ZoneAlarm phoning home

Craig

Fwiw;
Last fall, InfoWorld Senior Contributing Editor James Borck
discovered ZA 6.0 was surreptitiously sending encrypted data back to
four different servers, despite disabling all of the suite’s
communications options.
and...

Zone Labs denied the flaw for nearly two months, then eventually
chalked it up to a “bug” in the software -- even though instructions
to contact the servers were set out in the program’s XML code.

<http://www.infoworld.com/article/06/01/13/73792_03OPcringley_1.html>

The Inquirer's take on it:
you can work around it by adding:

# Block access to ZoneLabs Server
127.0.0.1 zonelabs.com

to your Windows host file.

http://www.theinquirer.net/?article=29157

-Craig
 
Kerodo

I'm puzzled by this...
Afaik the HOSTS file is only read in by your browser when it's loaded.
If that's the case, adding a line "127.0.0.1 zonelabs.com" wouldn't
prevent ZA from calling home when it felt like it.

If anybody can add anything more to this, I'd appreciate it.

I'm not sure, but I thought that an entry in the HOSTS file just keeps
Services.exe (win2k) or Svchost.exe (XP) from doing DNS lookups on that
address/item, thereby effectively blocking it. So it would work for any
software trying to resolve the address.
 
Craig

Kerodo said:
I'm not sure, but I thought that an entry in the HOSTS file just
keeps Services.exe (win2k) or Svchost.exe (XP) from doing DNS lookups
on that address/item, thereby effectively blocking it. So it would
work for any software trying to resolve the address.
The /first/ place the os looks to resolve an address is in the hosts
file. Failing that, it'll ask the DNS of record. Whether that's your
browser or other (read: ZA) app.

The Cringely article asserts:
the instructions to contact the servers were set out in the program’s
XML code.

I'd be interested if someone in this group can verify this (v6.0).

tia,
Craig
 
Kerodo

The /first/ place the os looks to resolve an address is in the hosts
file. Failing that, it'll ask the DNS of record. Whether that's your
browser or other (read: ZA) app.

Ok, fine, then that makes sense. The system looks to the HOSTS file
first to resolve the address and finds out that the zonelabs site is
127.0.0.1, which then effectively directs it to nowhere (localhost).
Problem solved..
 
hummingbird

Ok, fine, then that makes sense. The system looks to the HOSTS file
first to resolve the address and finds out that the zonelabs site is
127.0.0.1, which then effectively directs it to nowhere (localhost).
Problem solved..

Looks like it. I'm updating my HOSTS file as I write...
Thanks guys.
 
Aaron

What if the dns record is already cached?

Ok, fine, then that makes sense. The system looks to the HOSTS file
first to resolve the address and finds out that the zonelabs site is
127.0.0.1, which then effectively directs it to nowhere (localhost).
Problem solved..

Honestly, if you don't trust the security software you use, you are better
off ditching it.

Let's hope ZA doesn't change the way it phones home, by hard coding the IP
address next... Among other sneaky things it can do.
 
David

What if the dns record is already cached?
Please reread the first paragraph.
Honestly, if you don't trust the security software you use, you are better
off ditching it.

Let's hope ZA doesn't change the way it phones home, by hard coding the IP
address next... Among other sneaky things it can do.

That can also be negated by use of the HOSTS file. Just insert the
address in place of the hostname.
--
David
Remove "farook" to reply
At the bottom of the application where it says
"sign here". I put "Sagittarius"
E-mail: justdas at iinet dot net dot au
 
elaich

LOL. I have been posting that I suspect ZA of being spyware for several
years. Before this, I was only laughed at.

What does it take to wake people up?
 
Gary R. Schmidt

elaich said:
LOL. I have been posting that I suspect ZA of being spyware for several
years. Before this, I was only laughed at.

What does it take to wake people up?
If you post a packet trace which shows ZA sending user data somewhere,
and it's not just asking the ZA server if there is a new version, and
you post the instructions on how to do it, _and_ someone else can
reproduce your data, then you will be taken seriously.

Just saying "I suspect ZA is spyware" is pointless.

Note that I do not recall you mentioning this before in acf. Which
doesn't mean you haven't, I've just not seen it.

Cheers,
Gary B-)
 
elaich

Dude, we're still laughing.

Laugh all you want. The people who were laughing at me for telling them not
to trust Outlook Express were the same ones crying the blues when they got
hit with the Sasser worm. Guess who laughed last (and was safe from the
worm?)
 
Azzman

elaich said:
Laugh all you want. The people who were laughing at me for telling
them not to trust Outlook Express were the same ones crying the blues
when they got hit with the Sasser worm. Guess who laughed last (and
was safe from the worm?)

People using win98 ?
 
Aaron

That can also be negated by use of the HOSTS file. Just insert the
address in place of the hostname.

Huh? I must be misunderstanding what you are saying. Are you saying that
adding the following

127.0.0.1 208.185.174.44

Would block apps that connected to that site even if it connected directly
without going through domain name resolution?

That's not correct, since the HOSTs file is only used if you need to
resolve the dns to an ip address. If it already has the ip address, the
host file isn't consulted.

Just to be sure I tested it with an application that connected directly via
IP addresses, the hosts file didn't block it.
 
David

Huh? I must be misunderstanding what you are saying. Are you saying that
adding the following

127.0.0.1 208.185.174.44

Would block apps that connected to that site even if it connected directly
without going through domain name resolution?

That's not correct, since the HOSTs file is only used if you need to
resolve the dns to an ip address. If it already has the ip address, the
host file isn't consulted.

Just to be sure I tested it with an application that connected directly via
IP addresses, the hosts file didn't block it.

My apologies for misleading people. I was under the impression that
behaviour happened.
--
David
Remove "farook" to reply
At the bottom of the application where it says
"sign here". I put "Sagittarius"
E-mail: justdas at iinet dot net dot au
 
Azzman

elaich said:
No, people using Eudora.

I was using OE on win98 at the time, didn't laugh, didn't cry either.
Still very content with OE as my email-client on win2k, preview off, common
sense on.
 
hummingbird

Huh? I must be misunderstanding what you are saying. Are you saying that
adding the following

127.0.0.1 208.185.174.44

Would block apps that connected to that site even if it connected directly
without going through domain name resolution?

That's not correct, since the HOSTs file is only used if you need to
resolve the dns to an ip address. If it already has the ip address, the
host file isn't consulted.

Just to be sure I tested it with an application that connected directly via
IP addresses, the hosts file didn't block it.

Ah!, so if the ZA IP address is somehow hardcoded into the application
it might by-pass the HOSTS altogether.
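
Added example, not written by any poster in this thread: a small Python model of the lookup order discussed above (hosts file first, then DNS), showing that an IP literal never reaches the hosts file and that a hosts line with an IP address in the name column matches nothing. The function names, `STUB_DNS` and the 192.0.2.10 answer are constructed for illustration; the model assumes exact-name matching and ignores resolver caching.

```python
import ipaddress

# Constructed hosts-file text: the workaround line quoted in the thread, plus
# the IP-in-the-name-column line that was tested above and blocked nothing.
SAMPLE_HOSTS = """\
# Block access to ZoneLabs Server
127.0.0.1 zonelabs.com
127.0.0.1 208.185.174.44
"""
# Constructed stand-in for real DNS answers (192.0.2.10 is a documentation address).
STUB_DNS = {"zonelabs.com": "192.0.2.10", "www.zonelabs.com": "192.0.2.10"}

def parse_hosts(text):
    """Return {name: address}; comments are stripped, first entry for a name wins."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table

def is_ip_literal(target):
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False

def connect_target(target, hosts, dns):
    """Return (address, source) for what an application ends up connecting to."""
    if is_ip_literal(target):
        return target, "literal"      # no name lookup, hosts file never consulted
    name = target.lower()
    if name in hosts:
        return hosts[name], "hosts"   # hosts entry answers before any DNS query
    if name in dns:
        return dns[name], "dns"       # names not listed exactly fall through to DNS
    return None, "unresolved"

def dead_entries(hosts):
    """Hosts entries whose 'name' is an IP address: no lookup will ever match them."""
    return sorted(name for name in hosts if is_ip_literal(name))

if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for t in ("zonelabs.com", "www.zonelabs.com", "208.185.174.44"):
        print(t, "->", connect_target(t, hosts, STUB_DNS))
    print("entries that block nothing:", dead_entries(hosts))
```

Blocking a hard-coded address therefore has to happen at the packet level (a firewall rule on the destination IP), not in the hosts file.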
 