Security

Zone Alarm Vs 180 Solutions: Zango hooks?

Sub-Seven writes "Found at Vitalsecurity.org, they detail how a Microsoft MVP pulled the Zango file to pieces, and discovered some interesting facts about exactly what a "simple" fun and games application does to a machine that it's running on. Hooking into Windows OneCare and Microsoft Antispyware? What's that all about?"
This discussion has been archived. No new comments can be posted.

  • Clever (rolleyes) (Score:4, Insightful)

    by Pope ( 17780 ) on Monday December 05, 2005 @11:22AM (#14184947)
    Put a link to the article on the same page as itself, thereby upping your Google ranking.

    Blogs are awesome.

  • by ergo98 ( 9391 ) on Monday December 05, 2005 @11:26AM (#14184975) Homepage Journal
    The linked-to blog article is clear as mud

    No kidding. The blog article has ZERO content, apart from linking to two other sites about some program that purportedly is being flagged as spyware.

    If slashdot is accepting lame "my blog entry" submissions like this (and what's with the "Microsoft MVP" comment in the submission? That's like trying to give credibility to a blog entry by purporting it to come from a "high school graduate"), then I'm going to start submitting every entry I make. Maybe I'll blog about this blog entry that blogs about a blog entry and submit that.

    Ah well, like I - esteemed high school graduate and Blockbuster cardholder - said - most blogging is bloggers talking about blogging [yafla.com]. (Yes, hypocrisy runs deep with this)

  • by ZachPruckowski ( 918562 ) <zachary.pruckowski@gmail.com> on Monday December 05, 2005 @11:27AM (#14184980)
    The whole reason for the lawsuit wasn't because 180 was pissed with misleading statements, it was because a potential business partner of 180solutions had concerns about associating their company which Zone Labs had tagged as a high security risk.

    Well, if legitimate companies are afraid to associate with spyware companies, then I'd call that a good side-effect of the Sony malware mess.
  • by Frankie70 ( 803801 ) on Monday December 05, 2005 @11:29AM (#14184998)
    For anyone who doesn't know, you become a Microsoft MVP largely by being an unemployed loser - the more time you can waste away providing pro-Microsoft answers on Microsoft's message boards, providing them with a lot of free labour.


    What about all those people providing support on Linux/MySQL/Apache mailing lists/forums etc - what are they? Unemployed losers or OSS champions?
  • by nonsequitor ( 893813 ) on Monday December 05, 2005 @11:32AM (#14185016)
    Who do you want to control the firewall for your connection? I would rather have full control over my home network, let everyone else be damned. What if they start blocking port 21 (no ssh for you), then they block 80 (you shouldn't be running a webserver on a non-commercial line anyway), and so on.

    Sorry, good idea, but there's no real standard between OS's on reserved ports in the sub 1024 range. Ports which you may not want exposed to the world on a windows box could run a perfectly secure service on a *nix box. I don't think that is the case at the moment, but you get the idea.

    Your ISP is a common carrier, they are not liable for what is transmitted over their network. I believe they are looking into attack mitigation for large scale DDoS and worm traffic, but if they start requiring me to use a firewall configured by them, I'll switch ISPs.
  • by Idaho ( 12907 ) on Monday December 05, 2005 @11:32AM (#14185022)
    This is IMO becoming a problem in a lot of games. Counterstrike, World of Warcraft, Valve with its Steam engine, crap like punkbuster that scans your entire drive, registry and who knows what else, just to make sure you aren't cheating. And we are not talking about minor game companies here.

    Don't get me wrong, cheating is a major (if not: the worst) problem in online games, but the lengths to which game providers go to assure (a) that you are using a legally bought version of the game (most important) and (b) that you are not using modified drivers, game libraries etc. in order to cheat (game company couldn't care less, but it costs them customers so they have to care..), could certainly make some of them be rated as 'spyware'. Then again, so can Windows XP itself. After users accepted that activation crap from Microsoft, where else could you expect this thing to go? If Microsoft is allowed to do it, then why not $small_corp_with_questionable_ethics?

    (obviously, the answer is that Microsoft should not be allowed to do it in the first place, either. But as it is, this company might actually have a point - if Sony can do it and not be detected for over half a year, why can't they? The idea is ridiculous of course, but hey...)
  • by hal9000(jr) ( 316943 ) on Monday December 05, 2005 @11:38AM (#14185080)
    Home Routers/Firewalls protect your machine against INBOUND, unsolicited connection requests.

    That is not correct. Typical home routers are Network Address Port Translation (NAPT) devices that translate private internal addresses to a single public external address. Stopping unsolicited external connections is a beneficial side-effect of NAPT because there is no translation rule for the NAPT router to pass traffic inward. Now, many NAPT routers can't properly handle dynamic protocols like gaming protocols (specifically gaming protocols that use ephemeral ports from external hosts (VoIP suffers from this too, btw)), so without specific game support (on a per title or service basis), you essentially create a default inbound rule that says "any external unsolicited connection gets sent to this internal computer."

    Software firewalls protect you against OUTBOUND connections you did not authorize.

    Wrong again. Host firewalls will block unsolicited external connections to the host, and in fact that was the original design goal of BlackICE, Zone, and others. Check it out. Turn one on, scan it and see what happens. Then turn off the host firewall, scan it, and compare the results. The blocking of outbound connections came later, as a feature to stop worms and network viruses from spreading.

    So if you're doing on-line games and your router doesn't intelligently support the gaming protocol (assuming the gaming protocol uses ephemeral ports), then your host is a sitting duck.
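
The NAPT behaviour described in the comment above, as an added example that is not part of the original thread: a toy translation table showing why unsolicited inbound traffic is dropped, and what changes once a default inbound ("DMZ host") rule is configured. The class, the addresses and the strict per-remote matching are assumptions made for illustration; real routers differ in how tightly they match the remote endpoint.

```python
from dataclasses import dataclass, field
from typing import Optional

PUBLIC_IP = "203.0.113.10"  # constructed documentation address


@dataclass
class NaptRouter:
    """Toy NAPT device (hypothetical model): one public address, many private hosts."""
    dmz_host: Optional[str] = None   # default inbound target, if configured
    next_port: int = 40000
    # public port -> (internal ip, internal port, remote ip, remote port)
    table: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """An internal host opens a connection: allocate a translation entry."""
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (src_ip, src_port, dst_ip, dst_port)
        return PUBLIC_IP, pub_port

    def inbound(self, remote_ip, remote_port, pub_port):
        """Return the (internal ip, port) a packet is delivered to, or None if dropped."""
        entry = self.table.get(pub_port)
        if entry and entry[2:] == (remote_ip, remote_port):
            return entry[0], entry[1]        # reply to a connection we opened
        if self.dmz_host is not None:
            return self.dmz_host, pub_port   # default rule: everything else lands here
        return None                          # no translation rule: dropped


def demo():
    """Constructed traffic: one game client, its server, and two unrelated hosts."""
    out = {}
    for label, router in (("plain", NaptRouter()),
                          ("dmz", NaptRouter(dmz_host="192.168.1.20"))):
        _, port = router.outbound("192.168.1.20", 51000, "198.51.100.5", 27015)
        out[label] = {
            "server_reply": router.inbound("198.51.100.5", 27015, port),
            # a second game peer on an ephemeral port, never contacted first
            "other_peer": router.inbound("198.51.100.9", 30000, port),
            "unsolicited": router.inbound("198.51.100.77", 4444, 3389),
        }
    return out


if __name__ == "__main__":
    for label, verdicts in demo().items():
        print(label, verdicts)
```
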
  • by aquarian ( 134728 ) on Monday December 05, 2005 @11:39AM (#14185082)

    I agree with everything you said, but especially this:

    As a sidenote -- the reason for training my customers in smart browsing techniques is a selfish one. As we reduce a company's cost of doing business, our referral rate skyrockets. The less we work/bill, the more work we have to bill. If you're a consultant and you're not seeing a decent increase in your customer base every year, you're not doing a good enough job. There is more work in the U.S. than is being tapped, and it is usually because companies aren't seeing things getting better.

    I've found this applies to whatever business you're in. I've started, grown, and sold 4 different companies, in completely unrelated industries. The more we were able to make ourselves unnecessary, the more work we got.
  • by rborek ( 563153 ) on Monday December 05, 2005 @11:39AM (#14185085)
    I'm a Microsoft MVP, and I'm not unemployed, and I'm not a loser.

    Those active in other communities (ie Linux) are not told that they are unemployed losers for helping people out. So what if a bunch of us want to actually help people by making use of our expertise?

    Not every MVP is an expert in every area, but they are an expert in the area that they were awarded in. For example, my award is in Mobile Devices, but I'm far from being an expert in FoxPro.

  • by digitaldc ( 879047 ) * on Monday December 05, 2005 @11:43AM (#14185112)
    ...with a name like 'Zango' that offers free games.

    It will only lead to great suffering.
  • Yes. And also: (Score:4, Insightful)

    by sammy baby ( 14909 ) on Monday December 05, 2005 @11:52AM (#14185198) Journal
    The Slashdot summary has more info than the linked article, but the impressive thing is that the Slashdot summary still is only barely written in complete sentences. I mean, I'm a sysadmin with about ten years of experience, I've been reading Slashdot for years, and not only can I not understand what the article says, I'm not even sure what it's supposed to be about. Someone not flagging spyware when they should? Or tagging it as spyware when it shouldn't? Or... christ, I give up. Not worth it.
  • Re:Why the blog? (Score:5, Insightful)

    by Billosaur ( 927319 ) * <<wgrother> <at> <optonline.net>> on Monday December 05, 2005 @11:54AM (#14185214) Journal
    What is it with blog pages that link to another blog, which links to another blog, and so on?

    This is the principle of the "Möbius [wikipedia.org] blog", whereby the information is wholly one-sided and is repeated so often that it is taken for fact by anyone reading it. As they move from link to link, their indoctrination in the rhetoric increases, with the theoretical maximum value being reached when they return to the original "source" blog. Once a "Möbius blog" is entered, the ability of the reader to avoid reading the next blog in the series decreases proportionately.

    The "Möbius blog" is also known as "Internet journalism".

  • by erroneus ( 253617 ) on Monday December 05, 2005 @12:38PM (#14185593) Homepage
    I think that's the most simple way to put it. These companies and companies like these simply value their own interests over that of their users in a way that breaches respect for their users/customers. In addition to any legal action that is going on or should be going on, there are other actions that I think should be going on as well. Such actions should include protests and any other way that can be used to raise public awareness.

    Sony has displayed for all to see that they do not respect their users or their computer systems. 180 Solutions, as much as they have tried to deny their intent, have been shown to write code that does things that... well, it "shouldn't." Again, more than a casual or accidental display of disrespect or even contempt for the user.

    "Tarred and feathered" would be the treatment they'd receive not too many decades ago -- their leaders would be grabbed by anonymous people, put on public display and humiliated. Now that we are somehow beyond this horrible behavior in today's more civilized society, I guess these fraudsters have a lot less to fear from the anonymous public at large.

    In my view, there will probably always be these types of people. I truly fail to understand where these people come from, what they are thinking and why they think it's okay. These types of people are truly troubling to me and to my conscience somehow -- perhaps I don't feel as if I am personally doing enough... perhaps my own vigilante drive not being acted upon has something to do with it -- I suspect so. I wish and hope and dream all of the worst for these types of people since it seems these types never quite reap what they sow.
  • Check again (Score:3, Insightful)

    by AnEmbodiedMind ( 612071 ) on Monday December 05, 2005 @01:45PM (#14186244)
    No it is not possible. Read the grandparent post again, this time with emphasis to make things clearer:
    What we really need is a cheap, standalone appliance with an application-level firewall that can determine what application is sending requests by looking at packet contents (I know this is difficult).
    Your suggestion was:
    How about using an HTTP/SSL Proxy and forcing all outbound connections through the proxy and examining the underlying protocols prior to exiting a perimeter firewall?
    How does that help? You still don't know what application is sending requests, you only know what protocol it is speaking. But so what? sure it just looks like standard http/ssl traffic (it is)... so how does your network box know whether it is coming from a web-browser or some ssl speaking malware?

    The answer - it can't.

    Your handy http/ssl proxy will just merrily forward that traffic on to the company's CGI webserver and they've got through again.

    Your comments about "service level attacks" that break the protocol specification are out of place here too. The malware can post totally legitimate http/ssl to a parent company server and communicate all the information it needs to.

  • by Animats ( 122034 ) on Monday December 05, 2005 @02:48PM (#14186797) Homepage
    Suing Zone Labs was a really dumb move for 180 Solutions. Now Zone Labs can start discovery.

    First, of course, they'll want to see all of 180 Solutions' source code, so the objective validity of the "trade libel" claim can be tested. (Truth is an absolute defense to libel under US law.) Then, they'll want to depose key programmers under oath. 180 Solutions has some unpleasant disclosures coming up.

    Zone Labs is owned by Check Point Software, which had income of $280 million on revenues of $500 million last year. They can afford litigation.

  • by merc ( 115854 ) <slashdot@upt.org> on Monday December 05, 2005 @06:45PM (#14189165) Homepage
    Notably, attempts to connect to 180Solutions' servers were made while performing a sign-on to the blogger's hotmail account.

    It seems that it might be valuable research to take the logging to the next level. Specifically, he should set up a packet sniffer, either on the host itself or on the host's subnet and monitor the payload of the spyware packets as it calls home.

    Not only would it prove interesting information to write about on his blog, but couldn't this, then, be definite proof that malevolent monitoring is actually taking place? It also seems to me that he should be called as a technical witness in the civil case against ZA.

    In addition, armed with this information it might be fun if someone in the community wrote a distributed application that would poison 180Solutions (nonexistent) databases with bogus data.

    *grumblecakes*
