Thanks for the info scotterpops...

seems its a never ending battle to stay above it all...first i find an infected computer than i hear ZA doesnt work and then i see another post that says none of my avs work...boy what a day..

Vitalt

Useful Team Info

Scotter. You stated:

Presumably, something didn't load correctly during boot-up. When I rebooted, and every time I've tested it since, ZoneAlarm passed the LeakTest with flying colors.

A few days ago, I checked my event log and found a few errors for ZA initiated right after boot up. I rebooted and checked again and the errors failed to appear. So as a practice, I now check the Event log each time I boot (thankfully with XP it's not that often) and if I find an error, I will reboot. So far I've only seen this behavior twice and have not persued it other than to reboot. Maybe this will be cleared up with the release of version 3.0.

Just another reason to practice safe computing and not wholy rely on ANY software.

I may own a pistol for home defense, but I still lock my doors. Same principal applies here.

>Just another reason to practice safe computing and not wholy
>rely on ANY software.
>
>I may own a pistol for home defense, but I still lock my
>doors. Same principal applies here.

Couldn't agree more!

The TooLeaky test shows that, if not backed up by safe practice, most security utilities are pretty much useless.

I have tried to exploit the leaks, but the leak test passed every time with flying colors.I do think that ZA will take a look at some of the findings,and try to do something about the program to make it even more secure.Tuff

An alternative leak test (which will also work with PF's other than ZAF/ZAP) can be found here:-

http://tooleaky.zensoft.com/tooleaky.exe

(I'd be interested to know if anyone's PF passes this test!)

Oops ... I meant to post the URL for the site rather than just the download. Here it is:-

http://tooleaky.zensoft.com/

>Of course, Internet Explorer is no more of a 'threat' in the hands of TooLeaky than it is under normal >circumstances.

Not quite right. Here's an extract from the information provided in TooLeaky's source code:-

This program will penetrate every firewall currently on the market that
claims to offer "outbound" protection, because it does not send or receive
data itself. Instead, it uses a hidden Internet Explorer window to do it.
And, of course, everybody allows Internet Explorer to send and receive data,
otherwise using the Internet would be a big pain in the you-know-what.

This program does two things:

(1) Transmits the string "PersonalInfoGoesHere" to Steve Gibson's web site.
(2) Retrieves a string back from Steve Gibson's web site, stored in the
<TITLE></TITLE> section of a web page.

For a programmer to use this method generically in their application, they
would simply need to replace the URL in this program with a URL from their
own site, change the outputString from "PersonalInfoGoesHere" to any
information they would like to transmit, and then set up their web server to
return the information they would like to retreive in the <TITLE></TITLE>
block of their page (the first few characters of the title are used as a
unique identifier so this program can find the window, since it doesn't
bother to keep track of the hidden IE window when it's first created). And of
course a programmer could repeat this process to transmit or receive as much
data as they'd like, or use the methods outlined in the code to send or
receive LARGE blocks of data in one fell swoop.

Agreed. But, alas, not everybody realises the importance of such actions. One of my gripes about PF products is that they DO tend to lull people into a somewhat false sense of security. There was a thread a short while ago in which somebody asked whether there was a need for them to use a PF on their computer. The answer given was simply, "yes". IMHO, the answer should have been, "Yes, but first do X,Y and Z otherwise the firewall will be useless." TooLeaky maybe proves this point.

I don't understand the techie stuff, but there's an aspect to Toolkey and the like that doesn't seem to get mentioned much. First you have to download it, then you have to run it - I mean, come on ...

I agree. Those tests always require our help to prove we have inferior stuff. How convenient. Kind of like a thief asking me for my house keys and then telling me my door is open once I've handed him the keys to use.

I think I disagree ... What they show is a weakness in Windows for allowing something to take over IE. I'd be curious if the same sort of thing would work with Linux.

