Open Source and information security mailing list archives
Date: Thu Feb  9 16:55:55 2006
From: davek_throwaway at hotmail.com (Dave Korn)
Subject: Cringely's FUD-spreading leads to broken workarounds being suggested

[  For those who are getting bored and would like to know something 
interesting, there is some actual technical and security-related ON-TOPIC 
content toward the end of this post!  ]

Ivan . wrote:
> nice personal attacks, a great display of your intellect.

  I have little patience with anyone who repeatedly misrepresents what I 
have said and then proceeds to throw strawman arguments at me.

  You were the one who started with the patronising comments to "read the 
article again Dave" as if I was some kind of idiot who couldn't see what was 
in front of my eyes, but you then posted a link to a /different/ article 
which was by someone else, because the article that you originally posted a 
link to, and to which I was responding in my first post, had all the 
failings that I described of it, and did not have the evidence that you 
claimed it did.

  And you know, just because you posted a link here, and I posted something 
critical of that article, doesn't mean you should react as if I was 
criticising you, but you jump down my throat with a patronising and 
emotional overreaction.  Stop being so precious.

>> My first post in this thread claimed that Cringely was spreading
>> FUD, and had provided no evidence to back up his claim.
>
> No your first post was this
>
>> Without seeing the content of these packets, I don't see how
>> Cringely can claim to know whether there's anything spyware or not
>> about it.  There is no *evidence* for his claim.  I'm always
>> suspicious of people who claim to have observed 'spyware phoning
>> home' but who are then completely unable to give any details about
>> the contents or destination of the packets, since it means that they
>> are claiming something that they don't actually know at all.

  I don't understand why you don't see that that paragraph is accusing him 
of FUD-spreading.  What else is FUD but vague and unproven accusations of 
something-bad-going-on?

> His only claim was that zonealarm "phones home" even when all the
> communication options are disabled. I can't find any claim of spyware
> as you indicated.

  Well, you and I clearly read differently.  You can't find any claim of 
spyware.  Yet the article is titled "A perfect spy".  He describes ZA's 
perfectly ordinary auto-update function (which is in no way any different 
from any other auto-update function in any other 'net-enabled application) 
as "surreptitious" and "encrypted", and he ends with this throw-away line 
about how "there's no truth to the rumor that the NSA used ZoneAlarm to spy 
on U.S. citizens", when nobody has in fact been spreading any such rumour.

  To me, it's perfectly clear that he is spreading FUD.  Cringely is a 
journalist, a professional wordsmith, and he chooses his words carefully and 
deliberately according to the meaning he wants to convey to others.  If he 
titles the piece "A perfect spy", it's because he wants to raise suspicions 
of spyware in the backs of people's minds.  If he describes the 
communications as "surreptitious", it's because he wants you to think that 
steps have been taken to deliberately conceal them.  If he refers to a 
rumour that never existed, it's because he wants to start one.

  Please consider the article carefully.  Cringely doesn't claim to have 
discovered this himself, he is reporting at second-hand what he was told by 
one of his colleagues.  He then enhances and elaborates on that report with 
innuendo and hyperbole, and gives not even the basic details to back up the 
claims he is making.  I think that's a perfectly reasonable thing to 
describe as FUD and rumour-mongery.  I note that his colleague has been 
keeping his head down in all this and not making any exaggerated claims.

> His claim of a phone home bug has been vindicated by
> Zonelabs/Checkpoint's response to the list and the admission of the
> bug.

  Once more you raise this strawman.  We all know there's a bug in the 
auto-update.  That is not under debate.

> Like I said before, it's up to the people on the list to decide if
> this is an issue for them or not. Not for an arrogant fool like you to
> force his opinion onto people.

  See, there you go missing the point again.  I'm talking about whether 
Cringely is making unsubstantiated claims and spreading fud, and you persist 
in misrepresenting what I'm saying as being about whether or not ZA does or 
doesn't phone home and whether or not that matters to other people.  That is 
NOT what I'm saying, it's something that _you_ have misinterpreted.

[  ON-TOPIC bit begins here  ]

  And know what?  If you are as concerned with letting people make their own 
minds up whether it's an issue or not, and what to do with it, then it would 
be logical for you to want to see full details of what it is that is 
actually being claimed.  This partial report is bad for those people, 
because the inaccuracy/lack of detail makes it harder for them to make that 
judgement for themselves, since they haven't been given sufficient 
information.  It is as a *direct* result of his (Cringely's) failure to show 
packet logs and give the necessary details to substantiate his claims, that 
people have been misled into using that bogus workaround that the guy from 
The Inq. posted.  Remember that link you gave a few posts back?

http://theinquirer.net/?article=29157
-----------------quote-----------------
 The company says it will fix the "bug" soon. In the meantime you can work 
around it by adding:
# Block access to ZoneLabs Server
127.0.0.1 zonelabs.com
to your Windows host file.
-----------------quote-----------------

  See, if Cringely had posted packet dumps, or indeed any information at 
all, everybody would have known that that workaround is no good.  After all, 
one glance at the packets, and everyone would have known in an instant that 
the actual DNS name it looks up is "update.zonelabs.com", and adding an 
alias for "zonelabs.com" will FAIL to protect you in any way.

  Vital information that.  But because of Cringely's poor standards, nobody 
knew it.  This is at the heart of my complaint against Cringely and at the 
heart of the debate over full disclosure: without full information, people 
are unable to make informed decisions about the security issues that might 
or might not affect them.

> go ride your high horse over to letters@...oworld.com

  You posted a link to an article here, so here was where I thought was a 
reasonable place to discuss the article and the issues raised by it, and in 
particular how they relate to security reporting and disclosure.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today.... 
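The point made in the on-topic part of the post, that a hosts-file line for "zonelabs.com" does nothing for a lookup of "update.zonelabs.com", follows from how hosts files are matched: the name is compared exactly, with no wildcard or suffix matching. The following is an added example, not code from the post or from The Inquirer article; it parses hosts-file text with the same rules a resolver applies (comments, blank lines, several aliases per line, first matching entry wins) and reports which names observed in a capture a proposed hosts entry actually covers. The sample hosts text is constructed here from the quoted workaround; the observed name "update.zonelabs.com" is the one the post gives. The "corrected" entry for that exact name is my assumption of what a name-for-name override would look like, not something the post states.

```python
"""Check a proposed hosts-file workaround against the names actually looked up.

Hosts files are matched by exact name, so an entry for the parent domain does
not redirect lookups of a sub-host.  Added example; not from the original post.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed sample: a Windows hosts file with the workaround quoted in the post.
SUGGESTED_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Block access to ZoneLabs Server
127.0.0.1 zonelabs.com
"""

# The name the post says is actually resolved by the auto-update.
OBSERVED_NAMES = ["update.zonelabs.com"]

# Assumed corrected entry: an override for the exact host that is looked up.
CORRECTED_HOSTS = SUGGESTED_HOSTS + "127.0.0.1 update.zonelabs.com\n"


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts-file text into {lowercased name: address}.

    Mirrors resolver behaviour: '#' starts a comment, whitespace separates
    fields, one address may carry several names, and the first entry for a
    given name wins.  Lines whose first field is not an IP address are ignored.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # not a valid IPv4/IPv6 literal; resolvers skip such lines
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), addr)
    return table


def hosts_lookup(table: Dict[str, str], name: str) -> Optional[str]:
    """Exact-name lookup.  There is no suffix or wildcard matching, so an
    entry for 'zonelabs.com' is never consulted for 'update.zonelabs.com'."""
    return table.get(name.lower().rstrip("."))


def uncovered_names(hosts_text: str, observed: List[str]) -> List[str]:
    """Return the observed names that the given hosts text does NOT redirect.

    Feed it the hostnames seen in the packet capture (the detail the post
    complains was never published) to test whether a workaround is effective.
    """
    table = parse_hosts(hosts_text)
    return [n for n in observed if hosts_lookup(table, n) is None]


if __name__ == "__main__":
    for label, text in (("suggested", SUGGESTED_HOSTS), ("corrected", CORRECTED_HOSTS)):
        missed = uncovered_names(text, OBSERVED_NAMES)
        status = "still resolve normally" if missed else "all redirected"
        print(f"{label} hosts file: {status} ({missed})")
```

Running it against the suggested file reports "update.zonelabs.com" as still resolving normally; only an entry for the exact name changes that. On a live Windows box the same check is `ping update.zonelabs.com` after editing the hosts file and looking at which address is printed. Note that a hosts override is only a local workaround in any case: it stops nothing that connects by IP address or that switches to a different hostname.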


