Cringely's FUD-spreading leads to broken workarounds being suggested
From: "Dave Korn" <davek_throwaway () hotmail com>
Date: Thu, 9 Feb 2006 16:51:25 -0000
[ For those who are getting bored and would like to know something
interesting, there is some actual technical and security-related ON-TOPIC
content toward the end of this post! ]
Ivan . wrote:
nice personal attacks, a great display of your intellect.
I have little patience with anyone who repeatedly misrepresents what I
have said and then proceeds to throw strawman arguments at me.
You were the one who started with the patronising comments to "read the
article again Dave" as if I was some kind of idiot who couldn't see what was
in front of my eyes, but you then posted a link to a /different/ article
which was by someone else, because the article that you originally posted a
link to, and to which I was responding in my first post, had all the
failings that I described of it, and did not have the evidence that you
claimed it did.
And you know, just because you posted a link here, and I posted something
critical of that article, doesn't mean you should react as if I was
criticising you, but you jump down my throat with a patronising and
emotional overreaction. Stop being so precious.
My first post in this thread claimed that Cringely was spreading
FUD, and had provided no evidence to back up his claim.
No your first post was this
Without seeing the content of these packets, I don't see how
Cringely can claim to know whether there's anything spyware or not
about it. There is no *evidence* for his claim. I'm always
suspicious of people who claim to have observed 'spyware phoning
home' but who are then completely unable to give any details about
the contents or destination of the packets, since it means that they
are claiming something that they don't actually know at all.
I don't understand why you don't see that that paragraph is accusing him
of FUD-spreading. What else is FUD but vague and unproven accusations of
His only claim was that zonealarm "phones home" even when all the
communication options are disabled. I can't find any claim of spyware
as you indicated.
Well, you and me clearly read differently. You can't find any claim of
spyware. Yet the article is titled "A perfect spy". He describes ZA's
perfectly ordinary auto-update function (which is in no way any different
from any other auto-update function in any other 'net-enabled application)
as "surreptitious" and "encrypted", and he ends with this throw-away line
about how "there's no truth to the rumor that the NSA used ZoneAlarm to spy
on U.S. citizens", when nobody has in fact been spreading any such rumour.
To me, it's perfectly clear that he is spreading FUD. Cringely is a
journalist, a professional wordsmith, and he chooses his words carefully and
deliberately according to the meaning he wants to convey to others. If he
titles the piece "A perfect spy", it's because he wants to raise suspicions
of spyware in the backs of people's minds. If he describes the
communications as "surreptitious", it's because he wants you to think that
steps have been taken to deliberately conceal them. If he refers to a
rumour that never existed, it's because he wants to start one.
Please consider the article carefully. Cringely doesn't claim to have
discovered this himself, he is reporting at second-hand what he was told by
one of his colleagues. He then enhances and elaborates on that report with
innuendo and hyperbole, and gives not even the basic details to back up the
claims he is making. I think that's a perfectly reasonable thing to
describe as FUD and rumour-mongery. I note that his colleague has been
keeping his head down in all this and not making any exaggerated claims.
His claim of a phone home bug has been vindicated by
Zonelabs/Checkpoint's response to the list and the admission of the
Once more you raise this strawman. We all know there's a bug in the
auto-update. That is not under debate.
Like I said before, it's up to the people on the list to decide if
this is an issue for them or not. Not for an arrogant fool like you to
force his opinion onto people.
See, there you go missing the point again. I'm talking about whether
Cringely is making unsubstantiated claims and spreading FUD, and you persist
in misrepresenting what I'm saying as being about whether or not ZA does or
doesn't phone home and whether or not that matters to other people. That is
NOT what I'm saying, it's something that _you_ have misinterpreted.
[ ON-TOPIC bit begins here ]
And know what? If you are as concerned with letting people make their own
minds up whether it's an issue or not, and what to do with it, then it would
be logical for you to want to see full details of what it is that is
actually being claimed. This partial report is bad for those people,
because the inaccuracy/lack of detail makes it harder for them to make that
judgement for themselves, since they haven't been given sufficient
information. It is as a *direct* result of his (Cringely's) failure to show
packet logs and give the necessary details to substantiate his claims, that
people have been misled into using that bogus workaround that the guy from
The Inq. posted. Remember that link you gave a few posts back?
The company says it will fix the "bug" soon. In the meantime you can work
around it by adding:
# Block access to ZoneLabs Server
to your Windows host file.
See, if Cringely had posted packet dumps, or indeed any information at
all, everybody would have known that that workaround is no good. After all,
one glance at the packets, and everyone would have known in an instant that
the actual DNS name it looks up is "update.zonelabs.com", and adding an
alias for "zonelabs.com" will FAIL to protect you in any way.
Vital information that. But because of Cringely's poor standards, nobody
knew it. This is at the heart of my complaint against Cringely and at the
heart of the debate over full disclosure: without full information, people
are unable to make informed decisions about the security issues that might
or might not affect them.
go ride your high horse over to letters () infoworld com
You posted a link to an article here, so here was where I thought was a
reasonable place to discuss the article and the issues raised by it, and in
particular how they relate to security reporting and disclosure.
Can't think of a witty .sigline today....
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
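
[ Added example, not part of the original post or of any vendor's code: a
check of a hosts-file workaround against the DNS names actually seen on the
wire, showing that an entry for "zonelabs.com" leaves "update.zonelabs.com"
untouched. The hosts text is constructed and the 127.0.0.1 address is an
assumption; the function names are hypothetical. ]

```python
# Hosts-file entries override exact names only; there is no suffix or
# wildcard matching, so a parent-domain entry does not cover a subdomain.

# Constructed sample; the 127.0.0.1 address is an assumption.
SAMPLE_HOSTS = """\
# Block access to ZoneLabs Server
127.0.0.1   zonelabs.com    # constructed entry for illustration
"""


def normalize(name):
    """Lower-case a DNS name and drop a trailing root dot."""
    return name.strip().lower().rstrip(".")


def parse_hosts(text):
    """Return {hostname: address} from hosts-file text.

    Each non-comment line is an address followed by one or more names;
    anything after '#' is a comment.
    """
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only, or address with no name
        address, names = fields[0], fields[1:]
        for name in names:
            # Keep the first entry seen for a given name.
            table.setdefault(normalize(name), address)
    return table


def uncovered(hosts_text, observed_names):
    """List observed DNS names that the hosts file does NOT override."""
    table = parse_hosts(hosts_text)
    return [n for n in observed_names if normalize(n) not in table]


if __name__ == "__main__":
    # The name the post says is visible in the packets.
    observed = ["update.zonelabs.com"]
    for name in uncovered(SAMPLE_HOSTS, observed):
        print(f"NOT blocked by hosts file: {name}")
    fixed = SAMPLE_HOSTS + "127.0.0.1   update.zonelabs.com\n"
    print("still uncovered after adding exact name:", uncovered(fixed, observed))
```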