WARNING! - Firewalls are useless

what is the remedy?

Don't install any software that are known to have bad behaviour... find the alternative, collect information as many as you can, from a good and trusted sources.

Last but not least, You .. yes, you as the user .. need to be alert... and answer all the warning dialog windows correctly.

See my reply to Alphalutra1.

We're in agreement that firewalls (the top-tier ones, anyway) prevent hackers from gaining access to your computer from the outside. I knew that when I wrote my post, but I wanted a subject title that would attract attention. In retrospect, I should have added that well-designed firewalls do protect you from malicious incoming traffic.

I have no proof, but I highly doubt that ZoneAlarm comes preconfigured to allow Real to access the Internet. I'd bet my bottom dollar that any program could duplicate what Real does with ZoneAlarm.

Your point about password-protecting ZoneAlarm is well taken, but the password feature is not available in the free version.

Your suggestion regarding HIPS also has merit, but let's bear in mind that that's an external solution. It doesn't change the fact that there's an inherent weakness in firewalls.

Lastly, you're in error when you say that "[t]he OS portion of ZoneAlarm and the advanced component control all would stop any local code from commmunicating out to the world." If you know someone who has ZoneAlarm Pro (the free version doesn't have the OS portion and advanced component control that the Pro version does), ask them to install Real Player. (We're discussing a situation where password protection is NOT enabled. We're simply interested in seeing whether ZoneAlarm will allow Real Player to communicate to the world.)

In summary, I stand by what I wrote. While ZoneAlarm Pro has the capability of being made safe via its password feature, it's not available in the free version, and it's probably safe to assume that the vast majority of ZoneAlarm Pro users don't make use of the feature, because they aren't aware that it's there, or because they're not aware of its significance.

Firewalls are an effective and essential security measure, but no single program is a substitute for good security practices. Firewalls are not magic bullets, but only part of a suite of thing you need to do.

Quote: We're discussing a situation where password protection is NOT enabled. We're simply interested in seeing whether ZoneAlarm will allow Real Player to communicate to the world.

That right there is your problem. If you do not use passwords (and good ones) your computer is vulnerable. Period. This is not the fault of the people who write firewalls it is your fault.

There are ways to password-protect things like firewall configuration files, and you should be doing this anyway: Namely, your operating system will do it for you. You need to set up seperate accounts for every-day use and system administration tasks. Empower only the administrator to do things like install and change software. Make sure that things like your firewall configuration files and virus definition files belong to the administrator and are read-only for everyone else. That will prevent malicious script from changing them but still allow the scanner to use them while you are logged in as a normal user.

Of course, this is no magic bullet either. You must do everything else that goes with good security:

1. Keep your computer patched (probably automatic updates is not the best way to do this, BTW)

2. Run a good firewall

3. Install good virus, anti-spyware, and rootkit binary scanners and run them frequently (based on your level of risk)

4. Limit your computer's exposure to the internet, or if you must have it up all the time disconnect and reconnect periodically to get different IP addresses, or if you need a static IP then get an actual dedicated firewall computer to put between your computer and the internet (an old 486 will do).

5. Have seperate user and administrator accounts. Only use the admisitrator account to do administrator things (like install programs) and use the user accounts for every-day stuff (like playing games, office tasks, and surfing the internet).

6. DONT CLICK ON THINGS IF YOU DO NOT KNOW WHAT THEY WILL DO.

my $0.02

The problem's not with me.

First, as I already pointed out, free ZoneAlarm doesn't have password protection.

Now, read over all your recommendations, but this time, keep in mind the following:

1) Most users don't have the knowledge to implement the procedures you mentioned. I can't tell you how many people I've installed ZoneAlarm for because they didn't know you need a firewall, or what a firewall even is!

2) Firewalls are promoted as protection against both incoming and outgoing traffic. If a firewall doesn't include password protection, or even if it does, but doesn't have you set one up (with an explanation as to why it's so important that you do) as part of its installation process, then it's leaving you vulnerable.

3) Computers are supposed to increase our productivity, but those of us who know enough to fortify our computer's security are spending an inordinate amount of time doing so. Even cars don't require the kind of maintenance that our computer systems do.

In conclusion, firewalls aren't doing their job, and what you're suggesting is way beyond the capability of most users.

I did read what i wrote.