Yeah, I had Toolkey on my mind because that's the one that seems to raise alarms the most, and it was mentioned here (and it's not the firewall's fault if Windows allows your browser to be hijacked.) As to the others, failing leaktest is a fluke (makes you wonder though,) the click through thing failed on mine (because it's specific to ZA which I don't use?) so I forgot about it as just another silly bit of fluff, and the Mutex thing is over my head. As I understand it, it's a Windows exploit that targets ZA - so it's Windows' problem (since NT/2K is immune it has to be a Windows thing it seems to me.) There's an NT vulnerability as well where winsock can be shut down, but I don't know the relevance of that in this discussion, but again it's a Windows thing.

You're right about the user involvement though. But, what chance does the user have besides being utterly paranoid? My dental hygienist (been seeing her exclusively for about 10 years,) who has had a computer much longer than me, recently asked me about a "fire alarm" because someone told her she needed one. She also said something about having two worms, and how she needed to replace McAfee. I said something about keeping her AV updated, and she replied, "Updated?"

The fundamental point I think is that firewalls are just like everything else, a tool. They certainly don't make you immune, and it would be nice if their marketing reflected this a bit more. I also don't understand the popularity of ZA. It's no better than Outpost or Tiny, and I'd rather use either of those alternatives. Maybe it's like a Windows thing ... ZA gets targeted more because of its popularity.

>I don't understand the techie stuff, but there's an aspect
>to Toolkey and the like that doesn't seem to get mentioned
>much. First you have to download it, then you have to run it
>- I mean, come on ...

How do you think viruses spread?

Exactly the point. Those in the know are suspicious of anything that has to be downloaded and clicked on. Viruses are spread by incompetent users who click on anything willy nilly and who think an Anti Virus is a flu shot. }>

Like many other items that come to mind a computer is just another tool and is only as good as the operator. Using a tool efficiently requires practise and familiarization with its powers. That's why I began frequenting this forum. Sadly the same person who would not dream of starting up a brand new power saw because of the noise and potential danger, tends to not give a second thought to sitting down at a PC without reading a manual or software installation instructions when they want to install something etc. etc........

I find it quite frustrating how difficult it is to try and teach friends the importance of keeping Anti Virus definitions up to date. I mean how hard is it to check for updates daily? These then are the very same people who complain incessantly about the computers poor performance or odd behavior or call the Anti Virus program inefficient when all the while they did not do their part to protect themselves and have as a result become host to the latest virus, worm or whatever.

As others have said many times the best defence against viruses and other undesirables is US.

Shit, now I have to go re-do my ftp rules.

I'm not suggesting such tools be ignored however I am suggesting they be taken with a grain of salt. The one you posted did in fact make ZA pop up a box but also made ZA crash. The one about the mutex test happens to be one that I ran across many months back and I posted about it as I was concerned that ZA had been compromised and at the time Alex pretty much chided me for giving credence to a test that required my help. I am assuming nothing has changed since then? If it has I missed the post.

>I'm not suggesting such tools be ignored however I am suggesting they be taken with a grain of salt.

;~* ... Scotterpops

Yes I copy that.

> And, of course, everybody allows Internet Explorer to send
>and receive data,
> otherwise using the Internet would be a big pain in the
>you-know-what.

Funny you should mention this... IE is the only program for which I have permanently revoked internet access! A lot of my emails started generating pop-up windows -- which I find incredibly annoying and invasive -- and oddly enough, they were all in IE. But since I don't use IE, I got the pleasure of waiting through the program launch before I could manually reject the attempt at internet access. Granted, revoking access only removes the last step... but it made the whole process go remarkably faster.

As for the "necessity" of IE... if a site can't be viewed in Opera or Netscape, I don't need to go there. I can only think of two reasons to code a site IE-specific: laziness or snoopiness. (I usually try not to be so strongly worded about my opinions on here, but browser exclusiveness is one of my pet peeves!!) Anyhow, thanks for giving me another reason NOT to use IE! (as if I needed one LOL)

I routinely block port 80 out for email, I'm guessing that would kill your popups, if you don't mind losing the ads.