vector to implement the countermeasure. The
attack vectors malware can use to communicate outbound are well known,
but they can't be mitigated easily without breaking lots of stuff in
Windows because of the way Windows works.

[...]
>> And will you please learn how to quote sensibly?
>
> Sorry about that, I hate those >>>, but if it makes life easier for you
> (everyone else) I'll try to leave them in.

Thank you. It does make life a lot easier.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 20:35:33 by Volker Birk

kingthorin@gmail.com wrote:
> > No, it's not the same thing. AV software is supposed to detect known
> > malware patterns and block access to files where it detects them. That
> > it can do reliably.
> So because it doesn't protect you from unknown attacks "you can't rely
> on it it doesn't count as a security measure."

Anti Virus software does not protect from viruses. You may not rely on
it.

Anti Virus software does filter out already known viruses. You may rely
on it.

"Personal Firewalls" don't prevent malware from "phoning home", which is
already running on a machine. You cannot rely on it.

"Personal Firewalls" prevent legal software from doing online software
updates. You can rely on it.

Yours,
VB.
--
Far worse than the implementation of PHP, however, is its design.

Rudolf Polzer in de.comp.security.misc
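What "filters out already known viruses" amounts to, as an added sketch that is not part of any post in this thread: a scanner that matches files against a database of known hashes and byte patterns. The `SignatureDB` class, the signature name and the sample byte strings are all constructed for illustration.

```python
import hashlib

# Constructed, harmless byte strings standing in for files on disk.
KNOWN_SAMPLE = b"HDR1" + b"PAYLOAD-MARKER-A" + b"TAIL"
REPACKED_SAMPLE = b"HDR2-different" + b"PAYLOAD-MARKER-A" + b"padding"
NOVEL_SAMPLE = b"HDR1" + b"PAYLOAD-MARKER-B" + b"TAIL"
CLEAN_FILE = b"quarterly report, plain text"


class SignatureDB:
    """Hypothetical signature store: exact SHA-256 hashes plus byte patterns."""

    def __init__(self):
        self.hashes = {}    # sha256 hex digest -> signature name
        self.patterns = {}  # byte pattern -> signature name

    def add_hash(self, name, data):
        self.hashes[hashlib.sha256(data).hexdigest()] = name

    def add_pattern(self, name, pattern):
        self.patterns[pattern] = name

    def scan(self, data):
        """Return (match_type, name) for a known signature, else None."""
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.hashes:
            return ("hash", self.hashes[digest])
        for pattern, name in self.patterns.items():
            if pattern in data:
                return ("pattern", name)
        return None  # "no signature matched", which is not the same as "clean"


def build_db():
    # The database only ever contains what has already been seen and analysed.
    db = SignatureDB()
    db.add_hash("Constructed.A", KNOWN_SAMPLE)
    db.add_pattern("Constructed.A", b"PAYLOAD-MARKER-A")
    return db


def scan_all():
    db = build_db()
    files = {"known": KNOWN_SAMPLE, "repacked": REPACKED_SAMPLE,
             "novel": NOVEL_SAMPLE, "clean": CLEAN_FILE}
    return {label: db.scan(data) for label, data in files.items()}


if __name__ == "__main__":
    for label, verdict in scan_all().items():
        print(f"{label:9} -> {verdict}")
```

A `None` verdict only means that no known signature matched, so the scanner cannot tell the novel sample apart from the clean file.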

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 21:02:25 by bassbag

In article <4okrmvFdqv1eU1@individual.net>, usenet-2006@planetcobalt.net
says...
> bassbag wrote:
> > usenet-2006@planetcobalt.net says...
> >> bassbag wrote:
> >>> usenet-2006@planetcobalt.net says...
> >>>> bassbag wrote:
> >>>>> usenet-2006@planetcobalt.net says...
> >>>>>> bassbag wrote:
> >>>>>>> Most modern firewalls are protected against this kind of
> >>>>>>> circumvention.
> >> [...]
> >>>> Like which ones? The only one I've seen try (and fail at it) is
> >>>> ZoneAlarm 6.5 Pro.
> >>>
> >>> Just google for firewall component control, Anti leak... dll injection
> >>> etc. There's quite a few of them.
> >>
> >> I'll take that as an "I don't know any either".
> >
> > Take it any way you want. It seems many here (including yourself) are
> > just too bone idle to use a search engine... and I'm afraid I won't do
> > it for you.
>
> It's not me who put up the claim, so it's not my job to bring the proof,
> but yours. Plain and simple.
>
> cu
> 59cobalt
>
I don't need to prove anything as you haven't disproved anything that I'm
aware of.
me

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 21:10:30 by bassbag

In article <4oksfuFdqv1eU3@individual.net>, usenet-2006@planetcobalt.net
says...
> bassbag wrote:
> > usenet-2006@planetcobalt.net says...
> >> bassbag wrote:
> >>> usenet-2006@planetcobalt.net says...
> >>>> bassbag wrote:
> >>>>> usenet-2006@planetcobalt.net says...
> >>>>>> bassbag wrote:
> >>>>>>> I asked if application firewalls are a myth, then surely people
> >>>>>>> would see through that (like yourself of course).
> >>>>>>
> >>>>>> What makes you believe that?
> >>>>>
> >>>>> Because you stated such.
> >>>>
> >>>> Ummm... no?
> >>>
> >>> Well didn't you agree that the need for outbound application
> >>> filtering was a myth?
> >>
> >> Yes. Where exactly does that imply any claim on my part that everyone
> >> will see through it?
>
> No comment here, so I take it you agree that I did never state any such
> thing.
>
> >>>>>>> So why would blatant lies boost sales?
> >>>>>>
> >>>>>> Because people fall for them?
> >>>>>
> >>>>> you haven't... have you
> >>>>
> >>>> And because I didn't fall for this particular lie no one will fall
> >>>> for any lie ever? That's one hell of a claim you put up.
> >>>
> >>> Perhaps it's you that need the services of an optician (or an
> >>> interpreter). I didn't claim any such thing.
> >>
> >> So you didn't reply "you haven't ... have you" when I stated that
> >> lies may boost sales because of people falling for the lies?
> >
> > Yes... but what has that got to do with YOUR comment stating that
> > because you didn't fall for a "lie"... no one will fall for any lie
> > ever, and attributing that "claim" to me?
>
> You may want to explain then what you intended to express with that
> reply of yours, unless you just meant to make a remark that was entirely
> unrelated to what was discussed before.
>
> cu
> 59cobalt
An explanation of the remark is not necessary because it's self-evident.
me

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 21:42:09 by Thomas Hertel

bassbag wrote:

> Maybe they fooled you into thinking their XP firewall, without outbound
> application filtering was enough.

In my environment, it is even more than enough.

Regards
Thomas

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 21:50:39 by Ansgar -59cobalt- Wiechers

bassbag wrote:
> usenet-2006@planetcobalt.net says...
>> It's not me who put up the claim, so it's not my job to bring the
>> proof, but yours. Plain and simple.
>
> I don't need to prove anything as you haven't disproved anything that
> I'm aware of.

You just proved rather clearly that you're just another troll.

*plonk*

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 22:02:51 by bassbag

In article <4ol60fFf4efuU1@individual.net>, usenet-2006@planetcobalt.net
says...
> bassbag wrote:
> > usenet-2006@planetcobalt.net says...
> >> It's not me who put up the claim, so it's not my job to bring the
> >> proof, but yours. Plain and simple.
> >
> > I don't need to prove anything as you haven't disproved anything that
> > I'm aware of.
>
> You just proved rather clearly that you're just another troll.
>
> *plonk*
>
> cu
> 59cobalt
>
Why should I continue to respond to something that you yourself have
not proven?
Plonk?... Is that what you are drinking?
me

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 05.10.2006 22:12:46 by bassbag

In article <4okui5Ff40egU1@individual.net>, usenet-2006@planetcobalt.net
says...
> kingthorin@gmail.com wrote:
> > Ansgar -59cobalt- Wiechers wrote:
> >> kingthorin@gmail.com wrote:
> >>>> "Yes, several attacks may be detected by outbound control. However,
> >>>> since you have to depend on luck for not getting hit by a smart one
> >>>> this has nothing to do with security."
> >>>
> >>> So you're saying that because something might get through I
> >>> shouldn't care about any of it?
> >>
> >> I'm saying that because you can't rely on it it doesn't count as a
> >> security measure. Whether you want to use such measures despite of
> >> that is up to you.
> >>
> >>> My AV software is completely pointless because while it stops known
> >>> attacks it can't/won't stop unknown attacks. (Smart/Dumb, New/Old
> >>> same thing).
> >>
> >> No, it's not the same thing. AV software is supposed to detect known
> >> malware patterns and block access to files where it detects them.
> >> That it can do reliably.
> >
> > So because it doesn't protect you from unknown attacks "you can't rely
> > on it it doesn't count as a security measure."
>
> Wrong. No measure will protect you from unknown attacks, because one
> needs to know the attack vector to implement the countermeasure. The
> attack vectors malware can use to communicate outbound are well known,
> but they can't be mitigated easily without breaking lots of stuff in
> Windows because of the way Windows works.
>
> [...]
> >> And will you please learn how to quote sensibly?
> >
> > Sorry about that, I hate those >>>, but if it makes life easier for you
> > (everyone else) I'll try to leave them in.
>
> Thank you. It does make life a lot easier.
>
> cu
> 59cobalt
>
Utter rubbish!!
The use of HIPS can prevent many unknown attacks, through API calling,
behavior blocking, integrity analysis.
me

Re: Zone Alarm (Freeware-) stopped reporting intrustions..

on 06.10.2006 14:29:10 by kingthorin

Volker Birk wrote:
> kingthorin@gmail.com wrote:
> > > No, it's not the same thing. AV software is supposed to detect known
> > > malware patterns and block access to files where it detects them. That
> > > it can do reliably.
> > So because it doesn't protect you from unknown attacks "you can't rely
> > on it it doesn't count as a security measure."
>
> Anti Virus software does not protect from viruses. You may not rely on
> it.
>
> Anti Virus software does filter out already known viruses. You may rely
> on it.
>
> "Personal Firewalls" don't prevent malware from "phoning home", which is
> already running on a machine. You cannot rely on it.

Hence the need for outbound filtering is not a myth.

> "Personal Firewalls" prevent legal software from doing online software
> updates. You can rely on it.

I still disagree with this statement. As I have many times previously.
I think we're going to have to agree to disagree.