Feeds

Steve Gibson picks a fight with Microsoft and The Register

Loud and security-ignorant the pair of us

  • alert
  • submit to reddit

Build a business case: developing custom apps

Security consultant Steve Gibson - whose claims that Microsoft's latest OS, Windows XP, will destabilise the Internet we have covered extensively - has posted another DDoS diatribe following a conference call with the Beast of Redmond's security team.

In an extremely rare occurrence, however, The Register has been clumped with Microsoft and both received a barracking at his hands [isn't that our job? - Ed]. Well, more precisely Thomas C Greene has been clumped with MS.

Claiming that his concerns and complaints about XP have fallen on deaf ears, Steve Gibson states: "and thanks to many other loud and equally security-ignorant voices which are attempting to confuse the industry on this topic, Microsoft shows no intention of responding to this now very visible threat" with part of the text hyperlinked to one of our stories.

Which one? Er, that'll be the "Steve Gibson really is off his rocker" story. This reporter (me) extensively covered Gibson's claims that XP would enable huge denial of service attacks over the Internet due to its implementation of raw sockets.

This will enable hackers to direct spoofed IP packets at particular sites. The theory runs that since XP will have such a huge uptake with technically illiterate people, hackers will be able to load Trojans onto hundreds of machines and then direct them at will. Hence XP will bring down the Net.

Thomas - who does know a thing or two about security - remains utterly unconvinced by this argument however. As he puts it: "malicious kiddies can already take over Windows machines with Trojans like SubSeven and use them for heavy packeting without the owner's knowledge. Raw socket functionality does not in itself make a machine more or less vulnerable to such infection.

"Furthermore, malicious operators can already do heaps of packet damage using Windows clients without spoofing. Gibson is right that spoofing makes packets nearly impossible to filter, but filtering isn't the answer to a severe packet attack, as anyone who's had to deal with one can attest."

In short, Gibson is "talking absolute bollocks".

So, what does Steve have to say about Thomas' comments. Not much, sadly. The inclusion of the story does seem to calm him down however. Starting with a very angry "Microsoft knows nothing about security and are a bunch of idiots" stance, by the time The Register makes an entrance, Steve has put on his reasoned hat and concluded: "Even though perfect security may be - and probably is - impossible to achieve, increasing the difficulty of criminal exploitation is a worthwhile and effective deterrent."

So there you have it. Check it out for yourself here. Ironically, we found out about this latest installment from receiving an email from Steve sent to email group "My press friends". ®

Related Link

Steve Gibson's latest diatribe

Related Stories

Steve Gibson really is off his rocker
Windows XP will make Internet unstable - top security expert
Everything you wanted to know about DDoS attacks
Security expert waves DDoS white flag
Network ICE CTO responds to further BlackICE criticisms
Network ICE hits back over Gibson jibes
Security expert waves DDoS white flag
Everything you wanted to know about DDoS attacks

Next gen security for virtualised datacentres

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Scale data protection with your virtual environment
To scale at the rate of virtualization growth, data protection solutions need to adopt new capabilities and simplify current features.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?