Computers are great productivity tools and entertainment media, but you have to learn how to use them. It's like a car. It's a great transportation tool, but if you just get in and go, you really cannot blame the car maker if you have a smash-up. Despite all the microsoft marketing, you cannot just turn a computer on and let it go. This wide-spread belief that you can do that is what makes the internet such a cess-pool of theft. If you do not want to take the time to learn how to use your box, it is your own fault if it gets infested. It takes all of one evening to set up a properly secured windows computer, and then maybe as much as an hour a week to keep it secure. A google search for ''HOWTO secure windows PC'' turns up all the information that you need to create a secure PC. The bookstores are brimming with books on how to secure your computer, usually including some good software. I find a $10 book worth the price to protect my computer. It is not that hard to learn or to implement and most people can do it easily. Of course, both these options demand that you can read...

As for the zone-alarm firewall and security in general: if you are always running as the superuser (which is the default in windows), then any malicious code you download and run (or anything that gets in through a security hole) is going to be able to do whatever it wants it to whatever file it wants, including editing executables and security configuration files. Even if you do go get the ''pay-for'' version of zone alarm, malicious code can easily by-pass the password protection there if you are running as the superuser or did not password protect the superuser. You need to use password protection on an operating system level (and all the other good security practices mention previously).

Who to blame: Certainly not the firewall makers. There is simply nothing their programs can do if you are running as the superuser and download and run something that subverts their code. If you want to blame somebody, you should blame microsoft for designing an operating system that attempts to hide its workings from the user under the guise of ''ease of use'' so that even after years of computer use a windows owner can remain very ignorant about what is behind the GUI. Also, Microsoft made some very questionable design decisions as far as security is concerned (like making the superuser the default user).

Mostly, though, to blame are users who expect their computers to ''just work'' and do not take that one evening to read up on how to use it.

Sorry, but it simply is not so.

Maybe you don't deal with the typical novice (and that includes people who have been using computers for years, but still don't have a clue), but I do. There's no way they're going to become knowledgeable enough in one evening. These people need entire courses (emphasis on the plural). I'm speaking from experience. I've spent many hours helping these kinds of people, and I see their lack of knowledge, and how slowly they grasp what appear to us to be simple concepts, and how quickly they forget again.

There's no question that Microsoft bears the lion's share of the blame, but I still maintain that Zone Labs (and other firewall providers) can do better. At the very least, as I've already pointed out, setting up a password should be part of the installation procedure.

Again, the bottom line is that for many people, simply learning the basics of computer usage is a major challenge, let alone the complexities of securing their computers from all the different types of threats there are out there. Zone Labs and the others promote their products as being more secure and reliable than they are, and as a result, users are lulled into thinking that they're safe as long as they have an up-to-date antivirus program and a firewall.

1. I first purchased a computer two years ago, so i remember quite clearly what it is to be a typical novice. At that time, I also bought a couple books on basic computing (with windows) and security for a fraction of price of the computer itself. I read them. I now know how to secure a computer. It is not that hard. If you want an easier road, you can just go to a forum like this one and ask and somebody will tell you how to do it. Most people have problems with their computer because they do not bother to do this (aka they are lazy) not because it is hard to understand. All it requires is that the user take responsibility for his or her own computer rather than expecting to double click on an installer and have it just function.

2. A password for zone alarm itself would do absolutely no good; it is mostly a gimick. It is totally useless against any code executed by a user with administrator rights because code executed by that user can change anything on the system. There is nothing that any programmer can do to change this, including the good folks who give us zone alarm (at no cost). The user needs to set up the computer with a seperate administrator account and user accounts, and password protect the administrator account. That way, as long as you are running as a normal user (which you should do most of the time unless you are actively installing something) things like your firewall and virus scanner are password protected by the operating system itself. It does not cost a dime beyond what you paid for windows and is easily achieved with existing tools. I fail to see what is so hard about this concept. While this is not a default windows set up, there are tools in the GUI that will do it even after the installation. There is no reason to blame Zone Labs if the user does not set the conditions that create a secure computing environment. For example, i see nothing in their advertizing that says: ''once you install ZA you can download and run ANYTHING at no risk!'' Same thing here. The user needs to take the time (which is not that much) and read a book.

3. I revise the timeline: It took me a weekend to read the books and an evening to set up the computer. As a novice.

The average user doesn't even realize that there are many security issues which he needs to learn about and address. Even experts who dispense advice via their columns (and I'm including writers who work for CNET) often emphasize the need for good up-to-date antivirus software and a firewall - nothing more. That's what the public keeps hearing, so how would they know that that's not sufficient?

