Zone alarm, you have failed me for the first time... and the last. (BLODA news)

So, I went to reboot my machine the other day, for the first time in about a month, and what should happen when it came back up but ZA (free, v6 from a few years back) refusing to start, with an error message about not being able to validate a couple of its DLLs and I'm probably missing a root cert. Actually, what it turned out to be was that one of Verisign's intermediate certs ("Verisign Class 3 Code Signing 2004 CA", one level beneath VeriSign's root and the issuer of Checkpoint's cert used to sign the files) had expired since I last rebooted (on 16/07/09) and so the chain was invalid. Had to set the system clock back in order to get it running long enough to go online, download a few replacement PFWs and uninstall it.

Newer versions of ZA don't run on w2k and I'm sure not updating my entire OS just because someone else's cert expired ...

Also, should I be able to undermine the whole of PKI just by winding the clock back on my PC? Expired should mean expired, revoked, deleted and not available again even if you try, IMO ...

Anyway, the upshot of all this is that I've had the opportunity to check a couple of BLODAs, and I can report:

- (Agnitum) Outpost (Free) still screwy. Left a gfortran testsuite running overnight and when I came back to it, ...

> WARNING: gfortran.dg/direct_io_8.f90 compilation failed to produce executable
> 2 [main] expect 1272 tty_list::allocate: No tty allocated
> FAIL: gfortran.dg/direct_io_8.f90 (test for excess errors)
> WARNING: gfortran.dg/direct_io_8.f90 compilation failed to produce executable
> 13856 [main] expect 1272 tty_list::allocate: No tty allocated
> FAIL: gfortran.dg/direct_io_8.f90 (test for excess errors)
> WARNING: gfortran.dg/direct_io_8.f90 compilation failed to produce executable
> 27105 [main] expect 1272 tty_list::allocate: No tty allocated
> FAIL: gfortran.dg/direct_io_8.f90 (test for excess errors)
> WARNING: gfortran.dg/direct_io_8.f90 compilation failed to produce executable
> 39921 [main] expect 1272 tty_list::allocate: No tty allocated
> FAIL: gfortran.dg/direct_io_8.f90 (test for excess errors)

.... snip many thousands of similar ....

> Running /gnu/gcc/releases/4.3.3-1/gcc4-4.3.3-1/src/gcc-4.3.3/gcc/testsuite/gfortran.dg/gomp/gomp.exp ...
> couldn't create output pipe for command: permission denied
>     while executing
> "exec $compiler --print-multi-lib"
>     (procedure "gcc-set-multilib-library-path" line 14)
>     invoked from within
> "gcc-set-multilib-library-path $GFORTRAN_UNDER_TEST"
>     (procedure "gfortran_link_flags" line 33)
>     invoked from within
> "gfortran_link_flags [get_multilibs] "
>     invoked from within

[ ... etc ... ]

Not just that but T'bird had hung so hard it couldn't respond or redraw its window or exit, and ping and tracert died with abnormal hardware error codes while the firewall requester was still asking me if I wanted to let them through. I had all the advanced features (behavioural blocking, component control) switched off, so I figure that's leaking handles somewhere in the core engine.

- Sunbelt (formerly Kerio): Running with it now. Gfortran testsuite now way beyond the point that Outpost failed at and showing no abnormalities, open object and handles lists all looking reasonable in Process Explorer, it's starting to look like it might just be Cygwin-friendly. (All advanced features turned off, no behavioural / NIDS / HIPS / etc.)

So the score so far, Sunbelt one, Outpost nought, ZA minus about a million. Here's crossing all my fingers and thumbs and hoping I'm not about to get a zillion mysterious fork errors cropping up ...

cheers,
DaveK

Re: Zone alarm, you have failed me for the first time... and the last. (BLODA news)

Dave Korn wrote:
> Newer versions of ZA don't run on w2k

Is Win2K still running on old time zone data, or did MS finally cave to the pressure to release that patch without requiring a $1000 payment?

Anyway, that was enough of a scare for me. No more Win2K on boxes that have to remain patched. I now use Win2K only to run IE6 in VMs for web site testing. (Could use old XP, but Win2K is more suited to VM use.)

> should I be able to undermine the whole of PKI just by
> winding the clock back on my PC? Expired should mean expired revoked deleted
> and not available again even if you try IMO ...

Expiration is not the same thing as revocation. Expiration just means you're delinquent on the Verisign Vig. The cert doesn't stop being useful. The CA just stops certifying that the holder is who he says he is. A client in possession of such a cert should warn you, but let you keep using it.

In your particular case, this means you shouldn't have had to set your clock back, as you aren't actually hacking anything by doing that. More like working around a bug.

Revocation means the cert's fingerprint gets put on a CRL, which PKI clients are supposed to download and use to reject certs, whether expired or no. This can happen, e.g., because the private key fell into the wrong hands. No one is supposed to trust anything signed by that key any more, because we can't trust those who have the key. The CA doesn't get to do this on their own, it's something pushed to the CA on behalf of their client.
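To make the expiry/revocation distinction above concrete, here is an added example that is not from anyone in this thread: a small Python model of chain validation in which expiry is judged against the verifier's own clock while revocation is a CRL lookup that ignores the clock. The certificate names, serials, dates and the CRL are constructed placeholders mirroring Dave's situation (an intermediate lapsing between the 16 July reboot and the next one); X.509 parsing and signature checking are not modelled.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Cert:  # the X.509 fields the expiry and revocation rules look at
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class Crl:  # a revocation list: issuer plus the serials it has revoked
    issuer: str
    revoked_serials: frozenset = frozenset()

def validate_chain(chain, trust_anchors, crls, now, expiry_is_fatal=True):
    """Check a leaf-first chain and return (ok, reason).
    Revocation is a positive CRL entry and ignores the clock; expiry is judged
    against `now`, the verifier's own clock, which is why a rolled-back clock
    makes an expired chain validate again. Signatures are not modelled here.
    """
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:  # names must link leaf -> root
            return False, f"{cert.subject}: issuer does not match next cert"
    if chain[-1].subject not in trust_anchors:
        return False, "chain does not end at a trust anchor"
    for cert in chain:
        for crl in crls:
            if crl.issuer == cert.issuer and cert.serial in crl.revoked_serials:
                return False, f"{cert.subject}: revoked by {crl.issuer}"
        if expiry_is_fatal and not (cert.not_before <= now <= cert.not_after):
            return False, f"{cert.subject}: not valid at {now:%Y-%m-%d}"
    return True, "ok"

# Constructed chain mirroring the post: the intermediate lapses between the last
# reboot (16 July 2009) and the next. Names, serials and dates are placeholders.
ROOT = Cert("Root CA (constructed)", "Root CA (constructed)", 1,
            datetime(1999, 1, 1), datetime(2028, 1, 1))
INTER = Cert("Code Signing 2004 CA (constructed)", ROOT.subject, 2,
             datetime(2004, 7, 16), datetime(2009, 7, 19))
LEAF = Cert("Firewall vendor (constructed)", INTER.subject, 3,
            datetime(2008, 1, 1), datetime(2010, 12, 31))
CHAIN, ANCHORS = [LEAF, INTER, ROOT], {ROOT.subject}
LAST_BOOT, TODAY = datetime(2009, 7, 16), datetime(2009, 7, 22)
NO_REVOCATIONS = [Crl(ROOT.subject)]
INTER_REVOKED = [Crl(ROOT.subject, frozenset({INTER.serial}))]

def scenarios():
    """The outcomes the thread argues about, keyed by a short description."""
    run = lambda crls, now, fatal=True: validate_chain(CHAIN, ANCHORS, crls, now, fatal)
    return {
        "22 July, honest clock": run(NO_REVOCATIONS, TODAY),
        "clock wound back to 16 July": run(NO_REVOCATIONS, LAST_BOOT),
        "clock wound back, intermediate revoked": run(INTER_REVOKED, LAST_BOOT),
        "22 July, expiry only a warning": run(NO_REVOCATIONS, TODAY, False),
    }
```

Winding the clock back re-validates the lapsed intermediate because nothing in the chain records the real date, whereas a CRL entry for the same intermediate is rejected regardless of what the clock says.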
Re: Zone alarm, you have failed me for the first time... and the last. (BLODA news)

Warren Young wrote:
> Dave Korn wrote:
>> Newer versions of ZA don't run on w2k
>
> Is Win2K still running on old time zone data, or did MS finally cave to
> the pressure to release that patch without requiring a $1000 payment?

I have no idea.

>> should I be able to undermine the whole of PKI just by
>> winding the clock back on my PC? Expired should mean expired revoked
>> deleted
>> and not available again even if you try IMO ...
>
> Expiration is not the same thing as revocation.

I know. I was suggesting it should be, otherwise there's simply no point doing it at all.

cheers,
DaveK

Re: Zone alarm, you have failed me for the first time... and the last. (BLODA news)

Dave Korn wrote:
> Warren Young wrote:
>> Dave Korn wrote:
>>> Newer versions of ZA don't run on w2k
>> Is Win2K still running on old time zone data, or did MS finally cave to
>> the pressure to release that patch without requiring a $1000 payment?
>
> I have no idea.

You would know if it did, if you're in an area of the world where the DST rules changed after MS declared "no more patches" for such things. In most of the US, for instance, your system time would have been off by an hour for several weeks during the year for the past two years. If your locale's DST rules did change recently and you didn't notice a time problem, MS must have relented. There was a huge stink over this.

>> Expiration is not the same thing as revocation.
>
> I know. I was suggesting it should be, otherwise there's simply no point
> doing it at all.

Sure there is. It benefits the CA -- more $$ -- and it benefits the rest of us by encouraging people to keep their certs current. Which cert would you trust more, one where the CA says it was current as of N months ago (N < 12) or one where the CA says it was current 6 years ago when it was first created?

Re: Zone alarm, you have failed me for the first time... and the last. (BLODA news)

Warren Young wrote:
> Dave Korn wrote:
>> Warren Young wrote:
>>> Dave Korn wrote:
>>>> Newer versions of ZA don't run on w2k
>>> Is Win2K still running on old time zone data, or did MS finally cave to
>>> the pressure to release that patch without requiring a $1000 payment?
>>
>> I have no idea.
>
> You would know if it did, if you're in an area of the world where the
> DST rules changed after MS declared "no more patches" for such things.
> In most of the US, for instance, your system time would have been off by
> an hour for several weeks during the year for the past two years. If
> your locale's DST rules did change recently and you didn't notice a time
> problem, MS must have relented. There was a huge stink over this.

Well I'm in the UK, I dunno if the rules have changed at all recently, and every once in a while I notice my PC has or hasn't got a DST change right or wrong, but never more than twice a year.

My love of w2k is based on it being the most lightweight version of the OS in years, and it having also had the longest time to get debugged and stable, but obviously it's not suitable for a corporate environment. It still WJFFM in a home environment and there's still /quite/ a lot of new software coming out that's compatible enough to run on it.

>>> Expiration is not the same thing as revocation.
>>
>> I know. I was suggesting it should be, otherwise there's simply no
>> point doing it at all.
>
> Sure there is. It benefits the CA -- more $$ --

That's precisely my idea of pointless: pointless churn for the sake of it!

> and it benefits the
> rest of us by encouraging people to keep their certs current.

Huh? How does that help?

> Which
> cert would you trust more, one where the CA says it was current as of N
> months ago (N < 12) or one where the CA says it was current 6 years ago
> when it was first created?

Well, I do maths, and in maths, what you just asked me was:

> Which would you trust more, a statement from N months ago that a^y mod m
> = b, or a statement from 6 years ago that c^y mod m = d ?

Why would how long ago the statement was made have any bearing on its truth or falsity if maths hasn't changed in the mean time?

cheers,
DaveK

Re: Zone alarm, you have failed me for the first time... and the last. (BLODA news)

On Jul 22 10:47, Dave Korn wrote:
> Warren Young wrote:
>> Dave Korn wrote:
>>> Warren Young wrote:
>>>> Dave Korn wrote:
>>>>> Newer versions of ZA don't run on w2k
>>>> Is Win2K still running on old time zone data, or did MS finally cave to
>>>> the pressure to release that patch without requiring a $1000 payment?
>>>
>>> I have no idea.
>>
>> You would know if it did, if you're in an area of the world where the
>> DST rules changed after MS declared "no more patches" for such things.
>> In most of the US, for instance, your system time would have been off by
>> an hour for several weeks during the year for the past two years. If
>> your locale's DST rules did change recently and you didn't notice a time
>> problem, MS must have relented. There was a huge stink over this.
>
> Well I'm in the UK, I dunno if the rules have changed at all recently, and
> every once in a while I notice my PC has or hasn't got a DST change right
> or wrong, but never more than twice a year.
>
> My love of w2k is based on it being the most lightweight version of the OS
> in years, and it having also had the longest time to get debugged and stable,
> but obviously it's not suitable for a corporate environment. It still WJFFM
> in a home environment and there's still /quite/ a lot of new software coming
> out that's compatible enough to run on it.

What I'm missing in W2K (and, FWIW, NT4) is the RDP server. This means, I can't use rdesktop on my Linux machine to connect to the W2K box. Rather, I have to open the console, or I have to use VNC. Neither the console, nor VNC work as nice as rdesktop, for instance, for hardcore copy/paste jobs.

I don't want to make free advertising, but it looks like W7 could become my next favorite over XP for Cygwin bulk testing and package building. Unfortunately they screwed up the NFS client and the fix will not be in the W7 RTM version.

Grrr. I hate it when marketing wins over technical aspects.

Corinna

Re: Zone alarm, you have failed me for the first time... and the last. (BLODA news)

Corinna Vinschen wrote:
> On Jul 22 10:47, Dave Korn wrote:
>> Warren Young wrote:
>>> Dave Korn wrote:
>>>> Warren Young wrote:
>>>>> Dave Korn wrote:
>>>>>> Newer versions of ZA don't run on w2k
>>>>> Is Win2K still running on old time zone data, or did MS finally cave to
>>>>> the pressure to release that patch without requiring a $1000 payment?
>>>> I have no idea.
>>> You would know if it did, if you're in an area of the world where the
>>> DST rules changed after MS declared "no more patches" for such things.
>>> In most of the US, for instance, your system time would have been off by
>>> an hour for several weeks during the year for the past two years. If
>>> your locale's DST rules did change recently and you didn't notice a time
>>> problem, MS must have relented. There was a huge stink over this.
>> Well I'm in the UK, I dunno if the rules have changed at all recently, and
>> every once in a while I notice my PC has or hasn't got a DST change right
>> or wrong, but never more than twice a year.
>>
>> My love of w2k is based on it being the most lightweight version of the OS
>> in years, and it having also had the longest time to get debugged and stable,
>> but obviously it's not suitable for a corporate environment. It still WJFFM
>> in a home environment and there's still /quite/ a lot of new software coming
>> out that's compatible enough to run on it.
>
> What I'm missing in W2K (and, FWIW, NT4) is the RDP server. This means,
> I can't use rdesktop on my Linux machine to connect to the W2K box.
> Rather, I have to open the console, or I have to use VNC. Neither the
> console, nor VNC work as nice as rdesktop, for instance, for hardcore
> copy/paste jobs.

Absolutely, rdp is significantly smoother in use than VNC. According to a post I found (http://www.tomshardware.co.uk/forum/page-172645_36_0.html), you can install RDP on at least server versions of w2k.

> Grrr. I hate it when marketing wins over technical aspects.

Cue Bill: http://www.youtube.com/watch?v=gDW_Hj2K0wo

cheers,
DaveK

Re: Zone alarm, you have failed me for the first time... and the last. (BLODA news)

First, I've seen ZoneAlarm die in so many ways I dare not count.

Second, I've got a few WinXP machines that run on 8GB hard drives and have 7.3GB left; I've just stripped out the nasty bits I don't need with nLite. I have a legit license for XP, so I just use it.

Third, I've done some hardcore copy/paste jobs with TightVNC. UltraVNC I'm never touching again. Never. Never ever. It just broke too hard.

--
Morgan Gangwere

"Space does not reflect society, it expresses it." -- Castells, M., Space of Flows, Space of Places: Materials for a Theory of Urbanism in the Information Age, in The Cybercities Reader, S. Graham, Editor. 2004, Routledge: London. p. 82-93.

Re: The statistics of certification authorities

Dave Korn wrote:
>> Which would you trust more, a statement from N months ago that a^y mod m
>> = b, or a statement from 6 years ago that c^y mod m = d ?
>
> Why would how long ago the statement was made have any bearing on its truth
> or falsity if maths hasn't changed in the mean time?

The mathematics of crypto don't enter into it. Cert expiration is useful because the entities that acquire certificates -- individual humans, corporations, fringe cults, hyperintelligent shades of the colour blue... -- change over time.

Let's continue thinking mathematically about it. A cert lets us assign a probability and confidence interval to the statement that blob N was signed by entity X. That is, we can imagine a statistical algorithm that takes various facts about the cert, the CA, etc. and comes up with a probability that we can trust that the blob came from the entity it claims to, and a confidence interval for that probability. We can call this our trust statistic.

One of these facts must include how long ago the cert was assigned to entity X, because the chance that entity X has changed in some way which means we can no longer trust blobs claiming to be signed by it increases over time. Our trust statistic is highest at the instant the cert is issued, and declines over time as the chances increase that the entity changes in some way harmful to the trust statistic.

Example: An employee of a company buys a certificate, then later gets fired for some violation of trust within the organization. If we were to learn this fact, it would certainly damage our trust statistic for that cert. We normally will not learn about such things, but we must assume they will happen, so we have to work out some kind of probability that this has happened, which must be an increasing function of time.

A CA makes a decision about the maximum amount of time it is willing to assume that the details about the entity it is certifying do not change, and sets the cert's expiration time accordingly.

The certification fee is really a side issue; many CAs charge nothing, directly, as in the case of a large organization that runs an internal CA.

Every CA has an incentive to put a lower threshold on the trust statistic, because our trust of the CA is bound up in how much we trust the certs it issues. If it issues 5-year certs, we know the chances that some of them certify things that are no longer true is higher than a CA that only issues 1-year certs. (Assuming a large enough sample size, similar population distributions, etc.)

You are quite free to choose a trust statistic threshold lower than that of the CA. You can decide to trust a blob signed by an "expired" cert.
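An added illustration, not part of Warren's post, of the trust statistic he describes, under the assumed model that events which falsify what the cert certifies (a key leaking, the employee in his example being fired) arrive at a constant rate $\lambda$ per month:

\[
p(t) = \Pr[\text{the certified facts still hold } t \text{ months after issue}] = e^{-\lambda t},
\]

which is decreasing in $t$ as the post requires. A CA that will not vouch for a cert once $p$ drops below a floor $\theta$ therefore sets the lifetime

\[
T = \frac{1}{\lambda}\ln\frac{1}{\theta},
\]

and under the same $\lambda$ a 5-year cert is still accepted when $p(60) = p(12)^5$, which is the sense in which the 1-year CA makes the stronger statement; a relying party that tolerates a lower $\theta$ than the CA is simply choosing a longer $T$ for itself.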
Re: Zone alarm, you have failed me for the first time... and the last. (BLODA news)

Dave Korn wrote:
> - Sunbelt (formerly Kerio): Running with it now. Gfortran testsuite now way
> beyond the point that Outpost failed at and showing no abnormalities, open
> object and handles lists all looking reasonable in Process Explorer, it's
> starting to look like it might just be Cygwin-friendly. (All advanced
> features turned off, no behavioural / NIDS / HIPS / etc.)
>
> So the score so far, Sunbelt one, Outpost nought, ZA minus about a million.

And now a late update to that scoreline: Outpost nought, ZA minus about a million, Sunbelt DRAGGED OUT THE BACK BY AN ANGRY MOB AND SAVAGELY BEATEN TO DEATH USING A PLANK WITH A RUSTY NAIL THROUGH IT.

Bah :-(

cheers,
DaveK

Re: Zone alarm, you have failed me for the first time... and the last. (BLODA news)

Have you tried Komodo? It's got a super-paranoid firewall, but as long as you remember to check the "let this app through in the future and I know what the hell I'm doing you tard" button you're good.

--
Morgan Gangwere

"Space does not reflect society, it expresses it." -- Castells, M., Space of Flows, Space of Places: Materials for a Theory of Urbanism in the Information Age, in The Cybercities Reader, S. Graham, Editor. 2004, Routledge: London. p. 82-93.

Re: Zone alarm, you have failed me for the first time... and the last. (BLODA news)

Morgan Gangwere wrote:
> Have you tried Komodo? Its got a super-paranoid firewall, but as long
> as you remember to check the "let this app through in the future and i
> know what the hell i'm doing you tard" button you're good.

I would have tried it but according to their website it only runs on Vista and XP. It's starting to get tricky finding a PFW that will still support W2k.

BTW, in case anyone's interested, I've been looking at the Matousec leak-testing results list and working downwards:

http://www.matousec.com/projects/proactive-security-challenge/results.php

Sunbelt scores pretty badly there. All the best-ranking ones are either on BLODA or not available for 2k, sigh.

cheers,
DaveK

Re: Zone alarm, you have failed me for the first time... and the last. (BLODA news)

On Sun, Jul 26, 2009 at 3:03 PM, Dave Korn<dave.[lulz].cygwin@[lolwut].com> wrote:
> I would have tried it but according to their website it only runs on Vista
> and XP. It's starting to get tricky finding a PFW that will still support W2k.

I forget... does that even get updates anymore?

> BTW, in case anyone's interested, I've been looking at the Matousec
> leak-testing results list and working downwards:

PC Tools' looks *decent*, though I can't say anything for quality.

--
Morgan Gangwere

"Space does not reflect society, it expresses it." -- Castells, M., Space of Flows, Space of Places: Materials for a Theory of Urbanism in the Information Age, in The Cybercities Reader, S. Graham, Editor. 2004, Routledge: London. p. 82-93.