Doubt/Fear/Anger, and the trust component of software development and public use of the product

Hello…

And, I’m in agreement with one part of what Debunker says, here, about being able to trust Comodo and its applications, completely without questions or doubts, from time to time. The more you ask us to trust your software, the more you should be prepared to take on board criticisms and the sounds of suspicions in people’s posts. You’re digging deeply into our machines and saying, “Trust us!”

While I am well known to be speaking / viewing from a position of almost laughable ignorance in firewalls and how they work, it must also be said that Comodo is shoving deep-reaching, enthusiastic tentacles into just about every conceivable area of our privacy / security protection, on our computers and in their networks of all types.

If you want trust, please…show the trusters why they’re right to give you that.

Are we supposed to bring in the software in an atmosphere of automatic and unquestioning faith and trust? It would be great to be able to do that - not to mention head-spinningly stupid.

If you are asking us to do that, then - in all honesty - you ask too much!

Seeing such unprecedented (in my own 12 years, online) software production and driving keenness (alone) to get into so many areas of our computers’ security is the first spark likely to attract questions of trust.

The degree of that Comodo drive is a reasonably new phenomenon to many of us online.

While encouraging the public to use your protections, you are asking too much if you are suggesting that we (in the absence of adequate simplifications and explanations) never question those aspects that we find to be immediately unexplainable to us. Some of that will be down to our own ignorance, I know.

I’ve done the ‘hostile’ thing and it was wrong for me to have done it and it was handled very diplomatically. I recall that my ‘hostility’ was really fear…real fear that, like some blind fool, I may be trusting yet another agency that cannot be trusted. I’d already done that far too many times!

I’ve never met automatic trust - anywhere online.

I remember my sudden inward gasp when I first doubted a piece of Comodo’s software and FEAR…it really was!

Debunker could be said to have approached doing the ‘hostile’ thing here, too. But, maybe Debunker felt fear that he had misplaced some trust, also.

The doubt comes first; the fear comes next - THE ANGER FOLLOWS IN ITS WAKE!

Why is Comodo’s Firewall Pro not Open Source?

(Just guessing: frankly, it sounds like an open invitation to be copied by just about all other Firewall producers / developers, and an increased open door to hackers to exploit located coding weaknesses before you’ve had a chance to address all of them, I must say.)

Talk to us!
Inspire us to know!
Inspire us to be able to understand!

Help users to get there!

Wanting to love your products is easy - I already want to…but, loving them comes much further on!

Comodo may turn out to be the biggest thing that has happened to computers since the invention of the uu-u-uh…computer! It may help to view our feelings of agitation and occasional insecurity as being “First Decade Nerves”.

This reply may trigger a fresh thread in another section, I realise - but, it was the last few posts in this thread that made me feel that I had to post this: that’s the only reason why it’s here.

Ian.

TheGodSplinter, that’s an apologia of FUD; anyway, I don’t see any ill intention :).
I would like to suggest that you shorten that post to be less OT and duplicate its entire content in an appropriate topic in the general section, as I’m sure that many members are willing to share their point of view.

Please, if you are willing to create a new topic, give it a meaningful title.

Thanks,
gibran

Gibran…

a. What is meant by, “TheGodSplinter that’s an apologia of FUD anyway I don’t see any ill intention.”?

b. If I posted it in the General Section, as a thread-starter about doubt / fear / anger, and the trust component of firewall development and public use of the product - it wouldn’t be off topic, would it?

c. And, when I post about a subject as important as security, I almost always pick a meaningful title.

d. Also…there is no reason for it to be shortened.

Ian.

We want you to

Talk to us!

We want you to be
Inspired for you to learn!

We want to
Inspire you to be able to understand!

Hence this forum, where we can all interact and be open about everything. We never had, and never will have, any issues with people wanting to learn, understand and communicate with us. After all, this is why this forum exists! To aid understanding about Comodo and its products and to communicate with the community.

Melih

I understand that amongst some, publicly-released source code appears to be synonymous with the creation of trust. However, I’d like to know at what point ANY of the commercial firewalls for Windows have released proprietary code to the public? I’ve never seen any indication from any that they do that. And why would they? It’s their code. They wrote it. Why would they give it on a platter to their competitors to use freely, if it’s proprietary?

Regarding peer review, that’s not really something that comes into play for software development; it’s primarily purposed for publications (could apply to a theoretical text on computer security, but not an actual software application). Scientific and medical journals of various types, yes. Software, no.

I don’t personally feel that the argument is valid. It tries to bring unrelated elements to bear in a way that appears intended to discredit the target, rather than validate a testing methodology (given the lack of a precedent).

Comodo asks us to trust them. They respond in the forums and in their products, changing the ways they develop and release the product - they have proven this over and over again. They provide direct feedback, assistance, and support, and try to help users help themselves. They promote their products, but do not shove them down our throats. Is this in any way similar to the behavior of their major commercial competitors? I posit that it is not. Look at those companies, and compare to Comodo’s proven behavior. If in the end, any user does not feel a level of trust for any software they are using, their recourse is to remove the software from their computer and discontinue usage thereof. If they are unwilling to discontinue usage, they must still have some trust left…

LM

Look…

Let’s cut to the chase!

Is the statement in this thread’s title: "This firewall does NOT protect anyone - it is EASY to bypass" true, or false?

  • Does “…does NOT protect anyone…” seem a trifle extreme and sweeping to anybody else?

  • Is “EASY to bypass” a fact? (or a fallacy based on a user’s error in thinking / usage?)

Ian.

First of all, let me say I’m not a computer expert; so some might argue I’m not the most competent person to answer these questions. Well, you’re right. However, I feel I’m quite able to state my opinion, which is based on research and common sense.
I’m not the most paranoid computer user in the world, however, I always do my best to make sure I can trust the software I install on my computer. As I don’t have the technical understanding to test software myself (other than using e.g. leak tests from other sites, etc.) I always put a lot of effort into research. I think I’ve read almost every test / user experience that was published on the net (at Wilder’s and similar sites, PC magazines, download sites, …) prior to installing CFP; and I did it for every new version I installed.
CFP has always been highly rated and most of the criticism I came across was that it was too noisy, a firewall for the paranoid, etc., but almost everyone agreed that it was one of the most secure.
Comodo, 1 - sceptics, 0
I’ve hardly ever come across any posts that expressed any doubts concerning Comodo invading people’s privacy, and if so, those people were convinced by, IMHO, comprehensible arguments. If some people can only trust open source software, that is their problem. I’m with Little Mac on this one; and I would never expect Comodo to make their code available to the public. Even more, I’m happy they don’t, as I think it’d make the firewall more vulnerable (but I’m not an expert - seems logical though). So again, the vast majority has no privacy concerns.
Comodo, 2 - sceptics, 0
I think that everybody agrees that even our beloved CFP is not bulletproof. However, CFP pro version 3 seems to be one giant leap into that direction (even as a beta). I’ve been using CFP, in various versions, for quite some time now and I’ve never been aware of any unauthorised connection to the internet by any software. Comodo has always alerted me (provided I had told it to do so by an appropriate rule). This is not something that can be said for other firewalls I’d used before switching to Comodo. For me, it’s the best I’ve ever used. I’ve always tested ‘my’ firewalls to the best of my abilities, have always read every review, test, and user experience that was published on the net, have always monitored the firewalls’ behaviours under different circumstances and CFP has outperformed them all. Comodo has always won to nil.
Comodo does protect everyone - it is not easy to be bypassed.
(R)
Cheers,
grampa (a believer)

If an apologia is a formal defense or justification and FUD is a way to influence public perception by disseminating negative information, then an apologia of FUD means a formal defense of a discussion style that carries Fear and Uncertainty and influences public perception. As a longtime Internet user you should be aware of the netiquette, which suggests a way to properly interact and express ourselves.

There are many ways to express our ideas and feelings that encourage an open-minded discussion in an honest and respectful way, in order to develop some topics further and have a chance to reach a new level of truth by means of cooperation.
Cooperation is one of the fundamental aspects of Trust. Trust is the base of an honest interaction.

Anyway IMHO trust doesn’t mean that someone has to act the way I want or to share the same ideas I have as I can trust someone that has another opinion and I can expect him to really believe in that.

As most of your post had no direct connection to a topic that belonged to the Leak Testing/Attacks/Vulnerability Research board, and had a likely chance of shifting the focus of the discussion onto another subject (thread-hijacking), I asked you to shorten that post and develop that subject in a new topic in the general section (which is fit for any discussion); anyway, on second thought, this child board (Please tell us your views and Vote here!) should do as well.

I suggested that you write a meaningful title and I added please. That was a simple and polite request, without any hidden meaning you may have guessed.

Regarding open source: as open source is only a licensing model, it does not imply intrinsic security; anyway, this doesn’t mean that open source is not secure, nor that closed source is secure. Strictly relating them is a logical fallacy.

As open source has other good features, I really appreciate it; anyway, there is no point in forcing open source.
On the other hand, I would really like to stress one point that IMHO is worth more attention, like interoperability and standardization.

Those software-related aspects can really improve enhancements and evolution, regardless of the licensing model.

As for egemen’s post in the originator topic, you should have already acknowledged the answer to this question.

Gibran…

Yes, I would have acknowledged it, had I the slightest idea what people were talking about for most of that thread: non-techs use firewalls, also. I gave up trying to understand right around the time when I realised that there was no simplification available, in the thread, or anywhere else.

Also…in Open Source, what guarantee would a user have that the REAL and final code was available, anyway? Would it not be easy for the developers to go on protecting the real code by releasing a crowd-pleasing, sanitised version, instead?

Ian.

I know that non-tech users use firewalls and security software; anyway, in order to achieve a good level of security, one needs to develop increasing tech knowledge.
There are priorities as well, so we all start from simple things and keep going until our interest wears off.

As for security in general, there is a need for support when one approaches it; this forum can answer those requests as well. Anyway, in the short term, and for users who devote their time to learning other things, the use of security policies is still widespread.

Security policies are usually good-practice behaviours in order to lessen security risks; they are tailored for specific user groups and usually change as the threats do.

Well, it’s not a thing that any user can do, but it’s possible to use the source code to generate a binary image (executable) and then compare it with the software (if the same compiler was used). Anyway, reality is a mixed bag, as we usually make a compromise to choose what we have to address ourselves and what we trust others to do for us. It’s a trial-and-error process which makes us stick with one solution until it proves effective.

Regarding the final code, one thing that could happen to small open source projects (sometimes there are also ONE-man projects) is that the actual code available for download is not updated.

This would be in violation of whatever Open Source licensing agreement they had signed up to. And whilst it wouldn’t be easy for non-technical users to tell, other technically minded users would know. Quite simply the source, once compiled, would not provide the same functionality.
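The compile-and-compare check that Gibran and Kail describe above (rebuild the executable from the published source with the same compiler, then see whether it matches what was shipped), as an added example that is not part of the original thread and not Comodo’s own tooling. The two "binaries" are constructed byte strings, and the "build timestamp at offset 8" is an assumed layout chosen only to show why an honest rebuild can still differ from the shipped file, and why a code change shows up past such known-varying bytes:

```python
"""Added example: compare a vendor-shipped binary against one rebuilt from
the published source. Sample inputs are constructed byte strings; real use
would read the two files from disk."""
import hashlib
from typing import Optional, Sequence, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a byte string (what you would publish/compare)."""
    return hashlib.sha256(data).hexdigest()


def first_difference(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first differing byte, or None if the inputs are identical.
    A length mismatch counts as a difference at the shorter input's end."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    if len(a) != len(b):
        return min(len(a), len(b))
    return None


def mask_ranges(data: bytes, ranges: Sequence[Tuple[int, int]]) -> bytes:
    """Zero out caller-supplied [start, end) byte ranges that are known to
    vary between builds (an embedded build timestamp, for example), so the
    comparison reflects code rather than build metadata."""
    buf = bytearray(data)
    for start, end in ranges:
        for i in range(start, min(end, len(buf))):
            buf[i] = 0
    return bytes(buf)


def compare_build(shipped: bytes, rebuilt: bytes,
                  ignore: Sequence[Tuple[int, int]] = ()) -> dict:
    """Report whether the rebuilt image matches the shipped one.
    Digests are taken over the raw files (what a user would see published);
    the match decision is made after masking the known-varying ranges."""
    masked_shipped = mask_ranges(shipped, ignore)
    masked_rebuilt = mask_ranges(rebuilt, ignore)
    return {
        "match": masked_shipped == masked_rebuilt,
        "shipped_sha256": sha256_hex(shipped),
        "rebuilt_sha256": sha256_hex(rebuilt),
        "size_shipped": len(shipped),
        "size_rebuilt": len(rebuilt),
        "first_diff_offset": first_difference(masked_shipped, masked_rebuilt),
    }


# Constructed sample images (assumed layout): an 8-byte header, then a
# 4-byte build timestamp at offset 8, then the "code". REBUILT_SAME differs
# only in the timestamp; REBUILT_CHANGED also differs in the code.
HEADER = b"\x7fELF\x02\x01\x01\x00"
SHIPPED = HEADER + b"\x00\x01\x02\x03" + b"code-code-code"
REBUILT_SAME = HEADER + b"\x09\x08\x07\x06" + b"code-code-code"
REBUILT_CHANGED = HEADER + b"\x09\x08\x07\x06" + b"code-CODE-code"
TIMESTAMP_RANGE = [(8, 12)]

if __name__ == "__main__":
    # Naive byte-for-byte check: fails purely because of the timestamp.
    print(compare_build(SHIPPED, REBUILT_SAME))
    # Same check with the timestamp masked: the rebuild matches.
    print(compare_build(SHIPPED, REBUILT_SAME, ignore=TIMESTAMP_RANGE))
    # A real code difference is still reported, with its offset.
    print(compare_build(SHIPPED, REBUILT_CHANGED, ignore=TIMESTAMP_RANGE))
```

The point of the masking step is the caveat in Gibran’s "if the same compiler was used": even with the same compiler, toolchains embed timestamps, paths and similar metadata, so a raw hash mismatch alone does not prove the source is not what shipped; a mismatch that survives after the known-varying fields are excluded is what actually needs explaining.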

hheeeyyy, what’s going on around here ???
and where’s the vote option ??? ;D

so Godsplinter, you ask for CFP code to be open source? we’ve already eaten the food for free, why should we ask for the recipe now? what’s the point?

Gibran/Kail…

Now, this stuff, I understand! :BNC


Ganda…

To the best of my recollection, I’ve pondered this Open Source issue, so far, from an admitted state of limited knowledge, and I’ve deliberately included questions about my own suspicions as to why developers may be ill-advised to do so.

I’ve heard Open Source described in words like, “See what you’re getting”, etc., but I couldn’t, hand-on-heart, complain about CFP’s code being unavailable until I know more about what is involved and what the pitfalls are. Even from an unenlightened user’s perspective, I can see that you can’t make good security better by making the ‘recipe’ something into which the enemy can peek, at their leisure.

If the battery of online testing methods is maintained and improved, then seeing the source might render itself not only pointless (for the programming / networking ignorant), but redundant, anyway, because the improvements would come along, and the bugs would be ironed out, at just the same rate as they would…were it never released.

I believe that I have made clear, in posts, that I see more reasons for NOT RELEASING THE SOURCE, than I see for releasing it.

Three weeks before I switched to Comodo’s firewall, I had bought the Kerio (Sunbelt) firewall. I liked how it behaved in the tests, but found that it failed to pass some of them. I saw, in a post on a message board somewhere, the name ‘Comodo’ and tried it. Within the hour, it was glued to my machines and it will remain that way until somebody with sufficient clout inspires me to do otherwise.

I won’t allow a computer, in this house, to run without it!

I felt that I had made a step upwards and that left me feeling so much more secure, I didn’t care about the money I’d spent on KPF.

When Debunker posted that dramatically titled thread (I know how easy a mistake that can be, personally - I’ve done it), my confidence’s ears just stood to attention. Somebody was chipping away at that confidence in terms I still couldn’t fully understand the nature of. What happened next was a flurry of almost impossible (for me) to understand techie-talk exchanges, and that became fertile ground in which my worries grew worse, due to my lack of understanding.

Run along a line of travellers in a queue, busily preparing their boarding passes, at an airport and shout, “This plane does not protect you from crashes - it’s EASY to bypass its safety features!” and you’ll find that you have their attention more than you could’ve imagined there, too.

What ‘Debunker’ said had my attention!

The issues in those exchanges still have my attention!

Ian.

But, in effect, Debunker said: If you have two PCs & only install CFP on one of them, then the other PC is completely unprotected! Shock-horror. 88)

Kail…

Personally, although I know little about this…I’d’ve wanted a copy of Comodo PF on the real and the virtual machine, and I’d’ve wanted it to be tested with that config’, given the nature of (and reason for) the 2nd machine’s “virtuality”, in the scenario given by Debunker.

Ian.

Hi Ian

Egemen (CFP’s developer) said that CFP 2.4 (the current release version) will catch VM network traffic if the option “Monitor other protocols than NDIS” is activated (off by default).

But, if I’m understanding you correctly… installing CFP into the VM environment? I believe CFP creates kernel level hooks (a defensive/protection measure) & this might cause problems. I guess it depends on how well the VM kernel matches the real thing. Try it & let us know. :slight_smile:

Explanation of Kernel.

Kail…

I had to laugh when I saw your post! (:TNG)

I would have difficulty understanding even what the VM actually is.

So, I loved it when you said, “Try it & let us know.” I was just adding theory and common-sense to the idea of leaving Comodo’s FP off the Virtual PC and then for those doing that to be wondering why there was an easy thoroughfare for information and/or leakage.

That was so flattering! You’ve given me a good day by assuming that I had more than a fleeting moment of knowing what all this was about!

Thanks, for that! (:CLP)

Ian.

Run along a line of travellers in a queue, busily preparing their boarding passes, at an airport and shout, "This plane does not protect you from crashes - it's EASY to bypass its safety features!" and you'll find that you have their attention more than you could've imagined there, too.
And that, Ian, is where the "FUD" comes into play. Why would someone run up and down the airport shouting that, if not to cause some fear in the other passengers? Granted, if we take the illustration apart too much, it won't correlate as well, but at the core there are more appropriate ways to voice a concern than that. The primary thing is approaching the right people, and presenting information/evidence in a calm, logical manner. If someone is going to make such an emotionally-charged accusation in such a public format, they should be prepared to be challenged on it. To give another illustration, if you accuse someone of a crime and cannot offer solid proof (or it's later found out that you were lying) you yourself are in danger of some time in jail (at least in the US).

It’s one thing for a user to point to what they feel is a security flaw/bug in Comodo’s product. That is actually desirable (when done in an appropriate manner) because it will help improve the product. It’s another for someone to run screaming past a line of people waiting to get the product (to use the illustration)… Fear. Uncertainty. Doubt. And yes, “does not protect anyone” does indeed seem rather extreme and sweeping.

LM