And the reality is that many people simply don't have the time (not even "a weekend and an evening") to devote to becoming more knowledgeable. Just as the majority of people aren't inclined to learning the basics of electricity, plumbing and carpentry, and will pay professionals to perform the necessary repairs.

All I'm saying is that we've been led to believe that ZoneAlarm and other firewalls will protect you from rogue programs communicating to the outside world, and in truth, that protection is easily bypassed.

No idea that there are security issues in computers? Come on get real. Maybe if you lived on an island with no contact to the outside world you could have avoided hearing about computer viruses. If you never watched a movie. Many people are not aware of the nature of security threats to their computers, but just about everyone knows they exist.

No time? I am a professional soldier. I work upwards of 70 hours a week when i am not in the field or deployed. I have a family. Yet i found the time to read a book. I am not bragging, i am just trying to show from my personal experience how easy this stuff is. It is not that people do not have time, it is that they cannot avoid spending an hour or more a day watching TV (hell, you can even read in front of the TV if you want).

People who do not take time to learn about the tools they use are going to get screwed. While it is lamentable that people take advantage of each other it is also a feature of our society that you cannot forget. If you do not take the time to research your car purchase the dealer will screw you, as will the dude at the jiffy lube later on. If you do not know the basic concepts of wiring, plumbing, carpentry, and so on, the electricians, plumbers, and carpenters are going to screw you. And it would be your own fault. Same thing with your computer. You read more than a short column on CNET when you are learning about your car, same thing with your computer.

By the way, like I said before, the protection that zone alarm offers is not easily bypassed if you do not run as the administrator all the time. In fact, it is pretty rock solid.

I didn't say that people aren't aware of security issues. What I said is that they don't know that there's a need for more than an antivirus program and a firewall.

Not running as an administrator is a perfect example. Most people are simply unaware of the risks involved.

And, no, you're NOT typical. We're not discussing whether people SHOULD read up on computers. We're discussing what the reality is, and in that context, you're unusual. Right or wrong, most people are either not sufficiently motivated or lack the confidence to try to become knowledgeable about these issues. The situation is exacerbated by Microsoft, which provides the risky conditions under which we're forced to work, and by all the "experts" who assure us that all you need is antivirus and firewall software.

I think we've exhausted this subject. Time to move on to more productive activities.

You're both butting heads against one another. Truth is, I teach people "to become aware" of their computer's security.

Do they lack time or motivation? MOTIVATION is the problem, not time. When you talk about the average user, they will take all the time they need to run through a learning curve when some feature of Windows or a third party program intrigues them.

The old adage, "you've got to burn, to learn" proves itself correct, over and over. Once a person gets in a bind with home computer technology, either through apathy or a mistake, they will hone in (most of the time) on the subject and learn...

So you two are knowlegeable and can quell this spirited conversation. Bottom line: MOTIVATION.

Been using it for years. After the hit we all took from the "Blaster Worm" a couple years ago. I have found that www.antivirus.com has really tightened up their firewall/anti-virus combo. No one was protected against the Blaster Worm back then. I think MS took care such attacks on their end but so have the major Mfg's of firewalls.

Combine Trend Micros Suite with SP2, SpyBot Search and Destroy, SpyBlaster and a router. You got a darn good defense going...

Exactly. If people do not take responsibility for the tools they use then they deserve what they get.

And firewalls are not useless.

I love the way people who don't have a clue (not you, the original poster) about how the product works, what comes pre-configured out-of-the-box, or how to customize that configuration to their personal preference spout off about the product "not working" when they are simply too ignorant to understand it.

When I installed Real Player 10.5 Gold, there was no indication during installation (other than the EULA - and how many people read that? that it was setting itself up in ZoneAlarm with permission to access the Internet. And as I wrote in my original post, some of its components were set up with just that - automatic access to the Internet - no asking each time.

My title didn't disparage Real Player for precisely the reason you yourself provided: it's long been known for its ill behavior. ZoneAlarm and other firewalls, however, are trusted and relied upon by huge amounts of people to protect their computers. It's important that they be aware that that protection can easily be bypassed.

