NOW SpinRite 6.1 – Fast and useful for spinning and solid state mass storage!

FREE Internet Security & Privacy Enforcement Resources
brought to you by Gibson Research Corporation

The Controversy Over the Recurring
Misuse of Ben Brady's Firewall
Log Reporting Utilities

The BIG Question:

Does Internet-connected software have
a Social Responsibility for its actions?

Ben Brady, of Brady & Associates, implicitly says No.

I say YES — Absolutely.

We are at the beginning of a transformation in our information technology. A single global network is being created to interconnect all computers. The value already created from the beginning of this interconnection is so compelling that there is no longer any doubt that the world has been transformed forever, and that this transformation will continue.

Very soon, no computer will be an island. Computers everywhere will be connected to all others. The software running on those computers will set the character of the result. For the first time ever, software has a social responsibility for its own actions within this global network.

My recent — and unintentionally public — dispute
with Ben Brady serves as a perfect case in point:

A Bit of Background
After a day of increasingly tense private eMail back and forth with Ben Brady on Friday, March 5th — during which Brady threatened me with his attorneys and informed me that "I'd be sorry" — he then published a "press release" detailing his view of our private impasse, and containing a few carefully chosen bits from our private correspondence. This press release was eMailed to his products' several tens of thousands of users, then posted into the public USENET newsgroup '' with the subject line:

Gibson shoots first, asks questions later...

Throughout the weekend I hoped that this issue would quickly extinguish itself. But instead, Ben Brady's "press release" has spread rapidly throughout the Internet security community (as you'll see). During this time, my position has been without formal representation. Given the content of Ben Brady's note, it is no surprise that our office is receiving a flood of hate mail from angry people who consider me to be acting like a Goliath stepping upon poor David. But, as in any dispute among intelligent people, there is more than one side to the story. The following is mine:

Ben Brady's Statement
Since my response on this page, and my weekend's various discoveries, are consequences of Ben Brady's "Press Release", you should start there in case you haven't yet seen what all the fuss is about:

Steve Gibson, self-appointed Internet security guru, has
apparently decided to take on yet another crusade....

Every Cloud Has a Silver Lining: As you will see below, several
very important GOOD THINGS came out of a weekend fraught with
unsettling turmoil. I discovered a fantastic firewall logging utility
for ZoneAlarm . . .
and a similar one for BlackICE is on the way!

My Position
I regret using the term "idiot users" to refer to the users of Ben Brady's products. That was written two months ago, after we and our ISP had received yet another round of erroneous eMail "intrusion reports" generated by Brady's automated software utilities  . . . and I was upset. I reply to every last one of them since I feel that to do otherwise would be acting irresponsibly in the eyes of our ISP. We host the Internet's most popular Internet security testing facility — performing an average of 15,000 tests per day — so a certain number of worried firewall log readers is certainly to be expected. But that's not the problem . . .

I believe that providing powerful, but brain dead, automated eMail generating tools to uninformed users is the height of hubris and irresponsibility. It has an effect not unlike eMail viruses that now plague the Internet — empowered to automatically look up destination eMail addresses and generate specious eMail content.

But this is apparently the way Mr. Brady has chosen to pay his bills. While I disagree with the fundamental ethics of Mr. Brady's utilities, I had no complaint with them until the eMail they generate began harassing my company and my ISP. If the generation of such eMail was a good idea, you might imagine that this would be an obvious feature to build into any existing personal firewall in order to give it a competitive advantage . . . but no reputable firewall vendor would, or has, done so.

I explained to Mr. Brady that I consider his utilities to be defective because they incorrectly and irresponsibly interpret and judge the content of their users' firewall logs, portraying them as "intrusion attacks", then encouraging and facilitating the generation of specious "intrusion report" eMail.

Since contact by my security testing facility is user-requested and absolutely benign, EVERY PIECE OF EMAIL EVER GENERATED THROUGH THE USE OF MR. BRADY'S SOFTWARE — which declares our IP addresses to be the source of presumably deliberate "Intrusions" and further characterizes those who innocently visit our site as "Victims" (see the sample report below) — is incorrect, has never been correct, and will never be correct.

Furthermore, Mr. Brady has known of this problem with his software for at least two months and has repeatedly and adamantly refused to take responsibility and voluntarily correct the situation. I say "voluntarily" here, because in the public newsgroup over the weekend, Mr. Brady stated that he would repair his programs, as I had requested . . .

If I would pay him $20,000 to do so.

Here is a sample erroneous "intrusion report" typical of those being continuously generated by one of Brady's defective utilities. This eMail was subsequently addressed to and received by my company and my ISP:

I have recently intercepted information regarding an individual
allegedly subscribing to your service.  This information was
gained during an attempt to access my computer from an outside
source in a suspicious manner.

I have included the details of the intrusion attempt(s) below.

         Date:  2/25/2001
   Time (GMT): 19:39:46
  Intruder IP:
Intruder Port: 2892
    Victim IP:
  Victim Port: 25
    Transport: TCP

Please follow up on the information provided above. If you
require any additional information regarding the attack do
not hesitate to contact me. This information was gathered by
ClearZone Report Utility for ZoneAlarm. ClearZone Report

You'll note that whereas firewall logs label activity by "source" and "destination", Brady's program interprets and translates this into "Intruder" and "Victim".

