
Thank God someone's finally exposing this charlatan

Have you seen the latest vuln dev posts from this morning? Gibson's taking crap from all angles. Looks like consensus from the list is that he's pretty clueless and only out for PR. One of the few times I've seen that community bash someone else and kinda defend Microsoft!
--not signed

Hey Grandma -- fire up your Spoofarino and let's take out our ISP. It's OK -- Gibson said so!
--not signed

haha kick ass! we've been waiting for someone to write this angle.
--not signed

We know Kieran is in full troll mode at the moment, but I'm surprised at your affectation that you didn't realise that STEVE!!!! GIBSON!!!! is barking mad. Five minutes of scanning his (admittedly increasingly) bonkers site should make it perfectly clear. "EVIL SCRIPT KIDDIES!!! HIDDEN SERVERS ON YOUR PC SECRET GOVERNMENT CABALS!!! ONLY STEVE!!!! GIBSON!!!! CAN PROTECT YOU!!!!!!! WAAAH!!!!!!! GAAAA!!!!! YEEEARGH!" ;-) Kind regards,
--Colin MacDonald

Dear Thomas, Thank god that someone has finally put pen to paper (fingers to keys?) and written a decent article about Gibson's paranoia! As you say, reading his web site recently, it has turned from mild paranoia but with some useful tools into the rantings of a madman. His attack that every single teenager in the world will suddenly turn into a crazed script kiddie as soon as XP is installed on their machine is frankly ridiculous. DDoS programs are around now and the world isn't crumbling around us yet! I do think that he should let up on MS. Whenever they make their own standards people fall on them like a ton of bricks (quite rightly!). When they are now following other people's standards they get all this crap! Anyway, thanks again for speaking out against him. Until your article my claims that he was a bit loopy were falling on deaf ears!
--Charles Astwood

So he is going to write an application for Windows (pre-2000) that will use raw sockets. Yet he pretends this is difficult so he can say Microsoft is making it easy for malicious attackers on XP. My head is starting to hurt. Good article.
--weld

I just read your article on Steve Gibson's effort to denounce the raw socket implementation in Windows XP. I agree with him about the fact that this will give more power to script kiddies to do whatever they want, including spoofing packets in Denial of Service attacks. However, when it comes to DoS attacks, it is always the same classical scenarios that are discussed. I'd like to bring your attention to my whitepaper "Babel, DDoS of Biblical proportions" (available at www.geocities.com/floydian_99), in which I describe a new type of DoS that many Windows machines are vulnerable to as we speak. The raw socket implementation in Windows XP could be integrated into Babel to do spoofing, but it is not necessary. The way Babel works is quite simple: it simply integrates viruses that spread through the Outlook address book and pre-configured Denial of Service. The virus part takes care of distributing the DoS agent, and once a machine is infected, it simply starts bombarding the targets. Since Outlook-type viruses usually infect several thousands of machines, it is easy to see that the impact on global connectivity will be major. Babel does not exist yet in the wild, but after some tests, it should be so easy to make it happen that I am surprised that nobody ever thought about it yet. Thank you for your time.
--Floydman

Hello Thomas, And thank you for sounding off on this issue. It has perhaps occurred to you that if Gibson succeeds in developing his raw socket exploit, he will in effect have disproven his own point, whatever that is? Cheers,
--Rick Downes

That guy makes my brain hurt. I don't think I've ever met anyone "in the know" that doesn't laugh about Gibson.
--Marc Maiffret

People actually flamed you about that post?!? I really don't see the problem. What gain is it to the hacker to hack some newbie's computer? That isn't a challenge for them so they don't bother. Hacking M$ systems is a challenge and that is why M$ are so frequently hacked. So IF there IS any increase it will be in large companies' machines, who invest millions a year in security. LMAO. It WON'T be against the average home user. Anyway, I think you are totally right - if they can't even read to the end of a news article then they deserve to be humiliated (you should post all the names of the idiots who flamed you). PS - This Gibson bloke seems like a real nutter.
--mortensen

Of course Steve's attack won't help at all. Everyone that has no clue about existing security dangers is already a valuable target, like sub7 etc. As I recall Steve likes the 'quality' of older Microsoft products where it was impossible to fake the IP address. Having a working and correct IP address makes it easier to battle DOS attacks. Just let the router drop all packets from that IP address. If a program can build packets with a random (non-active) IP address, you won't be able to trace the origin of an IP packet. So I suppose Steve only tries to convince us that there will be one less method to fight DDOS attacks. Since he was able to track his attackers through their inability to hide their identity, he feels he has an obligation to protect the world. That's his problem. I see a nice possibility for Microsoft to incorporate a firewall that can easily be managed by users. Indeed give the man a holiday.
--not signed