I'm currently using the Real Player Gold 10.5 build number 6.0.12.1465 which is much the same as yours. Unlike many others, I have learned to READ the license agreements. With adware/spyware being the problem that it is, I'm taking more time to find out exactly what's being installed. N

Your advice is good and it is important for users to understand their programs and tools so they know how to use them correctly. Many people aren't aware that most firewalls have the option to automatically enable ports for many other programs as well..Installing ZoneAlarm's defaults sets up ZA to automatically allow access to Internet Explorer and the Generic Host Process which are both potential problem areas. The "default" settings aren't always the best for all users in all programs.

Thanks for your tips.

Grif

To quote an old commercial:

An educated consumer is our best consumer.

Take care.

Sadly, most users are not I.T. educated and, if FREE is in the description, 98% of all users will turn a blind eye to weaknesses in the FREE program. I have a friend who is a lawyer and he proudly boasts that everything on his computer is FREE. If that is what education does for one then I am glad I am not 'educated'!

My contribution to the discussion is that, any firewall is better than no firewall - even the Microsoft Windows version. That practice applies to anti-spam, anti-virus and any other security measure.

Minimum sentences of 20 years incarceration should be mandatory for any so called educated programmer (virus writer) who distributes malicious software of any kind, including spam. It would be better for the World if those reprobates were re-educated into improving the quality of programs being written. Microsoft could do with taking that message on board.

Alan R Parsons

Free is not necessarily a bad thing, as far as software security is concerned.

Of course, you must differentiate between free as in ''land of the free'' and free as in ''costs no money.'' Software that is free (as in costs no money) is usually a promotion for another piece of software that is not free. For relatively simple programs, such as firewalls, this is perfectly acceptable. Zone Alarm is just as good as the Norton Firewall taken by itself.

However, i suspect that the software your lawyer friend boasts of is free as in land of the free. Software that is free (as in land of the) is released with its source code open for all to read, copy, distribute, audit, and submit changes to. By way of contrast, when you buy a non-free program, all you get is the binary executable and the right to use it under certain circumstances defined by the seller. As system administrators find flaws in the free software, they can write the fix to protect their own system and then submit this fix for others to use, and the fix in turn gets integrated into the software itself. This is an alternative software development model to the one where end users pay a group of computer savvy software developers to do everything for them. Instead, it assumes a community of users who are willing to take the time to really know their system and its weaknesses and then take the time to fix these weaknesses and make the fixes available to everyone else. It is a model with strengths and weaknesses; the key weakness being that for users who do not want to take the time to learn to use their computer it is not very accessible software.

However, it turns out this is not such a bad way to develop software, and especially secure software since so many people are constantly auditing it; Free, open source software has such big names as BSD and Linux to its credit. Between them, these two operating systems run over 3/4 of the servers on the internet and the Free, open source web server Apache (which runs on both of those OS's and others) is easily the most popular web server on the internet. Now, servers are usually run by businesses, and businesses spend so much money on their IT that a license fee for a non-free program is not going to give them pause... so why use the free programs? Because they are better. Linux and BSD and apache are more secure and more stable than anything offered in exchange for money, such as the windows or Macintosh servers. Even on desktop systems, Linux or BSD are much safer, and arguably just as usable, but does not come with the same support that pay-for programs have. The web browser Firefox is a perfect example of an open source program that outperforms any non-free alternative.

Given the success and quality of much FREE software, i do not understand your disdain for it. Could you explain?

I do agree with your sentiments entirely but my lawyer friend is definitely not interested in open source type free programs. I have been trying to tempt him away from Microsoft 'bells & whistles' type software for many years but, apart from Windows XP and Office 2003, he only posses the free (as in costs no money) software. Sad really.

Alan R Parsons

I bought and loaded the ZoneAlarm, I bought a ''Firewall for Dummies''. I read manuals. Thena message box comes up with one of those gobble-de-**** file names, nothing or place to translate where it comes from, what it does....

When in doubt I deny permission (genric host is one I deny) but I have not found and I have looked, what settings I can or should change/acceept. I don't even know where to find that listing that doniel cited.

It is not as doable as bulldogzerofive wants to hit us with. The ''world'' demands, ''you will pay bills on line, you will go on line if you want this info, you will bow down 3 times and kiss.'' We're dancing as fast as we can, but the technology changes faster than the lessor-beings learning curve. My other tech rant is the santimonious ''we can get rid of pay phones because EVERYBODY has cell phones'' yeah, but they may also have a dead battery.