Emailed reports of this nature, generated by Brady's utilities and sent to us and our ISP, have NEVER been correct, true, or accurate. (And who knows how many others, less easily heard than I, are being similarly harassed by Brady's defective software?!)

What Did I Ask of Brady?
You may now be grasping some sense of the degree to which Brady's public statement mischaracterized the nature of our dispute and discussion . . . but there's more.

Contrary to his repeated claims, I have not asked him — in any form or fashion — to censor the reporting of his utilities. I asked him to repair their defective operation (defined as I did to him) by presenting their user with a simple "Windows Dialog Box" mentioning that the firewall log entry they are viewing, and presumably believe represents "another intrusion", apparently originating from an Internet security testing activity requested by the user, in this case the one known as "ShieldsUP! at"

Brady flatly refused to make any such changes during our eMail interchange Friday, and continued to do so in the public newsgroup throughout the intervening weekend.

Finally, at my wits end, I explained to him that later this year we would be introducing an autonomous, background, daily security testing facility, known as "NanoProbe". I explained that I was extremely worried that this would tremendously increase the amount of erroneous eMail being generated through the use of his utilities and that absent any changes to correct their presently aberrant behavior, I couldn't see that I had any recourse other than making their non-use a clear prerequisite for users wishing to employ our future subscription service.

Because I knew that this was an extremely crucial issue for us both, because I wanted him to have plenty of notice, and since he had, by this time, threatened me with legal action and told me I "would be sorry" if I said anything derogatory about his software in public, I wanted to be very clear with him. So I stated this future problem in the clearest possible language — which you read in his public disclosure of our private conversation.

Where's That Silver Lining I Promised?
Late Sunday evening I received word that this controversy had jumped from the public USENET newsgroups into a popular and highly respected Internet security testing site "DSL Reports", so I headed over to see what was up. Here's a link to the discussion thread located there:

Steve Gibson - All Bent out of Shape??

I read through all of the postings there — about two pages worth at the time — and saw all of the damage being done by Ben Brady's, as yet unrebutted, public statement. At the end of the existing thread, I jumped into the discussion and explained more of the background, as I have here. The tone of the thread changed immediately when people were presented with a more balanced picture of the dispute. And I knew then that I needed to create this page in order to counter Mr. Brady's gross mischaracterization of the situation.

While reading through the online thread, I encountered one of the site's many resident Gurus (1555 posts on the site) who goes by the handle "Wildcatboy" and who has demonstrated his expertise at DSL Reports many times over. His initial posting in the thread was typical of many there at the time, and clearly demonstrated that he had no particular bias in favor of my present situation — as he knew of it from Mr. Brady. Excerpting, to characterize his first posting:

Posted by "Wildcatboy",  2001-03-04  at  09:48

" A case of swelled head it is. It's more like a joke to me. It's not Brady's fault that some people are idiots. ... So Mr. Gibson just in case you end up reading this thread I like the contributions that you've made but now you are just pissing me off. ... Now all we need is for someone to send Mr. Genius an email to come and read this thread. "

By wading through posts like that one, I learned that everyone there was already familiar with a fabulous firewall log analyzing and reporting utility I had not heard of before called "ZoneLog Analyzer".

Later in the thread, when "Wildcatboy" learned the details of my position relative to Mr. Brady's utilities, he downloaded a copy of Brady's ClearZone, examined it relative to the familiar ZoneLog Analyzer and — with his proven expertise in personal firewalls — in a publicly reported message to the group's moderator (see the thread), characterized Brady's ClearZone utility by saying:

"It's a Mickey Mouse program ..."

"Wildcatboy" subsequently fleshed out and explained the basis for his judgement about Mr. Brady's utilities:

Posted by "Wildcatboy",  2001-03-05  at  06:57

" Just a follow up on this whole issue. As I said I wasn't familiar with the product so in order to be more objective I downloaded and installed ClearZone. Now I know why people send more abuse letters with this software than they do with Zonelog Analyzer [ZLA] and trust me it has nothing to do with having or not having a warning.

The way I see it this is a program that basically changes the text format of the log to a fancy and colorful display and almost nothing else. ZLA is a far more superior software. Of course they let you point at an entry and ask and then they copy a standard text to your clipboard so you can paste it to your email program.

What puts ZLA ahead is the detailed explanation of the ports and what the actual scan means. It clearly educates people as whether or not they should fire off an email and that's something that Clearzone doesn't do at all. No wonder that people send far more complaints with Clearzone than they do with ZLA. Now I am even more convinced that a warning on the program is not the answer. Clearzone makes no efforts to educate the user and it's nothing more than a cut and paste program.

