Steve Gibson is fundamentally flawed on his technical analysis of BlackIce.
Let us examine Steve's "technical" interpretation.

He compares BlackIce (a network intrusion detection system w/some firewall
capabilities) to ZoneAlarm (a firewall).  This is similar to comparing
apples to oranges.  Why doesn't he complain that ZoneAlarm doesn't determine
that an incoming connection from a website is a trojan or buffer overflow
code?

He states BlackIce allows all outbound network connections.  False, BlackIce
denies outbound connections generated by known trojans Subseven and
BackOrifice.  In fact, Steve Gibson falsely reported BI didn't block
Subseven.

<snip> http://www.theregister.co.uk/content/8/19469.html
It then goes on to say that BlackICE will detect the Sub7 virus - the one
that Mr Gibson categorically said it didn't. The explanation of this
dichotomy is as follows: "As far as I can tell from reading Mr. Gibson's
description, he installed BlackICE on the infected machine AFTER the
infection had occurred and AFTER the connection with the 'control program'
had already been established. This is part of the reason for the supposed
'failure' of BlackICE.
<snip>

Steve complains BI doesn't protect against trojans.

<snip> http://www.theregister.co.uk/content/8/19469.html
"BlackICE has never claimed to be a virus protection product. If someone
sends you the Trojan activation command, BlackICE will alert you. If you
have accidentally downloaded the dormant Trojan, and it tries to respond to
a Trojan activation command, BlackICE will alert you. However, BlackICE
cannot protect you if you already have an ACTIVE Trojan on your system prior
to installing BlackICE. It has never claimed to protect against this."
<snip>
Plus, to quote www.grcsucks.com: "the system is already compromised when the
user chose to run the file, NOT when the program tries to connect to the
Internet."

Steve's "technical" test, leaktest, is also a farce.  He has the user
initiate an outbound connection (similar to what users do when using a
search engine) and complains that BI doesn't prevent this.  Strangely,
ZoneAlarm doesn't complain when I go to www.google.com, and there is no
complaint from Steve.

Lastly, BI can be configured to treat outbound traffic the same as inbound
traffic.  So the capability is there.

Pat

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 30, 2002 10:01 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Feedback on BlackICE...


It's not a matter of believing Steve or not. It's objective technical facts,
and I agree with Steve's interpretation of these facts.
Regarding Steve's understanding of IDS: your arguments are personal and not
technical (reminds me of political discussions). I think that I understand
architecture and security, and in my opinion NIDS can't detect most
professional attacks by cyber-criminals. The reason: NIDS scanning for
signatures is not related to content format and context.

Mike


On Tue, 29 January 2002, "Kevin Brown" wrote:

>
> BlackICE is a robust and useful personal FW/IDS.  The IDS sigs are more
> robust than the logging features offered by other personal FW vendors.  With
> the recent changes they've made over the last year or so, you can crank the
> security level up and open up specific ports, rather than lowering your
> security settings so some apps will work.  Also, you can add and remove
> individual IPs or entire subnets.  This ultimately gives you much more
> flexibility for Internet facing PCs.
>
> It does not do outbound blocking like Tiny or Zone Alarm.  This is a
> complaint many people have, but I find that to be a more annoying than
> useful feature anyway.  And it's important to understand the nature of IDS
> before freaking out over what you see in your logs.  Many people claim that
> BI overreacts with all the alerts, but if you don't worry over every port
> scan, it shouldn't bother you.
>
> Other negatives are that you can't turn off any of the sigs (for repeated
> false positives).  And some sigs are a little vague in their description, so
> it won't tell you the difference between a Code Red or a Nimda scan for
> example, but you probably don't need that much granularity for a personal FW
> anyway.  At that point you'd probably want a dedicated IDS system.
>
> FYI, don't believe anything Steve Gibson says about the software
> (www.grc.com).  He has no idea what an IDS is and therefore has no idea how
> to use BI.
>
> Brownfox
>
>
> -----Original Message-----
> From: garren [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 29, 2002 1:41 AM
> To: [EMAIL PROTECTED]
> Subject: Feedback on BlackICE...
>
>
> Hi all,
>
>     I am looking at BlackICE and wondering if anyone has good/bad feedback on
> the tool. Do you think it does a good job of the combined Firewall/IDS/etc
> security that it claims it does? I have it installed and running and it has
> caught a few port scans and a DoS on my system but that could be just window
> dressing.
>
>     Feedback is a good thing... looking forward to yours.
>
> Cheers...

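Mike's point earlier in this thread, that NIDS signature scanning is not
related to content format and context, can be shown concretely. The Python
below is an added example, not code from anyone in this thread and not
BlackICE's detection logic: the two signatures, the HTTP request, the
segment boundaries and the percent-encoding are all constructed for
illustration. A per-packet byte matcher flags the request when it arrives
in one piece, but misses the same request once it is split across TCP
segments (lost context) or percent-encoded (unhandled content format),
while a scanner that reassembles the stream and decodes the format first
catches all three.

```python
"""
Added example: a payload-only signature scan versus one that first reassembles
the TCP stream and decodes the HTTP percent-encoding. The attack request and
the signatures are constructed for this example and are not BlackICE's.
"""
from urllib.parse import unquote

# Constructed signatures for a directory-traversal / command-shell probe.
SIGNATURES = [b"../../", b"cmd.exe"]


def naive_scan(segments):
    """Match each signature against each TCP segment on its own: no stream
    reassembly (context) and no decoding of the HTTP format."""
    hits = []
    for payload in segments:
        for sig in SIGNATURES:
            if sig in payload and sig not in hits:
                hits.append(sig)
    return hits


def context_aware_scan(segments):
    """Reassemble the stream, then undo percent-encoding, then match.
    Reassembly restores context; decoding restores the content format."""
    stream = b"".join(segments)
    decoded = unquote(stream.decode("latin-1")).encode("latin-1")
    return [sig for sig in SIGNATURES if sig in decoded]


# Constructed traffic: one HTTP request carrying both signatures.
ATTACK = b"GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"

# Evasion 1: the same bytes, segmented so each signature straddles a boundary.
i = ATTACK.index(b"../../") + 2      # cut inside "../../"
j = ATTACK.index(b"cmd.exe") + 3     # cut inside "cmd.exe"
SPLIT = [ATTACK[:i], ATTACK[i:j], ATTACK[j:]]

# Evasion 2: the same request with the dots percent-encoded (still valid HTTP).
ENCODED = [ATTACK.replace(b"..", b"%2e%2e").replace(b"cmd.exe", b"cmd%2eexe")]


def compare(segments):
    """Return (naive_hits, context_aware_hits) for one stream."""
    return (naive_scan(segments), context_aware_scan(segments))


if __name__ == "__main__":
    for name, segs in [("single packet", [ATTACK]),
                       ("segmented", SPLIT),
                       ("encoded", ENCODED)]:
        print(name, compare(segs))
```

Run as a script, the single-packet case is flagged by both scanners, while
the segmented and encoded cases are flagged only by the context-aware one.
Real sensors add many more normalisation steps than this (and attackers
layer more evasions), but the mechanism Mike refers to is this gap between
matching bytes and matching the protocol the bytes represent.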