Tag Archives: firewall

We’re Not in the Business of Understanding our User

[Image: ZoneAlarm system tray icon]

A few years ago I wrote about how sometimes your product is useful to people in ways you didn’t know—and that you’d be smart to recognise that and capitalize on it (What Your Product Does You Might Not Know About, 2007).

One of the examples I cited was ZoneAlarm, a very popular firewall that was bought by Check Point. The point I made with their product was how useful the Windows system tray icon was in that it doubled as a network activity monitor. The logo, in short, would switch to a twin gauge when there was traffic. Really useful: it wasn’t directly related to the actual function of the firewall, but for most people that’s academic. If the firewall’s up and running and traffic is showing through it, everything must be good.

The dual-purpose icon was a confidence-boosting measure, a symbol that the purpose of the product—to keep the network safe—was actually being fulfilled.

Not any more. A message on the ZoneAlarm User Community forum indicates that as of March this year the icon will not double as a network monitor. In response to questions from users a moderator wrote:

Its not going to be fixed in fact its going to be removed from up comming [sic] ZA version 10
So this will be a non issue going forward.
ZoneAlarm is not in the buiness [sic] of showing internet activity.
Forum Moderator

So there you have it. A spellchecker-challenged moderator tells it as it is. Zone Alarm is now just another firewall, with nothing to differentiate it and nothing to offer the user who’s not sure whether everything is good in Internet-land. Somebody who didn’t understand the product and the user saved a few bucks by cutting the one feature that made a difference to the user.

Check Point hasn’t covered itself in glory, it has to be said. I reckon one can directly connect the fall in interest in their product with the purchase by Check Point of Zone Labs in December 2003 (for $200 million). Here’s what a graph of search volume looks like for zonealarm since the time of the purchase. Impressive, eh?

[Image: search-volume graph for “zonealarm” since the purchase]

Of course, this also has something to do with the introduction of Windows’ own firewall, which came out with XP SP2 in, er, 2004. So good timing for Zone Labs but not so great for Check Point.

Which is why they should have figured out that the one thing that separated Zone Alarm from other firewalls was the dual purpose icon. So yes, you are in the business of showing Internet activity. Or were.

(PS Another gripe: I tried the Pro version on trial and found that as soon as the trial was over, the firewall closed down. It didn’t revert to the free version; it just left my computer unprotected. “Your computer is unprotected,” it said. Thanks a bunch!)

What Your Product Does You Might Not Know About

[Image: Empty vodka bottles used for selling petrol, Bali]

Tools often serve purposes the designers didn’t necessarily intend — increasing their stickiness for users but in a way not clearly understood by the creator.

Take the System Tray in Windows for example (and in the bar, whatever it’s called, in Macs.) And this array currently sitting in my overburdened laptop:

[Image: system tray]

These icons usually either notify the user if something happens, by changing color, animating themselves or popping up some balloon message, or they will be quick launch icons: double click or right click to launch the program, or some function within it. Or they can be both. Or, sometimes neither, sitting there like lame ducks taking up screen real estate. (These ones should, like all lame ducks, be shot.)

[Image: Skype tray icon with green tick] But the thing is that for users these icons actually sometimes do something else, acting as useful sources of more important information. I’ve noticed, for example, a lot of people — including myself — use the Skype icon (left) as the best, most visible way of telling whether their computer is connected.

First off, Skype is better and quicker at establishing a connection than most other connection-based programs with icons in the system tray. Secondly, the icon is an uncomplicated but appealing green, with a tick in it — an obvious and intuitive signal to even the most untutored user. (It helps that the Skype icon is a dull gray when there’s no connection — once again, intuitive to most users.) When the Skype button turns green, users know they’re good to go.

[Image: ZoneAlarm tray icon with gauge] Another good example of this is the Zone Alarm icon which alternates between the Zone Alarm logo and a gauge, red on the left and green on the right, to indicate traffic going in and out (see left). Another useful tool to see whether your computer is actually connected, and like the Skype icon, much more visible and obvious than the regular Windows connectivity icon — with the two computer screens flashing blue. I’ve gotten so used to having the Zone Alarm icon tell me what’s going on I have not been able to switch to other firewall programs, or Windows’ own, because they don’t have the same abundance of visual information to offer.

[Image: old ZoneAlarm logo and new Z icon] I’m not convinced that Zone Alarm’s new owners Check Point get this: They have dropped the distinctive yellow and red ZA logo in the system tray for a bland and easily missable Z (left). The ZA icon was an easy and prominent way to know your firewall was working and they’d be smart to resurrect it.

What does all this mean? Well, Skype have been smart to create a simple icon that not only does things like tell you your online status (available, away) but has also become a tool to help folk know whether they’re online or not — not always clear in this world of WiFi and 3G connectivity. In fact, for many users I’m guessing the green tick is more recognisable a Skype logo than the blue S Skype logo itself.

I don’t know whether Skype knows this, or whether the Zone Alarm guys realise their icon and gauge are much more useful to users as a data transfer measure than Windows’ own. But it’s a lesson to other software developers that the system tray icon could do a whole lot more than it presently does, with a bit of forethought. And if it can’t justify its existence, just sitting there saying, then maybe it shouldn’t be there?

Beyond that, we’d be smart to keep an eye out for how folk use our products, and to build on the opportunities that offers.

The “Sharing Files Thing” Gets Cheaper

It’s a growing space, as the marketing types call it, and it’s not surprising that Laplink, best known for their linking of laps (shurely “laptops”? – ed), have decided to make the basic edition of their file sharing application, ShareDirect, free. Previously available online for $40, the program can now be downloaded for nothing. It’s not a bad application — you just invite trusted contacts to view and download files from the folders you designate. “The files never leave the safety of your hard drive until you invite someone to download them from you directly. All files are protected by 128-bit encryption, and can securely travel through existing firewall settings,” as the blurb would have it.

The free version will allow unlimited ordinary transfers and 500 MB per month of what Laplink calls ‘Premium Transfers’. These are transfers that pass through Laplink’s own servers without any need for altering your firewall and other connection settings. The Plus version, costing $70, lets you make 5 GB a month worth of Premium Transfers.

It doesn’t surprise me because Microsoft recently bought FolderShare and made that available for nothing. I’m working on a review of these various services so watch this space. Well, actually, this space.

A Lesson From the Underground

Security is as much about giving people information as it is about building security systems. That’s the message from the managing director of the London Underground, Tim O’Toole, but it could as easily apply to personal computer security. Don Phillips’ piece in today’s International Herald Tribune could offer useful lessons to software developers and anyone trying to keep trojans, viruses and spyware at bay:

Tim O’Toole, the managing director of the London Underground, who said a terrorist attack last summer was the greatest Underground crisis since the Nazi blitz of World War II, was telling U.S. transit and rail officials they should avoid the temptation to spend lavishly on new security systems just to reassure the riding public.

Instead, he said, spend first on human resources, including constant training and a system to lavish fresh information continually on every employee in the system during a crisis, even if there is a chance some information could fall into the wrong hands.

O’Toole’s message may not have gone down very well since, “outside the hall where he spoke were many exhibits of expensive new equipment to battle terrorism on transit and rail systems.” One could imagine the same thing happening at a computer security conference. But here, I think, a difference emerges. What I think firewall and antivirus vendors need to think about is this: giving timely, useful and intelligible information to users so they can make good decisions. It’s not about locking everything out, because that’s clearly impossible.

Neither is it about ‘educating the user’. Vendors usually complain that they try to do this but fail, so go the other way — software that does everything silently, behind the scenes, and automatically, with an interface that gives only the barest information or choice to the user. Neither option — education or invisibility — works. Instead, the secret is like the Underground lesson: let people know what’s happening in the context of the situation and threat.

Back to Don’s piece:

O’Toole said the greatest mistake the London Underground had made after the bomb attacks of July 7 was its “poor performance” in keeping employees fully informed of everything that was happening even if that information is sensitive and could not be released to the public right away. In an information vacuum, employees may grow suspicious of authorities just at the time they need to be full members of a crisis team, he said. Management did a “poor job” of information flow during last summer’s attacks, he said. In the future, “We will be pumping everything we know out internally. Some of it may get out, but that’s O.K.”

There’s a clear parallel, in my mind, to Internet threats. Don’t hide knowledge about newly discovered vulnerabilities — newly found holes in existing software that might let bad guys in, if they knew about it — until a fix is found. It’s clear that attacks happen too quickly for antivirus vendors and software developers to be able to cover all contingencies, so better to inform customers and let them assess the risk. The trick is, how to do this?

I would suggest the following guidelines:

  • Most people now have firewalls installed on their desktop computers. These programs — or anti-virus programs, or antispyware programs, or combinations thereof — could become a sort of signalling service giving timely information to the user. For example, the current Kama Sutra worm, Nyxem.E or Grew.A, could be flagged with a small pop-up message informing the user of the danger and offering suggestions.
  • Make the information relevant to the situation. How do I know whether the new updates to my firewall keep me safe from the WinAmp bug identified by Secunia? If something big is happening, letting people know quickly might be more worthwhile than feverishly working on an update which doesn’t reach the user in time. Worst case scenario, the user can just unplug their computer for the rest of the day. Let them make that decision, but give them the information first.
  • The text of such alerts or advisories has got to be useful and clear. ZoneAlarm and other vendors often leave their messages too vague to be meaningful for us ordinary folk, scaring us out of our wits the first few times and then, gradually, just like the boy who cried wolf, we get blasé.

Sadly we’ve become accustomed to ignoring messages we don’t understand. This needs to change. Just like in the ordinary world, we’ve become both numb and constantly terrorized at the same time because of poor or insufficient information. We need to learn lessons about security from other fields. I don’t recommend bombarding users with alerts, but if they are used sparingly, judiciously and with good solid guidance contained inside, I think they are the best way to keep the user in the loop.

Why Hasn’t China Cracked Down on Its Rainmen?

Another mainstream media look at the alleged “Titan Rain” cyberwar strategy of the Chinese, where organised, highly disciplined and experienced gangs ferret around in Western computers. This one is from today’s Guardian Unlimited — Smash and grab, the hi-tech way:

Sources involved in tracking down the gang say the Chinese group is just one of a number of organised groups around the world that are involved in a hi-tech crime wave, some working for governments, others highly organised criminal gangs. “We have seen three attacks a day from this group in the past week and there are a lot of other groups out there,” said the source. “You could say that the iceberg is now in view.”

That said, it seems clear that this kind of thing has some government sanction:

Privately, UK civil servants familiar with NISCC’s investigation agree that the attacks on the UK and US are coming from China. This almost certainly means some state sanction or involvement – perhaps even a “shopping list” of requirements. Some of the attacks have been aimed at parts of the UK government dealing with human rights issues – “a very odd target”, according to one UK security source.

The point is that Internet activity is heavily circumscribed in China:

There is another, more compelling reason. “Hacking in China carries the death penalty,” says Professor Neil Barrett, of the Royal Military College at Shrivenham. “You also have to sign on with the police if you want to use the internet. And then there is the Great Firewall of China, which lets very little through – and lets [the Chinese government] know exactly what is happening.” The internet traffic to the UK, and its origin, would all be visible to the Chinese government. Finding the culprits would, in theory, be a simple process.

So why are they still out there, and why can we narrow down their workplace to a single province?

When Firewalls Move

Here are the details on the Zone Alarm deal I promised a couple of days back:

Effective immediately, Sygate and Kerio users switching to ZoneAlarm Pro will receive a $20 instant rebate, over 40% off the retail price of $49.95. “A firewall is the most essential, fundamental element of protection against hackers,” said Laura Yecies, general manager of Zone Labs and vice president at Check Point. “Innovation in firewall development is critical, because threats are dynamic and ever-changing. Consumers must seek a solution that is not only vendor-supported but has new features added regularly to protect against novel attack strategies.”

Of course, there’s still the free version.

And here are the details of the purchase by Sunbelt Software of Kerio:

Sunbelt Software and Kerio Technologies Inc. today announced that the parties have signed an agreement for Sunbelt to acquire the Kerio Personal Firewall. The acquisition is expected to be finalized by the end of the month.

The Kerio Personal Firewall will be re-branded on an interim basis as the “Sunbelt Kerio Personal Firewall”. All existing customers of the Kerio Personal Firewall will be able to receive support through Sunbelt once the acquisition is completed.

Upon the close of the deal, Sunbelt will also announce new reduced pricing for the full version of the product and a variety of special offers for both Kerio and Sunbelt customers. Additionally, Sunbelt will continue Kerio’s tradition of providing a basic free version for home users.

Zone Labs to Offer Sygate, Kerio Users a Deal

From a press release emailed to me by Zone Labs, makers of Zone Alarm:

The personal firewall market is currently undergoing a major shift, with Symantec set to retire the Sygate line of personal firewalls tomorrow (including the free version and Sygate Pro), and Kerio discontinuing its personal firewall at the end of December to pursue an enterprise strategy. […] In order to help consumers affected by recent events, Zone Labs will be announcing a new promotion to Sygate and Kerio users later this week to ensure that consumers have essential firewall protection available at an affordable price.

Not clear what kind of offer yet, but I’ll let you know.

ZoneAlarm’s Impressive About-turn, Or How To Do Blog PR Right

A day ago I vented my disappointment at a sneaky marketing gambit inside ZoneAlarm’s otherwise excellent free firewall software, which scared the user into running an external spyware scanner in the hope of getting them to upgrade. This morning I received word from their PR department that this promotion “has been turned off. The wording was not optimal, and we sincerely regret any inconvenience or frustrations it caused our users. Also, your story has prompted us to create a new approval process for any outbound promotions including multiple departments, to ensure that we maintain the highest integrity in our marketing efforts.”

I’m very impressed. I’m not suggesting my post prompted this — it sounds like it was in the works anyway — but this kind of close and timely monitoring of blogs is just the kind of initiative PR departments should be involved in, and just what I was going on about in a recent diatribe about Nokia, who seem little interested in customers who have a less than perfect experience in the company’s ‘Care Centres’.

Good work, ZoneAlarm.

ZoneAlarm’s Sneaky Spyware Scare?

(See a more recent post on this for an update. ZoneAlarm no longer has this ‘feature’.)

I’m a big fan, and user, of ZoneAlarm firewalls. Their interface is clean, clear and I like the system tray icon which doubles as a traffic monitor. But sometimes they do things that don’t, in my view, help educate and simplify things for the ordinary user. After all, Internet security is already baffling enough.

I use the free version of ZoneAlarm firewall and usually it works fine and unobtrusively. But just now I got a popup window like this:

[Image: ZoneAlarm popup window]

At first glance it looks like an ordinary update reminder, which would be fine. But it’s not. It seems to suggest, to the casual user, that something bad is happening to your computer. To the more experienced user it looks like one of those naff anti-spyware ads that appear on websites with a faux Windows-dialog suggesting you’re infected with spyware. (Notice there’s no option along the lines of ‘Never remind or show me this popup again. I have enough on my plate, thanks.’)

Click on ‘update now’ and you’re taken, surprise surprise, to a ZoneAlarm promotions page. To be fair to ZoneAlarm, if you’re running IE a scan will kick in (it won’t if you’re using Opera, Netscape or Mozilla as it’s an ActiveX application). Once spyware is detected, it’s not quite clear what you’re supposed to do next. Click on a ‘Remove Spyware Now’ link and you’re faced with a pop-up link pitching a ‘featured bundle’ of ZoneAlarm Internet Security Suite and TurboBackup for $50. Click on a red button marked ‘REMOVE SPYWARE with ZoneAlarm’ and you’re taken to the same pop-up (Yes, they seem to somehow get around the built-in IE popup blocker.) As far as I can see there is no other way to remove the alleged spyware.

This is all, I believe, part of ZoneAlarm’s new product, ZoneAlarm Anti-Spyware, which it launched recently. I just wish that ZoneAlarm, which I’ve had quarrels with before, didn’t stoop to such befuddling scare tactics to tout a new product.

Fame At Last, Or Under Attack?

Here’s an example of how social engineering can be more important than technical sophistication.

It’s an email with a credible from address, credible header, credible subject line, credible contents:

From: john@flexiprint.co.uk
Subject: Photo Approval Needed

Hello,

Your photograph was forwarded to us as part of an article we are publishing for our May edition of Business Monthly.  Can you check over the format and get back to us with your approval or any changes you would like.  If the photograph is not to your liking then please attach a preferred one.

Kind regards,

John Andrews
Dept Marketing
Flexiprint.co.uk

Attached is a zip file, photo-approval-needed.zip. Inside the zip file is a screen-saver executable, which, according to CodePhish’s Daniel McNamara, is an IRC trojan for building a botnet. In English this means compromising the victim’s computer so it can be controlled remotely to send spam, viruses and stuff. The compromised computer is called a zombie and the big collection of remotely controlled zombies is called a botnet.

While Daniel says the trojan is not that sophisticated, it does do a pretty good job of turning off Windows XP’s firewall, turning it, in his words, “into Swiss cheese”.

I’m more impressed, however, at the social engineering. Who wouldn’t wonder whether the attachment might contain a picture of them, and why wouldn’t they be written up in Flexiprint’s Business Monthly? Only by opening the zip file, or by checking out Flexiprint’s website (which resolves to business Internet solutions provider altoHiway), would the recipient start sniffing a rat.

This goes to underline a point that is sometimes skated over in advice given to the casual Internet user: It’s not enough to scour a suspicious email for bad grammar, odd formatting or strange header fields. Sometimes these give up few clues. Best rule of thumb is: If you’re not expecting an email from the sender, be suspicious.
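As an added example (not from the post, and not CodePhish’s analysis), here is a defender-side check in Python that parses a message like the one above and flags zip attachments wrapping Windows executables such as the .scr screen saver. The sample message and its attachment bytes are constructed inline and contain no real program; the extension list is an assumption, not something the post states.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will run on double-click; .scr (screen saver) is the
# disguise used in the lure above. Assumed list, extend to taste.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def risky_members(zip_bytes):
    """List archive members with an executable extension (nothing is extracted)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if os.path.splitext(info.filename)[1].lower() in EXECUTABLE_EXTS:
                found.append(info.filename)
    return found


def flag_attachments(raw_message):
    """Parse an RFC 5322 message; return (attachment name, [risky files]) pairs."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True)
        if not payload:
            continue
        if zipfile.is_zipfile(io.BytesIO(payload)):
            bad = risky_members(payload)
            if bad:
                findings.append((name, bad))
        elif os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
            findings.append((name, [name]))  # bare executable, no zip wrapper
    return findings


def build_sample_message(member="photo-approval-needed.scr"):
    """Constructed sample mirroring the lure; the 'executable' is placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["From"] = "john@flexiprint.co.uk"
    msg["Subject"] = "Photo Approval Needed"
    msg.set_content("Your photograph was forwarded to us ... please approve.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="photo-approval-needed.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, files in flag_attachments(build_sample_message()):
        print(f"suspicious attachment {name}: executable inside -> {files}")
```

The archive listing is read without extracting anything, so the check is safe to run on a mail gateway before the user ever sees the attachment.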