Alan R Parsons is right, many people are not IT brain-wired. Just because someone makes ''it'' does not mean ''it'' is universally used/understood/wanted. But there are those who snap their fingers and declare ''it shall be so'' and cut off those of us who are still 3 OSes back. This is the technology divide, not that people don't have the hard equipment but also the mindset. There is a host of info out there but how to find it and use it and then there is a little thing called the rest of our lives to earn a living, care for others etc. Some people can devote the time, and maybe understand, then there are the rest of us. We try and try again.

Grif, you and the other moderators are the best source I have. The forums are my front line warning system but even this is not enough.

Thanks for being there.

I work in tech support and deal with all levels of knowledge. Most are aware of viruses and have anti-virus software. Many also have a firewall and some also have anti-spyware programs. They think they are covered. I would add that most users of Windows XP use the admin login for everything and most of the ones who have guest users do this so their kids can't change things, but still use their admin account for everything.

Since most people don't even know the vulnerabilities exist, until they find they have been compromissed or have a false sense of security with a firewall, why would they try to educate themselves. Once they find they have a problem, the many of the customers called tech support had their computer restored. I am amazed at how many customers have actually bought new computers, because they thought the other could not be fixed or it would cost too much.

To you or I, we might think that is foolish, but if you don't know how to fix something, you take it in or replace it. To put in in a different perspective, let's say your car suddenly starts losing anti-freeze. You have someone look at it and they tell you it is leaking into the cylinders and it might cost $1200 if it is a gasket or up to $2500 if they have to replace the engine. Would you be able to go buy a book, learn how to pull the engine find out where the problem is and fix it or replace the engine?

Since cars are one of my other hobbies, I didn't even need a book, except for torque specs. To me, it was easy and something others might be able to learn. I have tried to show my brother how to do simple tasks, like change spark plugs or brake pads, but I usually have to step in.

Most people would not take the time to learn how to do this, because it is not something that interests them and they do not want to take the time to learn. It does not mean they are lazy. They just want it to work and will gladly pay someone else to diagnose and fix it. For many, computers are the same way. They just want to be able to access e-mail, go shopping or pay their bills on line. They do not want to understand it, they just want it to work.

Right and wrong are so relative...

It is a matter of belief, but in my mind there is no way running as the admin all the time is secure.

I would not know how to fix the anti-freeze problem, but a second opinion is not hard to get. I had a mechanic tell me once that i needed a new transmission. I got a second opinion and it was just a bad sensor. Not that hard. You just have to use the resources at hand.

I still don't buy that "but people don't know there are threats" argument. You would have to live on an island.

Of course people just want to work. When i drill a hole in my wall i just want to hang something. That does not mean i don't have to check for studs and wires behind the drywall.

Then please answer to me as I want to know more abt cars and which is ur fav car?

If you try but are still lost, then ask for help in a forum like this one. People will point you in the right direction.

In your case:

A google search for ''zone alarm generic host alert'' and about 15 minutes of perusing links reveals that what you are blocking is anything launched from the windows dynamic link library. Probably it is windows update trying to phone home or IE trying to talk to your DNS server. On the other hand, it could be a trojan trying to phone home. A firewall, after all, is not a magic bullet, just one indicator that you may have a problem. So, how can you tell?

First step would be to allow the services that should get through access to the internet so that you know alerts you are getting are more or less real. Within 5 minutes, a Google search for ''howto configure zonealarm'' and about 5 minutes of perusing the links reveals a couple of guides on how to do this.

Now, logically, if you are not infected the alerts should stop. If they do not, then click the ''more information button'' and do a google search on what comes out of that. If it is dangerous, i am sure that danger will pop up immediately. And for good measure you can run your virus scanner and spybot scanner.


By the way, when your computer tries to tell you something, you should try to figure out what it means, or else you will not learn to understand the next message, either. When you get the gobble-de-**** file name, write it down, go on google, and search for ''gobble-de-**** ZoneAlarm'' and peruse the links for a while. Also, technology does not change that quickly; nothing we have discussed here is newer than five years.

45 minutes (max) and your problem is solved.


Rather than buying a firewall for dummies, try buying ''firewalling for dummies,'' the book. It's cheaper and the knowledge you gain will save you time in the long run. I bought ''PC Security for Dummies'' and have not had a problem since.

If you do not want to put out the effort required to use this particular tool, there is nothing preventing you from paying your bills in person and using services that allow you to do this. Paying bills on line is much more convienient, though, isn't it?