Steve, I believe Matt's software is a far better product and well worthy of more publicity. It is also updated every month which allows future modifications. I am not sure if Matt would be able to incorporate the ability to read other formats such as Winroute and Black Ice logs to his current software. It shouldn't be hard at all since the foundation of the program is already in place. If that is implemented Matt's software can singularly blow away all three of their [Brady's] products and the need for warnings are eliminated as well since the whole program is about interpreting the logs as opposed to just sending email. "

As you can see from Wildcatboy's "before and after" postings, he was originally every bit as poisoned by Brady's public statements about me as were so many others who encountered them. But then, judging NOTHING other than the relative merits of Brady's software, he came to thoroughly understand and support my position and arguments. (And we all agree that having the industry switch over to Matt's ZoneLog Analyzer would quickly solve the problems being created by Brady's utilities.)

The "warnings" Wildcatboy refers to in his posting above, would be clear if you were to read through the entire discussion thread at DSL Reports, as you are certainly welcome to do. But, essentially, Brady (and others who support him) have been contending that this is entirely a "user education" problem which can be solved by working to make users aware that not all entries in their firewall logs represent actual "intrusion attacks."

The difficulty with accepting this line of reasoning from Mr. Brady is that the entire function of his own software appears to be the parceling out of the deliberately inflammatory labels "Intruder" and "Victim." As we have seen from Wildcatboy's review, unlike ZoneLog Analyzer which significantly aids the judgement of its users, a functional evaluation of Brady's utilities concludes that they exist for the purpose of generating what is probably erroneous and inflammatory eMail.

I can't see why or how any well-informed and unbiased
observer could reasonably draw any other conclusion.

While Brady attempts to deflect responsibility with empty rhetoric about "educating the users" of Internet firewalls, the users' experience with Brady's software encourages exactly the opposite result.

In any event, the first bit of silver lining to have emerged from all this is the discovery (by me and my web site) of a really terrific, new, capable, and RESPONSIBLE BEHAVING firewall log analysis and reporting utility: ZoneLog Analyzer.

The product is currently at "finished late beta" stage and nearing its formal release. It may be freely downloaded and used — for no charge — at this time. Once Matt, the program's author, decides that it's ready for the world, it will become full-function shareware incorporating a little "nag" dialog to remind its user that with continued use comes an obligation to register and pay. Matt indicates that the cost of registration will be approximately $13 (US).

Needless to say after all of this, I love the idea of some reasonably priced, readily available, responsible alternatives, to Brady's software.

The second bit of silver lining, as disclosed within the DSL Reports thread, is that this discussion has stimulated the programmers and software developers over at DSL Reports to immediately begin working toward the provision of a similarly useful, comprehensive, and responsible utility (they believe it may be freeware!) for the BlackICE Defender intrusion detection system.

What About the Idea of User-Education?
For me, this is perhaps the most important issue to arise from this dispute. This site — GRC.COM — is the perfect platform and vehicle for educating Internet users about the real contents of their firewall logs and about the true nature of unsolicited inbound IP packets. Our site was instrumental in motivating millions of visitors to adopt personal firewall technology. Now we need to explain what all of that "Internet Background Radiation" (IBR) is really all about.

It is a complex topic, in need of a careful and concise explanation, with plenty of peer review. It is a need I will address at the first opportunity. In the meantime, in response to many people who felt that a clearer warning about the logging consequences of using the ShieldsUP! site would be a big help, I immediately (earlier today) added language to the pages to explain that the use of our system WOULD CERTAINLY RESULT in appearances in the user's firewall log, if any.

However, do YOU know whose site is at
 . . . just by glancing at the IP address?

Due to the realities of the problem, I hold out very little hope that the typical user running a poorly conceived, automated, firewall log processing program will take notice of our IP address when they are being told by that program that they are victims and that their system has suffered an intrusion. Wouldn't most people just press the "Blast 'Em" button?

Being realistic about the typical Internet user, any program that automates or aids in the generation of "intrusion reporting" eMail MUST ASSUME SOME RESPONSIBILITY for the veracity of the eMail that program helps generate.

For the program to do anything
less, is socially irresponsible.

Returning to the example we have used to highlight this issue:
I believe that Ben Brady foists HIS share of the responsibility off onto his users, then implicitly blames them, and their "lack of education", for the repeated misuse of his software.

When social responsibility is so simple for
a program to assume
, not accepting
that responsibility is unnecessary.

I think that makes it wrong.

In Closing . . .
Part of me wants to apologize for having to air my private dispute with Ben Brady in a public forum. That was never my intention. But as the Internet public's reaction so clearly demonstrated over the weekend, Mr. Brady's publicizing of our private dialog required clarification. However, mostly I am glad that this issue created the opportunity for us to examine another important issue relating to software and the Internet. That's what we often do here, and it's always worthwhile.

I believe that Ben Brady has been wrong about many things, one of them being that "I would be sorry." How could I be sorry when the ultimate consequence of this event will certainly be improved options, better software, and enhanced education for the typical Internet security concerned personal computer user?

No.  I'm not sorry at all.

To be kept informed about the development of this new breed of high-quality firewall log analysis and reporting utility, you are invited to join my eMail list. (Click the GRC Mail System icon below.) I never send mail unless I have something significant to report. In the entire history of the system, I have only ever sent seven mailings.

Jump to top of page
Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2024 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.
Jump to top of page

Last Edit: May 28, 2010 at 14:17 (5,104.72 days ago)Viewed 1 times per day