The following allegations piece together various components
of our product and make the rather paranoid claim that
our product somehow "spies" on the user and "secretly" reports back to
Network ICE. These allegations are wrong.
Many of these allegations are based on the surprising
discovery that our products can report (via HTTP) information
to a centralized console called "ICEcap",
which can then store it in an SQL/ODBC database. An easier
way to discover this would have been to read our documentation
or website rather than trying to reverse engineer the code.
(Actually, simply looking at the ICEcap
tab in our configuration screens would indicate this.)
However, the allegation that we report anything other than
intrusion event information is false. It is also false that
our products report anything without the user explicitly configuring
the system to do so.
In fact, all ICEcap reporting is disabled in the home-user product;
this feature is only enabled for corporate customers. However,
we plan in the future to allow customers to report
to what we call our snitch server, which
will allow us to track hacker activity across the Internet.
A bug in v1.9.4 meant that if the user clicked on the ICEcap
tab, the product would attempt to add these parameters to the configuration
file, and would then attempt to verify (resolve)
the DNS name snitch.networkice.com.
While this version shipped for only a few days before we released
an update, for some reason that version has been widely pirated.
These software pirates are paranoid that we are somehow "snitching"
on them. We don't (in fact, we can't).
Finally, the person posting this message has sifted through
our executables looking for text embedded in the program,
looking for any text that can be interpreted in
a paranoid manner.
For example, Windows GUIs (like BlackICE.EXE)
that read .ini configuration files (like "blackice.ini") use
the Win32 function GetPrivateProfileString. This is a
well-documented function; just search through Microsoft's
Win32 programming manuals or search for the function
on the web. However, the word "private" hints at something dark
and mysterious that we might be doing in order to discover
private user information, which is of course incorrect.
Similarly, the product has many "hidden" windows. Most applications do
this. For example, the background service "blackd.exe" must create
a window in order to receive Windows system events, but it is not supposed
to display anything on the screen. What is even more amusing is that
you can see the "blackd.exe" service listed in the Task List. The claim
is that we are somehow "hiding" our service (because it doesn't have a window),
even though we haven't hidden it from the Task List. Note that
most hacker programs do indeed hide themselves from the list, which
must mean we aren't very good hackers :-).
In any case, there is an extremely easy way to verify this: put a
packet sniffer on the wire (on a separate machine, not the one running
the product) that eavesdrops on your network connection.
Even assuming that we could take over your entire machine and completely
hide our activities (as the claims suggest), there is no possible way
to transmit something from a machine that a packet sniffer on the wire cannot
catch.
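The sniffer check suggested above, worked through offline as an added example (this is not Network ICE's code and not part of the original page). It parses raw Ethernet/IPv4 frames, as a libpcap reader would hand them over, and reports the two things the allegations would have to produce on the wire: DNS lookups (such as the snitch.networkice.com resolution the v1.9.4 bug caused) and outbound TCP connection attempts (such as an HTTP report to an ICEcap console). The frames, addresses and ports in it are constructed so the script runs without a capture file; no checksums are computed since the parser does not verify them.

```python
"""Offline check for the traffic a sniffer on the wire would catch:
DNS queries and outbound TCP connection attempts (SYN without ACK).
Added example, not Network ICE code.  Input is a list of raw Ethernet
frames; the sample frames at the bottom are constructed, not captured."""
import socket
import struct

ETH_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def _ipv4(frame):
    """Return (src, dst, proto, l4_payload) for an IPv4 frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4            # header length in bytes
    proto = ip[9]
    src = socket.inet_ntoa(ip[12:16])
    dst = socket.inet_ntoa(ip[16:20])
    return src, dst, proto, ip[ihl:]


def _qname(dns):
    """Decode the first question name of a DNS message (queries use no
    label compression, so plain length-prefixed labels suffice)."""
    labels, pos = [], 12                # skip the 12-byte DNS header
    while pos < len(dns):
        n = dns[pos]
        if n == 0:
            return ".".join(labels)
        labels.append(dns[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return None


def wire_events(frames):
    """Return a list of ('dns', src, name) for DNS queries and
    ('syn', src, 'dst:port') for outbound TCP connection attempts."""
    events = []
    for frame in frames:
        parsed = _ipv4(frame)
        if parsed is None:
            continue
        src, dst, proto, payload = parsed
        if proto == PROTO_UDP and len(payload) >= 8:
            dport = struct.unpack("!H", payload[2:4])[0]
            if dport == 53 and len(payload) > 20:
                name = _qname(payload[8:])   # strip the 8-byte UDP header
                if name:
                    events.append(("dns", src, name))
        elif proto == PROTO_TCP and len(payload) >= 20:
            dport = struct.unpack("!H", payload[2:4])[0]
            flags = payload[13]
            if flags & 0x02 and not flags & 0x10:   # SYN set, ACK clear
                events.append(("syn", src, f"{dst}:{dport}"))
    return events


# --- constructed sample traffic (hypothetical addresses, not a real capture) ---

def _frame(src, dst, proto, l4):
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)      # zeroed MACs
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4


def dns_query_frame(src, resolver, name):
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + q + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 1025, 53, 8 + len(dns), 0) + dns
    return _frame(src, resolver, PROTO_UDP, udp)


def tcp_syn_frame(src, dst, dport):
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    return _frame(src, dst, PROTO_TCP, tcp)


SAMPLE_FRAMES = [
    dns_query_frame("192.168.1.10", "192.168.1.1", "snitch.networkice.com"),
    tcp_syn_frame("192.168.1.10", "10.0.0.5", 80),
    dns_query_frame("192.168.1.10", "192.168.1.1", "www.example.com"),
]

if __name__ == "__main__":
    for kind, src, what in wire_events(SAMPLE_FRAMES):
        print(f"{kind:4} {src:>15} -> {what}")
```

Against a real capture, read frames with any libpcap reader and feed them to wire_events; anything the product sends, DNS lookup or HTTP report, appears here regardless of what the host itself claims, which is the whole point of sniffing from a separate machine.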
Network ICE BlackICE Defender - SPY TOOL
Message: 27250
From: nils holgersson
Date: Tue Feb 01 13:13 CST 2000
Network ICE BlackICE Defender, one of the best-known anti-hacker tools, aggressively marketed now in almost any known computer magazine and technical literature, also famous due to its authors - and the company founders, three famous security experts from Network Associates (NAI), the parents of the best-known security products from the same NAI,
IS IN FACT A SPY TOOL, WHICH PROTECTS YOUR NETWORK/COMPUTER FROM EXTERNAL ATTACKS, BUT ALSO SPIES ON YOU, IN THE BACKGROUND, SENDING YOUR MOST SENSITIVE DATA TO AN IP ADDRESS LOCATED ON A SERVER BELONGING TO Network ICE Corp.!
YOU CAN ALSO HAVE INSTALLED OTHER FAMOUS FIREWALLS, FROM NAI, CHECKPOINT, ISS, NETGUARD, SIGNAL 9 SOLUTIONS; ALL ARE BYPASSED BY THE BlackICE Defender, WITHOUT ANY WARNING!!!
For those without any firewall, NetICE completely overrides any configuration made by the user/administrator regarding Internet access. If you configured, for example, a manually security-checked dial-up, BlackICE ignores it and breaks through, without any warning! Tests were made with telemodems, ISDN modems and cable/ADSL modems!
It seems that the founders of Network ICE Corp. had access to special information from Microsoft when they designed their BlackICE Defender, which exploits some secret backholes in the design of the Microsoft operating systems. Without any doubt, no private persons, but high officials from the US federal authorities, are well aware of these issues. It seems that this is one area where the US government wants to completely control and intercept any kind of Internet traffic and external networks.
Programs like NetBus or Back Orifice are simply toys made by computer enthusiasts, compared to the lethal weapon which Network ICE Corp.'s BlackICE Defender is in fact!
The simple fact that it can break through the most powerful firewalls existing on the market today, and is marketed as a security guarantor for your network/computer - which is true - BUT... also spies on your network with an unprecedented level of sophistication, is really icy.
For those interested, some details (BlackICE 1.94): --------------------------------------------------
|
These numbers refer to offsets within the file; e.g. the hex value A0 represents decimal offset 160. The
author of these claims is looking at the raw ASCII strings at these offsets and making
assumptions about their meanings. The file "setup.ins" is shared by ICEcap/ICEpick/BlackICE,
so the author is finding strings unrelated to BlackICE. Many of the strings the author
is worried about, such as GetPrivateProfile, can be similarly found in other programs.
Note that the UNIX program "strings" is an easier way to list all our "secret" strings
within the product. Note that such "decompilation" may be against the
license agreement.
|
1. decompile setup.ins and check the following addresses: 000000a0 to 00000330, 00000970 to 000010f0, 00003870 to 00003a80,0003fb0 to 00004180, 00004a60 to 00004eb0.
2. check blackd.exe at addresses:
0006cf20 to 0006e180,
0006e330 to 0006e530,
0006fde0 to 0007e30,
00070ca0 to 00072060,
000722e0 to 00072390.
3. check in blackd.log the following: heartbeat, heartbeat.traffictimeout,
heartbeat.interval, heartbeat.lastcfg, trust.issue + the other rows.
NetICE monitors when the computer is unattended and starts the connection to the
Network ICE Corp. server; if you come back and start working, BlackICE
disconnects in the background and automatically changes the waiting time for the
next attempt to reconnect to the Network ICE server (the heartbeat.interval parameter).
4. Also, NetICE temporarily disables the protection against external attacks when
the tcpprobe (the signature) of the attack comes from the Network ICE
server (see exclude.issue = 2000413 2000412 2000304 in blackice.ini).
5. check in blackdll.dll the following addresses: 00010810 to 000109b0, 00014380
to 00014ac0 (literally the content of your registry is sent to the Network ICE
server - so they know exactly your identity and the content of your computer).
6. check also blackd-old.log
7. check blackdrv.sys at addresses: 00006800 to 00006b80,
00007760 to 00007b40 .
8. check blackice.exe at addresses: 0002d690 to 0002e640,
0002fbe0 to 00030330.
9. Network ICE assigns to you a unique identification code (from their database), which
can trace your computer, EVEN IF YOU HAVE PHYSICALLY CHANGED THE INTERNET CONNECTION
OR PROVIDER AND SUBSEQUENTLY YOUR REAL IP ADDRESS!! (check guid.txt:
{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}).
10. check sigs.ini.
11. Try to stop manually the hidden service: Blackd!
Well, the system JUST REBOOTS!!! YOU CAN'T STOP IT! ONLY
COMPLETELY REMOVING IT FROM THE SYSTEM AND SEARCHING IN THE REGISTRY FOR
ANY KEY ("Network ICE", "Net ICE", "ICE", "Black") AND DELETING IT
helps to completely clean your system!
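The offset-inspection step the post describes (items 1, 2, 5, 7 and 8), and the "strings" shortcut the interjected note recommends, reduced to a small scanner as an added example; this is neither the poster's nor Network ICE's code, and the "binary" it scans is a constructed blob with a few strings placed at known offsets so it runs offline. It prints printable runs with their hex offsets exactly as the post cites them (000000a0 is decimal 160), and lets you grep for a list of worrying substrings. The caveat the note makes also shows up here: finding "GetPrivateProfileString" or a hostname in a file proves only that the bytes are present, not when or whether the code uses them; for that you need the sniffer check above or a debugger.

```python
"""strings(1)-style scanner over offset ranges, as an added example.
Not BlackICE code.  build_blob() returns a constructed stand-in for an
executable so the functions can be exercised without the real files."""
import re

# Runs of at least 4 printable ASCII bytes, like `strings -n 4`.
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")


def ascii_strings(data, start=0, end=None):
    """Return [(offset, text)] for printable runs starting in [start, end)."""
    end = len(data) if end is None else end
    return [(m.start(), m.group().decode("ascii"))
            for m in PRINTABLE.finditer(data)
            if start <= m.start() < end]


def grep_strings(data, needles):
    """Map each needle (case-insensitive) to offsets of strings containing it."""
    hits = {n: [] for n in needles}
    for off, text in ascii_strings(data):
        for n in needles:
            if n.lower() in text.lower():
                hits[n].append(off)
    return hits


def build_blob():
    """Constructed 512-byte 'executable': non-printable filler with three
    strings planted at hypothetical offsets (0xA0 = 160, 0x100, 0x1C0)."""
    blob = bytearray(b"\x00\x01\x02\x03" * 128)

    def put(off, s):
        blob[off:off + len(s)] = s.encode("ascii")

    put(0xA0, "GetPrivateProfileString")   # Win32 .ini reader; in many programs
    put(0x100, "blackice.ini")
    put(0x1C0, "snitch.networkice.com")
    return bytes(blob)


if __name__ == "__main__":
    blob = build_blob()
    # Same range notation as the post: "check ... at addresses 000000a0 to 00000330".
    for off, text in ascii_strings(blob, 0xA0, 0x330):
        print(f"{off:08x}  {text}")
    print(grep_strings(blob, ["snitch", "privateprofile"]))
```

To run it over a real file, replace build_blob() with open(path, "rb").read() and pass the post's offset pairs to ascii_strings; the output is the same list the UNIX strings command would give you, only restricted to the cited range.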