
FIX for ZoneAlarm & KB951748 issue released



Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

PA Bear [MS MVP] wrote:

> CORRECTION:

>

>> The Windows Firewall [IN VISTA] is inbound/outbound.

 

Yup, that I can agree with :)

Guest Root Kit
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

On Thu, 17 Jul 2008 12:53:14 -0700, Paul (Bornival)

<PaulBornival@discussions.microsoft.com> wrote:

>"Root Kit" wrote:

>> Outbound protection (host based) is not for free. It comes at a cost

>> which can be hard for a layman to assess. The added system complexity of

>> installing a bunch of potentially vulnerable code of questionable

>> quality and functionality and the cons that follow from that, must be

>> weighed against the possible pros.

>

>Can you be more specific in this. How much more resources are really needed

>to set up outbound protection in addition to inbound. What is the payload in

>terms of CPU and memory usage ?

 

I'm not addressing resource usage. I'm addressing system complexity.

You add a lot of highly questionable code to an already critical

network path. This leads to an increased risk of exploitable bugs as

well as risks of misconfiguration. Complexity has always been an enemy of

computer security.

>> You make a computer secure by removing unnecessary stuff and fixing

>> what is broken - not by adding further potentially vulnerable code to

>> an already insecure code base.

>

>Again, not sure about that. If we were to follow you, the only solution is

>to stop using Windows at all and moving to Linux or Apple...

 

How can you draw that conclusion based on my statement? What I said is

true in general. Windows can be hardened, and if you believe apple

software is generally more secure, think again.

 

It's an indisputable fact that what isn't running can't be attacked.

The more code you run (including security software) the more

attack vectors you introduce. So the trick is to run only what is

needed and to make sure that "something" is robust (which rules out

software like IE) and kept patched.

Guest Root Kit
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

On Thu, 17 Jul 2008 13:07:01 -0700, Paul (Bornival)

<PaulBornival@discussions.microsoft.com> wrote:

>"Root Kit" wrote:

>

>> On Wed, 16 Jul 2008 00:07:46 -0700, Paul (Bornival)

>> <PaulBornival@discussions.microsoft.com> wrote:

>>

>> >The successful attacks on WinXP computers I saw were before the introduction

>> >of SP2. This was completely and effectively avoided after installing ZA.

>>

>> True - but could easily have been avoided by shutting down unnecessary

>> services, adding a simple packet filter or activating the built-in

>> one.

>

>- shutting down services is nice ... but the trouble is that the MS

>documentation is so poor that you never know what you really do when you shut

>down a service ...

 

Shutting down network services can be done in less than 1 minute using

the proper tools.

>until someone comes and complains that things do not work

>any longer as they did before... Then you realize that you better not shut

>down any service ... (I could luch longer about that, but, believe me, there

>are so many softwares that capitalize on existing "default" Windows services

>that you think twice before shutting one down...).

 

Well, I don't blindly shut down services....

>- packet filters are nice, but are you going to implement them on 30

>computers with different requirements ...

 

What makes you think it would be harder than implementing ZA on them?

>- the built-in firewall was so well hidden that I only discovered its

>existence by accident, and it was not very easy to master... I guess MS never

>advertised it because they knew how weak and inefficient it was. If what I

>say is not true, why did they not advertise it?

 

How did they not advertise it?

>> >When SP2 was introduced, I compared ZA with the SP2 firewall, and found that

>> >ZA was eventually easier to adjust to our needs. This is why I remained

>> >faithful to ZA (and I'm not the only one...).

>>

>> I wonder what your needs are.

>

>Oh simple... a workgroup with 30 computers in peer-to-peer configuration and

>in a very open environment (each computer has a PUBLIC IP address - do not

>ask me why, this is so - but each needs to be reachable from outside by me

>and a few other authorized persons...;

 

For what purpose do you need access to them? And why would that

require public IP's?

 

Without knowing your exact setup, it sounds like a potentially very

insecure environment to me.

>no domain as we had no one to be its

>administrator and if the domain server fails, everything fails ...). Seems

>crazy, but since we got ZA on all machines, we simply have no more any

>problem ...

 

None that you noticed, that is..

>> >Note that turning off WinXP network services was not possible (or largely

>> >unpractical) given our needs of communication between computers.

>>

>> How do you expect ZA to protect services you need to make available?

>

>Well, did YOU really test ZA?

 

Ohh, on several occasions. How about answering my question?

Guest Root Kit
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

On Thu, 17 Jul 2008 17:06:50 -0400, "H.S."

<hs.samREMOVEMEix@google.com> wrote:

>Kerry Brown wrote:

>> I don't think very many people that understand security think outbound

>> filtering is not a useful thing to do. Many people that understand how

>> computers work think that relying on a software firewall to stop

>> something that is running on the same computer and has the same or

>> higher privileges as the firewall isn't a good thing or even possible.

>> Outbound filtering is very useful for some situations. Outbound

>

>Here is another one: I do not like that every time I open an MS

>application (Word, Excel, Windows ... ), it tries to talk to Microsoft.

 

Then use something else.

>My firewall warns me about it and I deny it.

 

Yes. That's called self-denial-of-service.

>Now, I have no idea why the application is trying to phone home.

 

Exactly. So why assume it's bad? After all, since you installed and are

running it on your machine you must fully trust it.

>Why should it?

 

You better find that out instead of blindly shooting yourself in the

foot. When you have found out, you may even realize it's configurable.

>The only reason I would accept is if it is trying to find updates.

 

Finally some sense.

>Well, in that case, I would rather do that myself, thank you

>very much. Online help? No, don't need it. Any other reasons? Sorry, now

>you are invading my privacy.

 

The usual paranoid BS.. Unless you know exactly what data is sent back

and forth you have no reason to assume it's an invasion of privacy.

 

If you don't trust a product, you better not run it at all. It's that

simple.

Guest Kayman
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

On Thu, 17 Jul 2008 21:35:36 -0300, John John (MVP) wrote:

> Kayman wrote:

>

>> On Thu, 17 Jul 2008 17:39:08 -0500, Shenan Stanley wrote:

>>

>>

>>>Conversation in entirety:

>>>http://groups.google.com/group/microsoft.public.security/browse_frm/thread/f691e0bbe3886038/b3486be8412ee2af?lnk=st&q=#b3486be8412ee2af

>>>

>>>

>>>

>>><reference to the inbound/outbound argument parts only>

>>>

>>>This is one of those debates like *nix vs. Windows vs. OS X.

>>>

>>>Nothing is proven on any side, examples abound (some truthful and realistic

>>>from the single instance, some not so much) and nothing but emotions and

>>>egos get exposed.

>>>

>>>Personal experience and outside articles are quoted a lot. Some good for

>>>that single instance in time, others pulled from myth and legend and still

>>>others might actually hold up over scrutiny (the latter is often over-looked

>>>in the debate and glossed over at every turn by those opposed to the topic.)

>>>

>>>Ideas like "outbound only catches the stuff you already have and who says

>>>the application in question did not just change your outbound rules as you

>>>installed it so you still don't know you have it?" and "I like to know when

>>>something attempts to 'call home'" seem to cover most of the arguments.

>>>(Sound like "Windows has more security holes than other OSes" and "Macs just

>>>don't get viruses"...? Yeah - same type of arguments. heh)

>>>

>>>In the end - both are right, both are wrong. It's a personal preference.

>>>It's a way of computing, a mind-set, a need. I know many people who have

>>>ran many different OSes for many many years without a single instance of

>>>infection/infestation and they run no antivirus software and no antispyware

>>>software. They continuously (when someone finds out) get questions like

>>>"how do you know you actually don't have a virus or spyware/adware if you

>>>don't run anything to prevent/check for it?"

>>>

>>>In the end - I just go by the idea that making things more complicated is

>>>seldom the proper course of action... Simplistic solutions are usually the

>>>most effective and the most eloquent.

>>>

>>>So which way do _I_ lean? Doesn't matter.

>>>

>>>Each person has their own reasoning behind whatever it is they do. I have

>>>used many different solutions (I do like to try things - see what I can

>>>learn and find) - and I do offer advice on the ones I tried that seemingly

>>>did their jobs without _over-complicating_ my life just to keep it working.

>>>However - I know that will be different for each person, and I cannot say

>>>which is less complicated for any one of them. Advice: Try each solution

>>>*if* this whole topic has any importance to you.

>>>

>>>All anyone here can offer is that someone practice some common sense. The

>>>world is dangerous - your computer gives you options the rest of the world

>>>does not (I cannot backup my car so that when I get in a wreck, I just

>>>reload for near instant recovery) - use them. Protect yourself when you can

>>>(Equate each of these to something on your computer: lock your doors to make

>>>it harder for intruders to get in while you are there *or* away, wear a coat

>>>when it is cold, wear sunglasses to protect your eyes, put on sunscreen to

>>>protect your skin, brush your teeth to prevent cavities, pick up 'your

>>>room', take out the garbage, cover your face when you cough/sneeze, store

>>>copies of important documents(life insurance, will, deeds, etc) far away

>>>from the originals, etc.)

>>>

>>>I know someone could pull one (or more) argument for one side or the other

>>>out of those - I could do it right now. heh

>>>

>>>The point - if the solution for everyone was obvious and one-sided - there

>>>would be no discussion. Being that each person is unique with differing

>>>experiences and external facts that help support their own experiences - the

>>>discussion is never-ending. Not one person here can definitively win their

>>>argument (even if you get rid of every actual 'crazy argument' -- although

>>>who decides that is yet another debate. hah)

>>>

>>>Interesting that a discussion about a particular patch that exasperated a

>>>problem in a particular piece of software could spawn a conversation along

>>>these lines... And the subject line stays the same through out. Amazing

>>>really.

>>>

>>

>>

>> Well, I don't think the discussion is about a particular software per se.

>> Rather the requirement of 'outbound control' after the introduction of NT.

>> Jesper M. Johansson wrote educational articles about this subject

>> extensively. It's an important security subject and the message is not easy

>> to convey, especially if one is blinded by the hype created by the makers

>> of 3rd party software.

>

> Before Windows XP what were people using?

 

I don't know but *I* was using a 3rd party (so-called) firewall application

and (incidentally) Registry Cleaner :-)

> What were they using on NT4 and on Windows 2000?

 

I don't know.

> Just because XP got a firewall now anything else has suddenly become

> unfit for use?

 

Well, these are throwaway words; If you were more open-minded in relation

to OS's and read (*and* comprehend) through pertinent write-ups (even in

this thread), then it'd be obvious to you - and no, I am not a techie :)

> Geez, I guess next the hype will be that anything but One Care will

> be no good.

 

Irrelevant (but it's your guess, I guess). You may wish to communicate with

Carey Frisch on this particular issue.

 

What is relevant, noticeable and very encouraging is that some technically

savvy MVP's are expressing their doubts and/or speaking against the use of

3rd party (so-called) firewall software application on WinXP and Vista

platforms. I can only assume that the articles published by respected

authors with outstanding credentials such as Jesper Johansson and Steve

Riley may have triggered this recent phenomenon (though some articles are

relatively dated). Not so long ago, this issue was avoided/sidelined by

most MVP's.

(And no, I can't provide any statistics but as a frequent lurker, these are

my observations).

In fact, whenever B.Nice (aka Straight Talk and now Root Kit) was touching

this issue he was attacked from left, right and center, incl. MVP's; They

were over him like a bad rash!

I reiterate, the change of direction by some MVP's is a most welcome

development and will without any doubt be beneficial for all lurkers and

newcomers who'll be thinking twice before installing Illusion Ware :-)

Guest Kayman
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

On Thu, 17 Jul 2008 19:31:09 -0500, Shenan Stanley wrote:

> Conversation in entirety:

> http://groups.google.com/group/microsoft.public.security/browse_frm/thread/f691e0bbe3886038/b3486be8412ee2af?lnk=st&q=#b3486be8412ee2af

>

>

>

> Shenan wrote:

> <snip>

>> Interesting that a discussion about a particular patch that

>> exasperated a problem in a particular piece of software could

>> spawn a conversation along these lines... And the subject line

>> stays the same through out. Amazing really.

>

> Kayman wrote:

>> Well, I don't think the discussion is about a particular software

>> per se. Rather the requirement of 'outbound control' after the

>> introduction of NT. Jesper M. Johansson wrote educational articles

>> about this subject extensively. It's an important security subject

>> and the message is not easy to convey, especially if one is blinded

>> by the hype created by the makers of 3rd party software.

>

> Actually - if you read what I posted - this 'discussion' did start out as I

> stated...

> The subject line points this out quite readily. ;-)

>

> It "spawned" into what you are speaking of.

>

Yes Shenan, you're right actually!

Guest Root Kit
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

On Thu, 17 Jul 2008 17:02:23 -0400, "H.S."

<hs.samREMOVEMEix@google.com> wrote:

>Paul (Bornival) wrote:

>>

>> I am amazed by how strongly people linked to MS state that outbound

>> filtering is unnecessary or even counterproductive. Yet, other people, not

>> linked to MS, think otherwise. Why is it so ?

 

Just for the record, I'm in no way connected to MS. I'm just able to

distinguish between what makes sense and what doesn't.

 

BTW, can someone point me to a list of personal firewalls for Linux?

>Looks like MS does not want to invest time and resources in developing a

>full firewall and is thus marketing and trying to convince its users

>that outbound control is unnecessary.

 

First of all, and once again for the record: Outbound control can make

good sense and is *not* considered unnecessary. Repeating this false

statement doesn't make it right. Host based outbound application

control on a windows OS as a security measure against malware on the

other hand is *nonsense*.

 

So to answer your question, a more likely but of course much less

exciting explanation is that MS actually know their own OS well enough

to know that such a thing as outbound application control would be

waste of code.

 

For such a concept to make sense it would have to be implemented as a

core integrated part of an OS with very strong restrictions on what

applications are allowed to do.

>Historically, MS has wanted their OS to be used by dumb average Joe

>users and thus tuned its system as such.

 

If you're unhappy about that feel free to use something else.

 

<snipped the usual MS bashing>

Guest Root Kit
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

On Thu, 17 Jul 2008 17:39:08 -0500, "Shenan Stanley"

<newshelper@gmail.com> wrote:

>In the end - both are right, both are wrong.

 

So there is no such thing as indisputable facts?

>It's a personal preference.

 

A preference which should be based mainly on facts instead of gut

feelings.

Guest Root Kit
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

On Thu, 17 Jul 2008 21:35:36 -0300, "John John (MVP)"

<audetweld@nbnet.nb.ca> wrote:

>Before Windows XP what were people using? What were they using on NT4

>and on Windows 2000? Just because XP got a firewall now anything else

>has suddenly become unfit for use?

 

That hasn't really been the topic of discussion. The discussion has

been about the value of outbound control. To the best of my knowledge

no one has questioned the value of inbound protection.

>Geez, I guess next the hype will be

>that anything but One Care will be no good.

 

I doubt it. But a good technical discussion about the abilities of

security software in general would probably be of value.

Guest Shenan Stanley
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

Conversation in entirety:

http://groups.google.com/group/microsoft.public.security/browse_frm/thread/f691e0bbe3886038/b3486be8412ee2af?lnk=st&q=#b3486be8412ee2af

 

 

 

<actual posting being responded to in its whole form - as intended>

Shenan Stanley wrote:

> <reference to the inbound/outbound argument parts only>

>

> This is one of those debates like *nix vs. Windows vs. OS X.

>

> Nothing is proven on any side, examples abound (some truthful and

> realistic from the single instance, some not so much) and nothing

> but emotions and egos get exposed.

>

> Personal experience and outside articles are quoted a lot. Some

> good for that single instance in time, others pulled from myth and

> legend and still others might actually hold up over scrutiny (the

> latter is often over-looked in the debate and glossed over at every

> turn by those opposed to the topic.)

>

> Ideas like "outbound only catches the stuff you already have and

> who says the application in question did not just change your

> outbound rules as you installed it so you still don't know you have

> it?" and "I like to know when something attempts to 'call home'"

> seem to cover most of the arguments. (Sound like "Windows has more

> security holes than other OSes" and "Macs just don't get

> viruses"...? Yeah - same type of arguments. heh)

>

> In the end - both are right, both are wrong. It's a personal

> preference. It's a way of computing, a mind-set, a need. I know

> many people who have ran many different OSes for many many years

> without a single instance of infection/infestation and they run no

> antivirus software and no antispyware software. They continuously

> (when someone finds out) get questions like "how do you know you

> actually don't have a virus or spyware/adware if you don't run

> anything to prevent/check for it?"

>

> In the end - I just go by the idea that making things more

> complicated is seldom the proper course of action... Simplistic

> solutions are usually the most effective and the most eloquent.

>

> So which way do _I_ lean? Doesn't matter.

>

> Each person has their own reasoning behind whatever it is they do.

> I have used many different solutions (I do like to try things - see

> what I can learn and find) - and I do offer advice on the ones I

> tried that seemingly did their jobs without _over-complicating_ my

> life just to keep it working. However - I know that will be

> different for each person, and I cannot say which is less

> complicated for any one of them. Advice: Try each solution *if*

> this whole topic has any importance to you.

>

> All anyone here can offer is that someone practice some common

> sense. The world is dangerous - your computer gives you options

> the rest of the world does not (I cannot backup my car so that when

> I get in a wreck, I just reload for near instant recovery) - use

> them. Protect yourself when you can (Equate each of these to

> something on your computer: lock your doors to make it harder for

> intruders to get in while you are there *or* away, wear a coat when

> it is cold, wear sunglasses to protect your eyes, put on sunscreen

> to protect your skin, brush your teeth to prevent cavities, pick up

> 'your room', take out the garbage, cover your face when you

> cough/sneeze, store copies of important documents(life insurance,

> will, deeds, etc) far away from the originals, etc.)

>

> I know someone could pull one (or more) argument for one side or

> the other out of those - I could do it right now. heh

>

> The point - if the solution for everyone was obvious and one-sided

> - there would be no discussion. Being that each person is unique

> with differing experiences and external facts that help support

> their own experiences - the discussion is never-ending. Not one

> person here can definitively win their argument (even if you get

> rid of every actual 'crazy argument' -- although who decides that

> is yet another debate. hah)

>

> Interesting that a discussion about a particular patch that

> exasperated a problem in a particular piece of software could spawn

> a conversation along these lines... And the subject line stays the

> same through out. Amazing really.

<breaking it into fragments leave out the whole idea>

<which was done below>

 

Shenan Stanley wrote:

<extremely snipped>

> In the end - both are right, both are wrong.

<extremely snipped>

 

Root Kit wrote:

> So there is no such thing as indisputable facts?

 

Shenan Stanley wrote:

<extremely snipped>

> It's a personal preference.

<extremely snipped>

 

Root Kit wrote:

> A preference which should be based mainly on facts instead of gut

> feelings.

 

 

Response to:

> So there is no such thing as indisputable facts?

 

I covered that in the whole...

> Personal experience and outside articles are quoted a lot. Some

> good for that single instance in time, others pulled from myth and

> legend and still others might actually hold up over scrutiny (the

> latter is often over-looked in the debate and glossed over at every

> turn by those opposed to the topic.)

 

Whether or not a fact is *actually* indisputable seldom has the effect of

those emotionally charged in the opposite manner stopping their refuting of

said fact.

 

In other words - no matter what you do, people will believe what people will

believe. Obstinance is a distinctly human trait. Seldom do you see other

animals refusing to believe that the mountain that lies before them actually

lies before them. ;-)

 

 

Response to:

> A preference which should be based mainly on facts instead of gut

> feelings.

 

Without a doubt and pretty much what I said.

> Advice: Try each solution *if*

> this whole topic has any importance to you.

 

--

Shenan Stanley

MS-MVP

--

How To Ask Questions The Smart Way

http://www.catb.org/~esr/faqs/smart-questions.html

Guest Root Kit
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

On Fri, 18 Jul 2008 15:24:04 +0700, Kayman

<kaymanDeleteThis@operamail.com> wrote:

>In fact, whenever B.Nice (aka Straight Talk and now Root Kit) was touching

>this issue he was attacked from left, right and center, incl. MVP's; They

>were over him like a bad rash!

 

"All truth goes through three stages. First it is ridiculed. Then it

is violently opposed. Finally, it is accepted as self-evident."

-Schopenhauer

Guest Kayman
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

On Fri, 18 Jul 2008 10:20:55 GMT, Root Kit wrote:

> On Fri, 18 Jul 2008 15:24:04 +0700, Kayman

> <kaymanDeleteThis@operamail.com> wrote:

>

>>In fact, whenever B.Nice (aka Straight Talk and now Root Kit) was touching

>>this issue he was attacked from left, right and center, incl. MVP's; They

>>were over him like a bad rash!

>

> "All truth goes through three stages. First it is ridiculed. Then it

> is violently opposed. Finally, it is accepted as self-evident."

> -Schopenhauer

 

Very true indeed :)

Guest Leonard Grey
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

And then the fourth stage: "What were we thinking?!"

 

---

Leonard Grey

Errare humanum est

 

Kayman wrote:

> On Fri, 18 Jul 2008 10:20:55 GMT, Root Kit wrote:

>

>> On Fri, 18 Jul 2008 15:24:04 +0700, Kayman

>> <kaymanDeleteThis@operamail.com> wrote:

>>

>>> In fact, whenever B.Nice (aka Straight Talk and now Root Kit) was touching

>>> this issue he was attacked from left, right and center, incl. MVP's; They

>>> were over him like a bad rash!

>> "All truth goes through three stages. First it is ridiculed. Then it

>> is violently opposed. Finally, it is accepted as self-evident."

>> -Schopenhauer

>

> Very true indeed :)

Guest Kayman
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

On Fri, 18 Jul 2008 10:02:00 -0400, Leonard Grey wrote:

> And then the fourth stage: "What were we thinking?!"

 

I wouldn't know, now would I?

Do you consider your thoughts to be important?

Do organized beliefs of a group or individual supersede facts?

Guest Root Kit
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

On Thu, 17 Jul 2008 06:24:00 -0700, "Kerry Brown"

<kerry@kdbNOSPAMsys-tems.c*a*m> wrote:

>The flaw was in the way DNS worked. The fact that your 3rd party application

>couldn't deal with the fact that an OS update changed some system files says

>a lot about how well it's programmed.

 

Indeed.

Guest John John (MVP)
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

Kayman wrote:

> On Thu, 17 Jul 2008 21:35:36 -0300, John John (MVP) wrote:

>

>

>>Kayman wrote:

>>

>>

>>>On Thu, 17 Jul 2008 17:39:08 -0500, Shenan Stanley wrote:

>>>

>>>

>>>

>>>>Conversation in entirety:

>>>>http://groups.google.com/group/microsoft.public.security/browse_frm/thread/f691e0bbe3886038/b3486be8412ee2af?lnk=st&q=#b3486be8412ee2af

>>>>

>>>>

>>>>

>>>><reference to the inbound/outbound argument parts only>

>>>>

>>>>This is one of those debates like *nix vs. Windows vs. OS X.

>>>>

>>>>Nothing is proven on any side, examples abound (some truthful and realistic

>>>

>>>>from the single instance, some not so much) and nothing but emotions and

>>>

>>>>egos get exposed.

>>>>

>>>>Personal experience and outside articles are quoted a lot. Some good for

>>>>that single instance in time, others pulled from myth and legend and still

>>>>others might actually hold up over scrutiny (the latter is often over-looked

>>>>in the debate and glossed over at every turn by those opposed to the topic.)

>>>>

>>>>Ideas like "outbound only catches the stuff you already have and who says

>>>>the application in question did not just change your outbound rules as you

>>>>installed it so you still don't know you have it?" and "I like to know when

>>>>something attempts to 'call home'" seem to cover most of the arguments.

>>>>(Sound like "Windows has more security holes than other OSes" and "Macs just

>>>>don't get viruses"...? Yeah - same type of arguments. heh)

>>>>

>>>>In the end - both are right, both are wrong. It's a personal preference.

>>>>It's a way of computing, a mind-set, a need. I know many people who have

>>>>ran many different OSes for many many years without a single instance of

>>>>infection/infestation and they run no antivirus software and no antispyware

>>>>software. They continuously (when someone finds out) get questions like

>>>>"how do you know you actually don't have a virus or spyware/adware if you

>>>>don't run anything to prevent/check for it?"

>>>>

>>>>In the end - I just go by the idea that making things more complicated is

>>>>seldom the proper course of action... Simplistic solutions are usually the

>>>>most effective and the most eloquent.

>>>>

>>>>So which way do _I_ lean? Doesn't matter.

>>>>

>>>>Each person has their own reasoning behind whatever it is they do. I have

>>>>used many different solutions (I do like to try things - see what I can

>>>>learn and find) - and I do offer advice on the ones I tried that seemingly

>>>>did their jobs without _over-complicating_ my life just to keep it working.

>>>>However - I know that will be different for each person, and I cannot say

>>>>which is less complicated for any one of them. Advice: Try each solution

>>>>*if* this whole topic has any importance to you.

>>>>

>>>>All anyone here can offer is that someone practice some common sense. The

>>>>world is dangerous - your computer gives you options the rest of the world

>>>>does not (I cannot backup my car so that when I get in a wreck, I just

>>>>reload for near instant recovery) - use them. Protect yourself when you can

>>>>(Equate each of these to something on your computer: lock your doors to make

>>>>it harder for intruders to get in while you are there *or* away, wear a coat

>>>>when it is cold, wear sunglasses to protect your eyes, put on sunscreen to

>>>>protect your skin, brush your teeth to prevent cavities, pick up 'your

>>>>room', take out the garbage, cover your face when you cough/sneeze, store

>>>>copies of important documents(life insurance, will, deeds, etc) far away

>>>

>>>>from the originals, etc.)

>>>

>>>>I know someone could pull one (or more) argument for one side or the other

>>>>out of those - I could do it right now. heh

>>>>

>>>>The point - if the solution for everyone was obvious and one-sided - there

>>>>would be no discussion. Being that each person is unique with differing

>>>>experiences and external facts that help support their own experiences - the

>>>>discussion is never-ending. Not one person here can definitively win their

>>>>argument (even if you get rid of every actual 'crazy argument' -- although

>>>>who decides that is yet another debate. hah)

>>>>

>>>>Interesting that a discussion about a particular patch that exasperated a

>>>>problem in a particular piece of software could spawn a conversation along

>>>>these lines... And the subject line stays the same through out. Amazing

>>>>really.

>>>>

>>>

>>>

>>>Well, I don't think the discussion is about a particular software per se.

>>>Rather the requirement of 'outbound control' after the introduction of NT.

>>>Jesper M. Johansson wrote educational articles about this subject

>>>extensively. It's an important security subject and the message is not easy

>>>to convey, especially if one is blinded by the hype created by the makers

>>>of 3rd party software.

>>

>>Before Windows XP what were people using?

>

>

> I don't know but *I* was using a 3rd party (so-called) firewall application

> and (incidentally) Registry Cleaner :-)

 

What do registry cleaners have to do with firewalls? Why are you even

mentioning them here, if only as a feeble attempt to muddle the issue?

If third party firewalls are only "so-called firewalls" then the Windows

XP firewall is no different, it too is nothing more than a personal

firewall.

 

>> What were they using on NT4 and on Windows 2000?

>

>

> I don't know.

 

That doesn't surprise me.

 

>>Just because XP got a firewall now anything else has suddenly become

>>unfit for use?

>

>

> Well, these are throwaway words; If you were more open-minded in relation

> to OS's and read (*and* comprehend) through pertinent write-ups (even in

> this thread), then it'd be obvious to you - and no, I am not a techie :)

 

I am more open minded than you are! I have no quibbles about which

firewall people decide to use, if they want to use the Windows firewall

that is fine, the Windows firewall offers protection for what it was

designed to do, there is nothing wrong with it at all. If users want to

use other good firewalls that offer different features that is fine too,

many of these other firewalls are also good and they do everything that

the Windows firewall does plus they give users additional features that

users have asked for. That is fine by me, I don't care what they use

providing that they use something! You on the other hand think that you

should dictate your views onto others and that you should be telling

them what to do. You are on a religious zeal to convert the masses.

 

When users tell you they want other features all you can do is berate

them and try to impose your views on them. The fact is that there is

nothing wrong with many of the third party firewalls out there and if

users want to use them it really is none of your business. Your

attempt to discredit all third party firewalls is plainly misguided, the

facts are that many of these other products are also good products and

many are free.

 

The bottom line is that you and others in your camp simply cannot back

that notion that you perpetuate that all third party firewalls are

incapable of protecting users. That is untrue, it is a lie, plain and

simple, there is no other way to put it.

 

John

Guest PA Bear [MS MVP]
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

[This has got to be one of the longest & most crossposted 'Threads That Will

Not Die' I've seen in quite some time. Now I wish I'd set the Followup-To

in my original post for alt.zonies.misc_rant newsgroup! <eg>]

Guest Stinger
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

 

 

"Kerry Brown" wrote:

> "Stinger" <Stinger@discussions.microsoft.com> wrote in message

> news:B7A45133-F148-4507-85CB-> Bottom line, this update is important since

> it was a gaping hole in Windows

> > for quite some time. Great that Windows decided to do something about it.

> > Bad it renders tried and true helper 3rd party software that has been used

> > for years by the general public trying its best to close that huge hole in

> > Windows (with what is considered "overkill) and at the same time

> > consumers

> > are unable to even get on the internet without a single word of caution

> > from

> > the makers of the operating system. Ironically, they left it up to the

> > geeks

> > of the world to figure it out. Nice from a company that assumes it's the

> > industry leader.

>

>

> You should do a bit of research before you post. The gaping hole was in the

> way DNS worked. It was not Windows specific. Almost every OS was affected.

> In fact almost everything that interacted with DNS in any way was affected.

>

> http://www.securityfocus.com/news/11526

>

> Take a look at some of the affected products.

>

> http://www.kb.cert.org/vuls/id/800113

>

> We can debate the effectiveness of software firewalls all day. I don't think

> at the end of the debate either of us would change their mind. You think

> they're great. I think they're mostly hype and snake oil. There is no

> debating the fact that this flaw in the DNS system needed to be patched and

> it needed to be patched immediately. This has nothing to do with Windows.

> The flaw was in the way DNS worked. The fact that your 3rd party application

> couldn't deal with the fact that an OS update changed some system files says

> a lot about how well it's programmed. It wasn't any changes in the files

> that broke your software. It was just the fact that the files changed that

> broke it. If an application can't deal with the fact that an OS may update

> itself it's not an application I would want on my computer.

>

> --

> Kerry Brown

> MS-MVP - Windows Desktop Experience: Systems Administration

> http://www.vistahelp.ca/phpBB2/

> http://vistahelpca.blogspot.com/

>

>

>

>

>

Simply amazing to me how many of you responders hold such a cavalier

attitude toward security. I challenge any of you to publicly post a static

IP address available you can monitor, turn on that wonderful Windows firewall

(since that's all you believe is needed) and sit back for a few days and

watch what happens. You'll soon discover how vital a security becomes in

your computer world. Do it the right way, like MOST consumers do without the

aid of any router or other bandwidth protectors.

 

Firewalls are mostly hype and snake oil. Thanks for that little chuckle.

You don't mind if I share that statement with others in the real world

outside of the protection of this forum? Sure, most computer users are small

fish in a big sea but not all of us....obviously. I for one would rather be

safe with my firewall protection than to take the word of someone that

discounts security as easily as the like of this group.

 

Oh and let's be real honest about something here. Internet Explorer is

"bundled" with Windows, has been for a long time. Windows is also the most

common OS in the world. But IE is nothing more than a GUI for viewing web

pages. Saying the DNS problem wasn't related to Windows (did you really say

that??) is laughable. Perhaps a better understanding of the actual DNS issue

should be on your todo list. And on top of all that even implying a firewall

isn't involved in this DNS issue is blasphemy. What conduit is being used

for this communication between your computer and web pages if it's not via

ports? I'll quote a single line explaining part of the DNS process for those

reading this that are tired of being directed to web sites --> "If the

records are not stored locally, your computer queries (or contacts) your

ISP's recursive DNS servers." Doesn't take a rocket scientist to understand

the Windows operating system does indeed have a major stake in this DNS

problem. If you still are riding on the boat down the river of denial, ask

yourself one question.... Why was the patch even produced by MS if there

wasn't a "problem" with the OS, hmm?

 

Yea, firewalls are all hype and snake oil. That's an instant classic!

 

You folks need to get out of the Microsoft world and step into the real

world every once in a while or you're limiting yourself.

Guest Root Kit
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

On Fri, 18 Jul 2008 13:20:01 -0700, Stinger

<Stinger@discussions.microsoft.com> wrote:

>Simply amazing to me how many of you responders hold such a cavalier

>attitude toward security. I challenge any of you to publicly post a static

>IP address available you can monitor, turn on that wonderful Windows firewall

>(since that's all you believe is needed) and sit back for a few days and

>watch what happens.

 

So - what's going to happen? Please enlighten us.

>You'll soon discover how vital a security becomes in

>your computer world.

 

I don't recall anyone claiming security isn't important.

>Do it the right way, like MOST consumers do without the

>aid of any router or other bandwidth protectors.

>

>Firewalls are mostly hype and snake oil. Thanks for that little chuckle.

 

Do you have any technical arguments to prove otherwise, or are you

just babbling?

>You don't mind if I share that statement with others in the real world

>outside of the protection of this forum?

 

Feel free.

>Sure, most computer users are small fish in a big sea but not all of us..

>..obviously. I for one would rather be safe with my firewall protection

>than to take the word of someone that discounts security as easily as the

>like of this group.

 

No one here forces you to stop using pseudo-security software.

>Oh and let's be real honest about something here. Internet Explorer is

>"bundled" with Windows, has been for a long time.

 

Really? - I guess that comes as a major shock to all of us...

>Windows is also the most common OS in the world.

 

It is? - You continue to surprise...

>But IE is nothing more than a GUI for viewing web

>pages.

 

Well... it's also an ActiveX rich web client if you ask me.

>Saying the DNS problem wasn't related to Windows (did you really say

>that??) is laughable.

 

I don't honestly think you understood what he said.

>Perhaps a better understanding of the actual DNS issue

>should be on your todo list. And on top of all that even implying a firewall

>isn't involved in this DNS issue is blasphemy.

 

Blasphemy? - Holy sh...

>What conduit is being used for this communication between your computer and web pages if it's not via

>ports? I'll quote a single line explaining part of the DNS process for those

>reading this that are tired of being directed to web sites --> "If the

>records are not stored locally, your computer queries (or contacts) your

>ISP's recursive DNS servers." Doesn't take a rocket scientist to understand

>the Windows operating system does indeed have a major stake in this DNS

>problem.

 

Do you even understand the problem?

>If you still are riding on the boat down the river of denial, ask

>yourself one question.... Why was the patch even produced by MS if there

>wasn't a "problem" with the OS, hmm?

>

>Yea, firewalls are all hype and snake oil. That's an instant classic!

>

>You folks need to get out of the Microsoft world and step into the real

>world every once in a while or you're limiting yourself.

 

It's hard to avoid MS products also in the real world ;-)

 

 

BTW, what you provided here lacks any technical arguments which makes

you sound more like a salesman than anything else. So what security

software company do you represent?

Guest Kerry Brown
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

"Stinger" <Stinger@discussions.microsoft.com> wrote in message

news:64031966-D4CF-4748-8D5D-A691A4F4D6C3@microsoft.com...

>

>

> "Kerry Brown" wrote:

>

>> "Stinger" <Stinger@discussions.microsoft.com> wrote in message

>> news:B7A45133-F148-4507-85CB-> Bottom line, this update is important

>> since

>> it was a gaping hole in Windows

>> > for quite some time. Great that Windows decided to do something about

>> > it.

>> > Bad it renders tried and true helper 3rd party software that has been

>> > used

>> > for years by the general public trying its best to close that huge hole

>> > in

>> > Windows (with what is considered "overkill) and at the same time

>> > consumers

>> > are unable to even get on the internet without a single word of caution

>> > from

>> > the makers of the operating system. Ironically, they left it up to the

>> > geeks

>> > of the world to figure it out. Nice from a company that assumes it's

>> > the

>> > industry leader.

>>

>>

>> You should do a bit of research before you post. The gaping hole was in

>> the

>> way DNS worked. It was not Windows specific. Almost every OS was

>> affected.

>> In fact almost everything that interacted with DNS in any way was

>> affected.

>>

>> http://www.securityfocus.com/news/11526

>>

>> Take a look at some of the affected products.

>>

>> http://www.kb.cert.org/vuls/id/800113

>>

>> We can debate the effectiveness of software firewalls all day. I don't

>> think

>> at the end of the debate either of us would change their mind. You think

>> they're great. I think they're mostly hype and snake oil. There is no

>> debating the fact that this flaw in the DNS system needed to be patched

>> and

>> it needed to be patched immediately. This has nothing to do with Windows.

>> The flaw was in the way DNS worked. The fact that your 3rd party

>> application

>> couldn't deal with the fact that an OS update changed some system files

>> says

>> a lot about how well it's programmed. It wasn't any changes in the files

>> that broke your software. It was just the fact that the files changed

>> that

>> broke it. If an application can't deal with the fact that an OS may

>> update

>> itself it's not an application I would want on my computer.

>>

>> --

>> Kerry Brown

>> MS-MVP - Windows Desktop Experience: Systems Administration

>> http://www.vistahelp.ca/phpBB2/

>> http://vistahelpca.blogspot.com/

>>

>>

>>

>>

>>

> Simply amazing to me how many of you responders hold such a cavalier

> attitude toward security. I challenge any of you to publicly post a

> static

> IP address available you can monitor, turn on that wonderful Windows

> firewall

> (since that's all you believe is needed) and sit back for a few days and

> watch what happens. You'll soon discover how vital a security becomes in

> your computer world. Do it the right way, like MOST consumers do without

> the

> aid of any router or other bandwidth protectors.

>

> Firewalls are mostly hype and snake oil. Thanks for that little chuckle.

> You don't mind if I share that statement with others in the real world

> outside of the protection of this forum? Sure, most computer users are

> small

> fish in a big sea but not all of us....obviously. I for one would rather

> be

> safe with my firewall protection than to take the word of someone that

> discounts security as easily as the like of this group.

>

> Oh and let's be real honest about something here. Internet Explorer is

> "bundled" with Windows, has been for a long time. Windows is also the

> most

> common OS in the world. But IE is nothing more than a GUI for viewing web

> pages. Saying the DNS problem wasn't related to Windows (did you really

> say

> that??) is laughable. Perhaps a better understanding of the actual DNS

> issue

> should be on your todo list. And on top of all that even implying a

> firewall

> isn't involved in this DNS issue is blasphemy. What conduit is being used

> for this communication between your computer and web pages if it's not via

> ports? I'll quote a single line explaining part of the DNS process for

> those

> reading this that are tired of being directed to web sites --> "If the

> records are not stored locally, your computer queries (or contacts) your

> ISP's recursive DNS servers." Doesn't take a rocket scientist to

> understand

> the Windows operating system does indeed have a major stake in this DNS

> problem. If you still are riding on the boat down the river of denial,

> ask

> yourself one question.... Why was the patch even produced by MS if there

> wasn't a "problem" with the OS, hmm?

>

> Yea, firewalls are all hype and snake oil. That's an instant classic!

>

> You folks need to get out of the Microsoft world and step into the real

> world every once in a while or you're limiting yourself.

 

 

I live in the real world. I manage networks for a living. This includes

managing the network security for a government contractor who gets audited

for security yearly. I use real firewalls (not software firewalls) every

day. The networks I manage use many products and OS's, other than

Microsoft's, that do DNS lookups. Here's what happened with the DNS changes.

Windows was using DNS as it was supposed to be used. A flaw was found in the

way DNS communications work. This flaw had nothing to do with Windows. All

of the major networking hardware and software developers were made aware of

this and as a group decided to make a change in the way DNS communications

worked to close this possible exploit. This change in the way DNS

communications worked meant some low level system files in Windows needed to

be updated. FWIW my Linux computers and some of the hardware firewall

appliances I manage also had some low level changes because of this as well.

The change was made and some Windows files were updated via Windows Updates.

At this point some versions of Zone Alarm barfed. I don't use Zone Alarm so

the rest of the story I gleaned from reading Zone Alarm forums and official

announcements. The Zone Alarm application noticed that some Windows files

had changed and decided not to allow these files to communicate to the

Internet. It wasn't anything in the way the files worked, merely that they

had changed, that caused the problem. Because these are system files Zone

Alarm doesn't ask about them. Clearing the Zone Alarm database so that it

would not think the files were changed fixed the problem. How is an OS

supposed to update itself if it can't change files? The way that Zone Alarm

monitors and responds to system file changes is flawed.

 

You have misquoted me. I never said "firewalls are all hype and snake oil".

I said "We can debate the effectiveness of software firewalls all day."

followed by "I think they're mostly hype and snake oil." Of course not all

firewalls are hype and snake oil. Software firewalls that advertise they can

stop malicious outbound traffic are. If you want to quote me anywhere,

including this forum, please quote me verbatim without changes.

 

Oh and by the way, I know of many people using both XP and Vista with

only the Windows firewall running on their computer. What am I supposed to

see happen? They have no more problems with malware than anyone else. In

fact the ones that I set up have almost no malware problems at all. Many of

them don't have a router (i.e. dialup) yet they don't have any problems with

malware. How will your preferred firewall solution help protect them better

than they are now? Maybe you could tell us exactly how their security will

be improved by using a different software firewall?

 

--

Kerry Brown

Microsoft MVP - Windows Desktop Experience: Systems Administration

http://www.vistahelp.ca/phpBB2/

http://vistahelpca.blogspot.com/
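
The failure mode Kerry Brown describes above, a program-control database that blocks a system file merely because it changed, is modelled below. This is an added example, not part of the original post and not ZoneAlarm's code; the class, the file name, the sample bytes and the update manifest (a stand-in for verifying the vendor's signature on the new file) are all hypothetical.

```python
import hashlib


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ProgramControl:
    """Toy outbound program-control table keyed on file hash (hypothetical model)."""

    def __init__(self):
        self.baseline = {}         # path -> SHA-256 recorded when the file was trusted
        self.system_paths = set()  # files the user is never prompted about

    def learn(self, path, data, system=False):
        self.baseline[path] = digest(data)
        if system:
            self.system_paths.add(path)

    def _on_mismatch(self, path):
        # Unknown or changed file: prompt the user, except for system files,
        # which are blocked without asking (the behaviour the post describes).
        return "block" if path in self.system_paths else "prompt"

    def decide_naive(self, path, data):
        """Any change to a trusted file counts as suspicious."""
        if self.baseline.get(path) == digest(data):
            return "allow"
        return self._on_mismatch(path)

    def decide_update_aware(self, path, data, update_manifest):
        """Re-baseline a changed file only when the updater vouches for its new hash."""
        new = digest(data)
        if self.baseline.get(path) == new:
            return "allow"
        if update_manifest.get(path) == new:
            self.baseline[path] = new  # legitimate update: trust the new build
            return "allow"
        return self._on_mismatch(path)


def demo():
    # Constructed sample data, not real Windows files.
    path = "dns_client.bin"
    old = b"constructed: DNS client, pre-update build"
    patched = b"constructed: DNS client, post-update build"
    tampered = b"constructed: DNS client, modified by something unknown"
    manifest = {path: digest(patched)}  # what the OS update says it installed

    results = {}
    pc = ProgramControl()
    pc.learn(path, old, system=True)
    results["before_update"] = pc.decide_naive(path, old)
    results["naive_after_update"] = pc.decide_naive(path, patched)
    results["aware_after_update"] = pc.decide_update_aware(path, patched, manifest)
    results["aware_tampered"] = pc.decide_update_aware(path, tampered, manifest)

    # The workaround from the post: clear the database and re-learn whatever is
    # on disk. It restores connectivity but trusts the current file unverified.
    wiped = ProgramControl()
    wiped.learn(path, tampered, system=True)
    results["relearned_tampered"] = wiped.decide_naive(path, tampered)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict}")
```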

Guest Stinger
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

 

 

"Root Kit" wrote:

>

> BTW, what you provided here lacks any technical arguments which makes

> you sound more like a salesman than anything else. So what security

> software company do you represent?

>

 

The same "software company" that includes common sense as part mission

statement Root Kit. Try reading the entire thread before you jump in taking

things out of context. It's boring when people do that.

 

Read back through the entire post before challenging my quotes from others.

 

Here's EXACTLY what Kerry said earlier word for word...

"There is no debating the fact that this flaw in the DNS system needed to be

patched and it needed to be patched immediately. This has nothing to do with

Windows."

 

Nothing to do with Windows??????????

 

Why didn't you copy and paste the most important part of my last post Root

Kit? You know the one...

 

"Why was the patch even produced by MS if there wasn't a "problem" with the

OS?"

 

PS - don't see you posting a static IP yet Root Kit... :)

Guest Kerry Brown
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

"Stinger" <Stinger@discussions.microsoft.com> wrote in message

news:88C199ED-4893-4EB2-81F3-1053114DB96A@microsoft.com...

>

>

> "Root Kit" wrote:

>

>>

>> BTW, what you provided here lacks any technical arguments which makes

>> you sound more like a salesman than anything else. So what security

>> software company do you represent?

>>

>

> The same "software company" that includes common sense as part mission

> statement Root Kit. Try reading the entire thread before you jump in

> taking

> things out of context. It's boring when people do that.

>

> Read back through the entire post before challenging my quotes from

> others.

>

> Here's EXACTLY what Kerry said earlier word for word...

> "There is no debating the fact that this flaw in the DNS system needed to

> be

> patched and it needed to be patched immediately. This has nothing to do

> with

> Windows."

>

> Nothing to do with Windows??????????

 

I stand by the statement. The flaw itself had nothing to do with Windows. It

was a flaw in the DNS communications protocol. Windows was using the

existing protocol which was flawed. This meant that Windows had to be

changed to work with the new protocol or it would be vulnerable. How is this

a Windows problem? It's a DNS problem that all developers that make products

that communicate with DNS servers have had to deal with.

 

I agree with Root Kit. You haven't provided technical details of how a

software firewall that does outbound monitoring improves security over the

Windows firewall. You haven't tried to refute the fact that Zone Alarm's

monitoring of and reaction to system file changes is flawed. You obviously

misunderstand what caused Microsoft to update the DNS client in Windows. I'm

done with the conversation unless you can provide us with some technical

reasons that back up your assertions. I like a good debate as much as

anybody but it's pointless unless you at least try to back up your

statements.

 

--

Kerry Brown

Microsoft MVP - Windows Desktop Experience: Systems Administration

http://www.vistahelp.ca/phpBB2/

http://vistahelpca.blogspot.com/

Guest Root Kit
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

On Fri, 18 Jul 2008 15:10:03 -0700, Stinger

<Stinger@discussions.microsoft.com> wrote:

>Why didn't you copy and paste the most important part of my last post Root

>Kit? You know the one...

 

You mean the one where you avoided answering what would happen to the

machine protected with "just" the windows firewall?

Guest Stinger
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

 

 

"Kerry Brown" wrote:

> "Stinger" <Stinger@discussions.microsoft.com> wrote in message

> news:88C199ED-4893-4EB2-81F3-1053114DB96A@microsoft.com...

> >

> >

> > "Root Kit" wrote:

> >

> >>

> >> BTW, what you provided here lacks any technical arguments which makes

> >> you sound more like a salesman than anything else. So what security

> >> software company do you represent?

> >>

> >

> > The same "software company" that includes common sense as part mission

> > statement Root Kit. Try reading the entire thread before you jump in

> > taking

> > things out of context. It's boring when people do that.

> >

> > Read back through the entire post before challenging my quotes from

> > others.

> >

> > Here's EXACTLY what Kerry said earlier word for word...

> > "There is no debating the fact that this flaw in the DNS system needed to

> > be

> > patched and it needed to be patched immediately. This has nothing to do

> > with

> > Windows."

> >

> > Nothing to do with Windows??????????

>

> I stand by the statement. The flaw itself had nothing to do with Windows. It

> was a flaw in the DNS communications protocol. Windows was using the

> existing protocol which was flawed. This meant that Windows had to be

> changed to work with the new protocol or it would be vulnerable. How is this

> a Windows problem? It's a DNS problem that all developers that make products

> that communicate with DNS servers have had to deal with.

>

> I agree with Root Kit. You haven't provided technical details of how a

> software firewall that does outbound monitoring improves security over the

> Windows firewall. You haven't tried to refute the fact that Zone Alarm's

> monitoring of and reaction to system file changes is flawed. You obviously

> misunderstand what caused Microsoft to update the DNS client in Windows. I'm

> done with the conversation unless you can provide us with some technical

> reasons that back up your assertions. I like a good debate as much as

> anybody but it's pointless unless you at least try to back up your

> statements.

>

> --

> Kerry Brown

> Microsoft MVP - Windows Desktop Experience: Systems Administration

> http://www.vistahelp.ca/phpBB2/

> http://vistahelpca.blogspot.com/

>

>

>

>

 

And I've yet to see anyone answer the most important question, you include

Kerry..

 

"Why was the patch even produced by MS if there wasn't a "problem" with the

OS?"

 

Windows has to be changed to work with the new protocol? So either there

was something wrong with Windows before or after the new protocol was

invoked...which is it? Can't have it both ways. If everything was fine

before the new DNS protocol was invoked, we're right back to my question

above. You don't need to have technical expertise to see when people dance

completely around a subject folks.

Guest Root Kit
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

On Fri, 18 Jul 2008 16:00:03 -0700, Stinger

<Stinger@discussions.microsoft.com> wrote:

>And I've yet to see anyone answer the most important question, you include

>Kerry..

>

>"Why was the patch even produced by MS if there wasn't a "problem" with the

>OS?"

 

Why should anyone bother answering a question which exists only in

your head?

>Windows has to be changed to work with the new protocol?

 

Just like all the other platforms.

>So either there was something wrong with Windows before or after the new protocol was

>invoked...which is it? Can't have it both ways. If everything was fine

>before the new DNS protocol was invoked, we're right back to my question

>above.

 

Seems like you're talking to stay awake.

>You don't need to have technical expertise to see when people dance

>completely around a subject folks.

 

That's true. Everyone can see that's what you're doing.
