
 | reply to pgm18
Re: Steve Gibson - All Bent out of Shape?? I don't think that was what Steve wants at all. I think the point is that the user needs to understand that if you are contacting a site such as "Shields-Up" you are going to have log entries show up in your log. With the many folks who are and have been using shields up, Steve, as well as his ISP, have been hit pretty hard by e-mails claiming that his IP has been attacking folks. I think what Steve is asking for is a pop-up of some sort asking the user something like "The IP you are about to report is xxx.xxx.xxx.xxx, and is a known Security/port probe scanning site. Are you sure you wish to report this event?". Many of us know to expect log entries when we have our IP scanned for weakness, however many, mostly new folks, may not realize that they are reporting an attack that they themselves put in motion by having their ports probed by sites such as Shields-up. I think this problem is compounded on Steve's site since most people just getting a taste of what security is are the ones who are more than likely issuing these e-mails claiming an attack. | |  Zhen-XjellProlific BunnyPremium,VIP,ExMod 2001-04 join:2000-10-08 Bordentown, NJ | And I think you have just summed that up wonderfully rhaverly. | |  rtoday join:2000-11-05 California | reply to Anon I retract and have edited out my previous remark based on my own ignorance of the situation.
Steve - I laud you for jumping into the firepit with the knowledgeable leaders and moderators at DSLR! Your willingness to publicly address these issues is most admirable. Thank you. | |  justinAustralian join:1999-05-28 New York, NY kudos:7 Host: IPv6 Business Connectiv.. Console/Handheld g.. Home/Office setup .. Photos of Broadban..
| reply to 2kmaro We get security complaint emails often due to the scan tools here. Our data center passes them on, and we generate an almost form letter reply which closes the ticket. They are almost always cut/paste from a zonealarm or norton log analyzer of some sort.
What is very irritating is that many of these log checks or logs convert port numbers to "suspected virus names", thus causing users to also send angry emails "why did you send me NetBus" (my emphasis).
I can only hope that patient replies to the users of these programs will filter back to the authors and pressure them for change. Unfortunately they are in the business of hyping security logs, so this might take a long time and a lot of pressure. | |  MontyL3 join:2001-02-28 Maple Falls, WA | reply to 2kmaro Steve's point was wasted on the wrong people... His ShieldsUp site should let the user know and understand that "attacks" will be made on their machines during the tests. Telling them the range of addresses used for the attacks would possibly be hazardous to Steve's own security but... for his own sanity he should.
C'mon, Steve... hammering on Brady was inexcusable and quite unprofessional. Educate your site users instead. | |  EmilioGWhats This?Premium join:2000-09-19 New York, NY | reply to rtoday Ultimately, like others, I believe that the solution to all this lies with the end user. Properly informing the users of Shields-Up and all the analyzers should go a long way to alleviate people's fears.
Thank you Steve Gibson for replying to us here and giving us your side of the story. And I'm glad to see the tone has changed in this thread from the first two pages.
I wouldn't want to see any IP range hard coded into any of these analyzers for obvious reasons, so I hope that education of the ignorant will resolve this. Mr. Gibson, are you planning on posting a notice at your Shields-Up web site to address these false reportings? Maybe a warning of some kind explaining the "attacks" and how to react to them?
I don't use any of those log analyzers because they create a lot of paranoia. And since I'm not an expert at even understanding these log results, I don't bother. It would be a waste of my time unless there was some serious breach like my machines being used by a Trojan to infiltrate others. As long as I'm doing all I can to secure my computers, I sleep just fine at night.
Justin makes a very good point in his above Post. Better to examine this whole issue with clear heads and find a resolution than to argue something without all the facts.
Hopefully, Steve Gibson and Ben Brady can come to a professional understanding. You don't have to be "Pals" but colleagues working together for the good of everyone. Aren't all these analyzers and ShieldsUp probes and the like meant for the end user's good? Make the sacrifice guys. | |  Zhen-XjellProlific BunnyPremium,VIP,ExMod 2001-04 join:2000-10-08 Bordentown, NJ | reply to MontyL3 said by MontyL:
C'mon, Steve... hammering on Brady was inexcusable and quite unprofessional. Educate your site users instead.
I'm not so sure about that. Telling Steve to pay $20 big ones isn't exactly professional either. | | |
|  CJ join:2000-07-18 USA | reply to MontyL3 Maybe I was wrong in my first impression of Steve. I don't know.
But you say hammering on Brady, like that's what he was doing publicly. Steve stated the emails were private, and Brady still wants to talk to his lawyer.
His lawyer will tell him to get a life. There was no public defamation of any sort.
The fact that BlackIce is only half of a firewall at best, is a fact. Why anyone would pay for half of a product is beyond me. But that is another subject.
To get back to my response to MontyL.
It seems that Steve only went public after Brady posted his one-sided story in a newsgroup. Not once was $20,000 mentioned. IMO, that gives Brady a "STREET PUNK" mentality.
I do agree that Steve should put up warnings on his site about the "Attempts" it will make on your computer.
Steve, you need to talk to your attorney, or your ISP's attorney and see what action you can take. I believe what Brady's actions are doing is causing an undue burden on your company, and anything that might be considered slander in his posting.
All in all, the bottom line is Brady needs to do a lot of improving to his products, and Steve needs to make his users be aware of the "attempts". Then maybe we can all play nice together. | |  Anon | I still stand behind my view, but Thanks Steve for taking time out of your busy days. | |  gwionwild colonial boyPremium,ExMod 2001-08 join:2000-12-28 Pittsburgh, PA kudos:1
| reply to 2kmaro Well said, Steve. Your replies reassure us that you are quite human, and do have the best of intentions, which I've never doubted. Certainly, having heard the full story, I can see that you have every right to be irritated with the nature of the reporting utility, as a security service purveyor, as well as to be frustrated by falling victim to the erroneous reports.
Sometimes we need to see the human side of our helpers on the other end. Your posts went a long way to sending that positive message to us. Again, it is evident that you took a lot of time and care responding clearly and in some detail to everyone's concerns. Thank you most kindly, and thank you for your ongoing support of users who need a clear, elementary explanation of security. I trust that you are, in fact, committed to improving and expanding your educational materials, and wish you well, in that regard.
To design a firewall reporting utility with built in autoresponder capability, aimed at the novice, which does not clearly and carefully explain, in a well written helpfile, an online support page or elsewhere, the basics of how the information should be analyzed by the user, and what constitutes an "attack" in a normal implementation, is not a responsible thing to do. To couch the autogenerated reports in reactionary, accusatory tones is even worse. It not only has the potential of misrepresenting the true situation to an ISP, it reinforces a reactionary, erroneously paranoid response and attitude to every "knock" at the door. Thinking about it, I simply can't imagine encouraging amateurs to report every single coincidental "hit"... it creates a stream of e-mail that ultimately makes legitimate complaints sound like a boy crying wolf, again, to the ISP's, and gets all reports from that software "blacklisted" at ISP security departments, eventually.
It's far more important to educate the user to recognize threats, and to implement rational, responsible safeguards to protect themselves from actual attacks. As I've repeatedly stressed, most of us "commoners" have a GREAT deal more to fear from trojans and virus code than from a skilled cracker targeting us directly; that doesn't mean it never happens, but we should recognize that, for the most part, a hit on our ports, unlike one at Microsoft or the DoD, is probably a port scanner trolling for victims, at worst, and a misdirected request, at best.
Yes, there are wolves in the woods. But the appropriate response is to learn as much as we can, within reason, and to implement rational security measures on our end. When we do get hit, the correct response is to keep a clear, level head, especially if our security measures have succeeded in protecting us. An actual penetration is pretty damning evidence, but a port hit can have many explanations... sort through them, in your mind, before resorting to wild eyed panic - which accomplishes nothing.
Steve, continue to do your best to provide good information to the people who need it most, and best wishes in the effort. Keep it straight, simple, non-reactionary, rational and even a little entertaining... education is the single best weapon we have against computer misusers, and reactionary tactics only dilute the effort, promote ignorance, and erode the credibility of legitimate complaints. Keep on providing good info, and thanks for your response. And, do... take care to present yourself with a balanced attitude. I realize that your site is intended for people who may not have access to or understanding of more "advanced" sites, so I suppose that some of the "hyperbole" is necessary to drive home the point to the target audience... but too much hyperbole can have the effect of making the presentation sound a little like a marketing presentation, or result in an unnecessary attitude of over paranoia... in essence, a hyperbolic presentation of risk can, however coincidentally, actually encourage precisely the reactionary response, in an unskilled user, that leads to hasty, overzealous responses to perceived threats. Best wishes. -- Man will occasionally stumble over the truth, but most times he will pick himself up and carry on. - Sir Winston Churchill [text was edited by author 2001-03-05 12:35:45] | |  2kmaroThinkPremium,ExMod 1 BC join:2000-07-11 ColossalCave | reply to CJ cestepp - good points and you provide a good lead in to this:
Wildcatboy had never seen Brady's ClearZone product, during all of this he downloaded a copy and compared it to ZoneLog Analyzer. To pull a Brady, I'll quote part of his IM to me about his impression: "It's a Mickey Mouse program ..." and compared to ZoneLog Analyzer, I completely agree. If ClearIce and ClearGuard are much the same, then they aren't full featured products either (as compared to ZLA).
Steve Gibson had not heard of ZoneLog Analyzer until visiting this forum and this thread. Since that time, instead of waiting for ZLA's author to contact him, Steve contacted Matt!! I received email from Matt this morning telling me of it and he is very pleased with the initial contact, and it appears that Steve Gibson "approves" of ZLA - at least he is more favorable to it than ClearZone!
I'm going to try to go ahead with efforts to build a ZoneLog Analyzer look-alike for BlackICE Defender and hopefully WinGuard also. Somehow we'll make those freebies for any who want them. And once that's done, Matt (of ZLA) may work with me to incorporate all three front-ends into a single product that can handle all three log formats from a single application. Matt has already approached me on that one. Looks like my evenings and lunch hours will be spent somewhere other than at DSLR for a while.;)
One comment to JoWazzoo - most people visiting the DSLR Security forum realize by now that most of the probes they see coming at known Trojan use ports are from infected systems, not master hackers. Reporting those DOES do good because it helps get infected systems cleaned up. Most ISPs I've dealt with a few hundred times have indicated that they have taken action on those, and I know some have because myself and others have received very specific (non form email type stuff) telling exactly what happened and what was done. An educated report of abuse works wonders at times. | |  pgm18Fishing ForeverPremium join:2001-01-19 Destin, FL | reply to rhaverly Hello, I think you would find this whole issue resolved if all port scanning services were to warn people that their security reporting software will issue an alert. This can be easily done in bold red letters at the start button. Also I still feel that Steve is never going to resolve his problem of people reporting to his ISP. Especially if the new product scans systems autonomously. That's just asking for more trouble? Especially if a problem like this has caused so much confusion. I certainly do agree with Steve about the way Ben's product produces its complaints. That's just not acceptable! And I believe that Ben will see that and correct it himself. After people become more educated in respect to how it performs. There is a lot of competition out there for security products. As far as Steve goes I don't ever remember having to pay anything for his efforts in this technology. And praise everything he has done to enlighten us on the dangers of the internet. If Steve wanted to he could charge just like DSLR for his services. I just wanted to make myself clear on the last post. I don't have the answers for these problems this is just my point of view. Thank you Steve for your efforts and DSLR for a place where intelligent people can talk about these issues.
-- pat | |  sadowskiI Am My Own DoppelgangerPremium,MVM join:2000-04-14 Buffalo, NY | reply to Anon said by SteveGibson:
Notice that it's NOT "Source IP" "Source Port" "Destination IP" and "Destination Port" ... instead it's "Intruder" and "Victim".
You got me with that one. At first, I said to myself, "Well, this is a consequence of what he does so he has to live with the email." but if the program is declaring an attack or intrusion or other untoward activity then it's the writer who must take responsibility because he is making an affirmative statement about intent. That is, it's now a specific tool for intrusion detection, not just certain types of network activity, and his program is failing to do what it apparently intends by not distinguishing between benign activity and intrusion/attack. quote:
I believe that Ben's program irresponsibly places a too-powerful eMail address lookup and generation tool into the hands of someone who is not sufficiently aware of its proper use.
That's probably somewhat true, but language like that always scares me. Who is responsible for that big powerful engine that automaker X sells, the driver or the maker? I don't want to see tools banned or dumbed down to the level of the lowest common user. Imagine extending that to say the simple email filters (which apparently BlueMoon did with MS's OE) that most clients have. Tools need to be protected. I hope you guys can work this out. It does sound like something that should be easily resolved by the parties involved if they both want to. | |  2kmaroThinkPremium,ExMod 1 BC join:2000-07-11 ColossalCave | reply to pgm18 pgm1 - clarification: Steve Gibson will be charging for the nanoprobe service. He has already stated that in the 'press releases' about it at his site. | |  gwionwild colonial boyPremium,ExMod 2001-08 join:2000-12-28 Pittsburgh, PA kudos:1 | reply to 2kmaro Well said. I would actually prefer users to write their own reports, though, rather than rely on autogenerated responses, especially from a "lightweight" program. It's very simple to come up with a polite, non-inflammatory "template" to store in your mailer for those incidents that just NEED reporting. One of the upsides to this is that the ISP will take it a LOT more seriously, and might even, in my own experience, and, seemingly, yours, too, take time to send you a personal reply. For obvious reasons, a lot of security people just roll their eyes when they see obviously auto-generated reports, and not entirely without good reason. Again, rational thinking and education... we learn from our experiences; one of the side effects of the "MicroSoft" effect is to automate everything, and suggest that users don't need to understand the "magic box" on the desk... the result of that attitude is ignorance and fear, and those are our worst enemies. This has been an excellent thread. Thanks to everyone who has taken time to share their perceptions of this highly interesting, and educational, issue! 
And thanks to Steve Gibson, too, for including his side of the story. I remember during the late years of the Vietnam War, Art Buchwald once commented that he was a little disturbed at the thought of "dumb soldiers operating smart weapons;" on a whole, he opined, he would far rather have "smart soldiers manning dumb weapons." I think that's a very good metaphor to interject, here, and to close with. -- Man will occasionally stumble over the truth, but most times he will pick himself up and carry on. - Sir Winston Churchill | |  WildcatboyPremium,Mod join:2000-10-30 Toronto, ON kudos:2 Host: Security Product V.. Security
| reply to 2kmaro
That's good news 2K. I'm glad that both Matt and Steve had a chance to at least exchange ideas and hopefully this will continue.
I would also like to clarify something. As I mentioned before I did pick up Clearzone and the major problem with it is that it offers no explanation as to what those ports are and it also makes no effort in resolving the IP addresses to domain names so users won't see all the information they need to make an informed decision. I still don't believe that the software producer should block any IP addresses however they do have an obligation to produce better software. In the meantime I urge both parties to put warning signs on both sites and leave it at that. If Mr. Brady doesn't make an effort to improve his software so it can provide a better understanding of the whole process, it is obvious to me that he will lose his market to better products such as ZLA and newer ones to come.
I still honestly believe that there are annoying problems associated with any business, venture or hobby. We simply have to deal with them to the best of our ability and if others can help us reduce the level of annoyance, great and if not, well, that's the cost of doing business. I think by making sure that the IP addresses used for the shield probe have clearly identifiable domain names associated with them and by encouraging software that actually resolves those names before they generate a report, the problem can be addressed to a certain point. After all not many people would send a complaint email when they see the IP address is resolved to something like shieldprobe1.grc.com. Add to that the warnings on the web site and you are a few steps ahead in reducing those unwanted email messages. -- You can catch the Devil, but you can't hold him long. | |  | reply to 2kmaro said by 2kmaro: pchelp - The fact that the info has been 'one sided' has been noted elsewhere in this thread, please review this comment: »Steve Gibson - All Bent out of Shape??
Quite so.
Just getting familiar with the web interface here, I had read only the first page of commentary.
Just for the record, I think Steve has a point, though I think he may have proposed an imperfect solution. And I think Mr. Brady's create-a-stir tactics are reprehensible and utterly unproductive.
As I've said on comp.security.firewalls, I believe the right approach would be for Ben to add a means to categorize IP addresses and ranges as benign or probably-benign, so that "attacks" (I use the term almost sarcastically, it seems to be Ben's only term for a firewall log entry) from known scanning sites, perhaps one's own ISP, etc., can be visibly noted as such. It would be a service to users and a useful feature.
I would not like to see any utility simply ignore certain IPs.
pchelp | |  Anon | reply to 2kmaro Hey Folks,
Just a short heads-up to mention that I have immediately added the "expect entries to appear in your firewall logs and they are (obviously) not attacks" in the most prominent place I could (without wrecking the pages' balances). And it provides the two IP's which might appear. The notice is right there where the user agrees to the testing and states that they have the electronic "right of way" to probe their own machine.
I agree that this has been missing, so I'm glad to have added it, but I know people and I don't believe that it is going to make one bit of difference.
I'm enjoying an eMail exchange with ZLA Matt and I've just downloaded his product so that I can check it out and familiarize myself with it. Wildcatboy's feedback from encountering Ben's "Mickey Mouse program" (his words) helps to further differentiate these two offerings.
2k: Please *DO* pursue the development of the sort of utility you've been talking about. Pending my analysis of Matt's program, I intend to promote it strongly on my site and also to send a mailing to my half-a-million eMail subscribers so that everyone can gain the benefits -- and education -- it offers.
In the longer-term I *AM* going to create another entire "region" of my site for the express purpose of educating the growing number of Internet firewall users about the nature of what their logs contain -- as has been said here many times, and I completely agree -- education is the key. And all of these proper log interpreting utilities will fit there perfectly.
Finally, thank you -- everyone -- for providing me with the opportunity to explain my viewpoint. The change in the tone of this thread from before I was here, to after, clearly demonstrates the need for me to produce a formal public statement including a similar explanation on my web site. That's what I'm off to do now.
Best regards,
Steve. | |  webbot0My Little Devil join:2000-03-27 San Antonio, TX | reply to Zhen-Xjell I own most of those programs and have dropped them all. Put in a good router and quit being caught in the crossfire of confusion..:( -- Welcome to the Fold!! »Team Helix Remember we wouldn't dump you if your system crashed..:) | |  Anon | reply to 2kmaro To 'pchelp' ...
Perhaps you misunderstand what I was asking from Ben since, in his one-sided disclosure, he misrepresented what I was asking for: As I have posted many times over on USENET and also here, I am NOT asking that any IP's be completely ignored and "dropped", only that a known-benign IP be brought to the user's attention with a simple dialog box asking whether they are sure that they want to generate an "I've been attacked" eMail for a believed-benign security testing site, e.g. ShieldsUP! at grc.com.
It's what my software would do. It's what ZLA can do, and it's the RIGHTEST solution if someone is going to automate the production of "attack reporting" eMail. | |
|
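The approach several posters converge on (flag a known scanning source and ask before reporting, never drop the entry, and use neutral "Source"/"Destination" wording with bare port numbers) can be sketched as follows. This is an added example, not code from ZLA, ClearZone or any poster; the log format, the address ranges (documentation ranges used as placeholders) and all function names are assumptions.

```python
import ipaddress
import re

# Constructed allowlist: placeholder ranges for scans the user asked for.
KNOWN_SCANNERS = {
    ipaddress.ip_network("192.0.2.0/28"): "port-probe service the user ran (placeholder)",
    ipaddress.ip_network("198.51.100.7/32"): "own ISP security scan (placeholder)",
}

# Constructed log format: date time ACTION proto src:sport dst:dport
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)

# Constructed sample entries, including one unparseable line.
SAMPLE_LOG = """\
2001-03-05 12:01:10 BLOCK TCP 192.0.2.5:4021 203.0.113.9:139
2001-03-05 12:01:11 BLOCK TCP 192.0.2.5:4022 203.0.113.9:12345
2001-03-05 12:07:44 BLOCK TCP 198.51.100.200:1044 203.0.113.9:12345
garbage line that does not parse
"""


def classify(src_ip):
    """Return the label of the known-benign range containing src_ip, else None."""
    addr = ipaddress.ip_address(src_ip)
    for net, label in KNOWN_SCANNERS.items():
        if addr in net:
            return label
    return None


def triage(log_text):
    """Parse every line; keep all entries, flag known sources, count bad lines."""
    entries, skipped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        entry = m.groupdict()
        try:
            entry["known_benign"] = classify(entry["src_ip"])
        except ValueError:  # matched the regex but is not a valid address
            skipped += 1
            continue
        # Known sources are never ignored; they only require an explicit "yes".
        entry["needs_confirmation"] = entry["known_benign"] is not None
        entries.append(entry)
    return entries, skipped


def draft_report(entry, confirmed=False):
    """Build a factual report, or return None until the user confirms."""
    if entry["needs_confirmation"] and not confirmed:
        return None
    lines = [
        "Firewall log entry (observed fields only, no inferred intent):",
        f"Time: {entry['ts']}",
        f"Action: {entry['action']} {entry['proto']}",
        f"Source IP: {entry['src_ip']}  Source port: {entry['src_port']}",
        f"Destination IP: {entry['dst_ip']}",
        f"Destination port: {entry['dst_port']}",
    ]
    if entry["known_benign"]:
        lines.append(f"Note: source matches a known range: {entry['known_benign']}")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed, bad = triage(SAMPLE_LOG)
    for e in parsed:
        print(e["src_ip"], "->", draft_report(e) or "held: confirm before reporting")
    print("unparsed lines:", bad)
```
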