Go Thomas! Go Thomas! Go Thomas! Give me a 'D'! Give me an 'I'! Give me a 'C'! Give me a 'K'! Put 'em together, what you got? 'Steve Gibson'!!!! Yaaaaayyyy! Repeat, ad nauseam....
--Paul Robinson

I enjoyed this. It's about time someone started calling "bollocks!" on Gibson. Everything I've read by Gibson has amounted to hype -- at best (for worse, read his NanoProbe page, or his Project-X page). What's remarkable is that I had colleagues that actually characterized this chump as a "scientist". The only thing I have any difficulty with is the designation security expert and security specialist with reference to Gibson, which the following piece of (anonymously submitted and still unpublished) errata addresses along with a few other problems with Gibson. cheers,
--munge

I'm in total agreement with you... Mr. Gibson has some technical skills, but the man is seriously nuts. He fails to mention that a) you have to have Administrator rights to create raw sockets in 2k/XP, and personally I think MS will pull an OS X and disable the Administrator login by default, and b) It *is* in fact possible to create raw sockets in Windows 98/ME/NT4. It may not be *natively* possible, but it's trivial, once Sub7 is installed, to download and install a raw packet driver and spoof the packets that way. The capability is there -- the only reason it's not used is that it's not necessary. If attackers can already shred a site's availability without spoofing, why bother?
--Eric Means

Thomas, I have to agree. What Gibson and MS both seem completely unable to understand is that it's neither raw sockets nor hostile code, but a nearly total lack of egress filtering in ISPs' routers *combined* with hostile code and lack of user education, no matter the OS. The first would prevent spoofing from getting out of an ISP's network and, if done at the edge, would keep most spoofed packets from ever even entering the main network; the last would eliminate most compromises; and elimination of the second would eliminate the first and last issues, but we both know that'll never happen.
--Rob

I think your assertion that he needs a holiday may be the most accurate one. Consider this: 1) he suffered a DDoS attack 2) he had to analyse pretty quickly what it was and why it took his site off the Net 3) he had to fight with the support process of his upstream providers to get someone to act on his recommendations (which were sound, but there is that interim step where you have to convince support to let you talk to someone who is capable of understanding what you say - and sees that you know what you're talking about) 4) he had to figure out a way to prevent recurrence - which is what brought us the (in my opinion) very valuable detective story. 5) he had to fight long enough to realise he was 'losing' the battle ('losing' is a relative term, I'd call it accept the problem and deal with it in a different way).

I'm the first to wince at the pyrotechnics used in his tale - I've been using the Net long enough to dislike visual shouting - but his research was good. Now, adding all of this up I can only reach one conclusion: Steve forgot about the 'count to 10' rule when posting on the Net, he's IMO still too upset about the whole affair (I know how I felt when I had to get hold of someone over a weekend ;-). The pain with email and web postings is that they end up being an immediate dump of your emotions at the time - and those may not be for consumption until you've cooled down. I think Steve's just gotten a tad too excited (British understatement here ;-) -- and depending on his character he may or may not realise this. I'm loath to declare him loopy - he reasons too well. But I think he's presently unable to disconnect emotionally from the issue (God, that's a consulting phrase, sorry) - which IMO harms the quality of his work and his image. Being excitable is not helpful in dealing with a direct or indirect attack and discredits all the good work. I sure hope he cools down - he sure needs a break ;-) Regards,
--/// P ///

Good article, but it took you all this long to notice Steve Gibson is off his rocker? Anyways, I add this gasoline to the conflagration: Apple just released a BSD based operating system. Forget LINUX, you have 1 million plus Macs a year rolling off the assembly lines capable of... oh the horror. No, seriously... Hrmm... ok, I haven't been able to take Steve Gibson seriously for 5 or so years..
--Scott

Hi As you have had so many flames relating to the original article written by Steve Gibson I thought I would write you one praising your article. Gibson is clearly a man possessed. I am not going to pretend I really understand the whole technical issue but the use of them giant fonts was enough for me. I did think where he wrote about some _kiddies_ getting together to perform anon DOS attacks made some sense but the man is still clearly mad. Is this all some guise to hide the fact he still has not got out his network 'scanner' 2 years after he first bragged he had discovered a new fast way of scanning thousands of ports simultaneously? I also have not forgiven him for recommending BlackIce Defender as the 'bee's knees' of personal firewalls, until he decided (a week after I bought it) it was crap and ZoneAlarm was the best. I still use BlackIce and it works well enough for me. Anyway this email was supposed to be about your articles. Thanks, they are well written and I enjoy reading them. More than I can say about the recent insane ramblings of Gibson.
--Paul J

Mr. Greene, I agree with you completely. Gibson is completely touting his own horn. To further your point, in Office XP (I realize that they are different products), Outlook disables basically everything that could possibly infect your machine. And there is no easy way to bypass this. So unless you are a complete idiot, if you upgrade to Office XP (somewhat forced now that you can't buy anything but XP), Microsoft has taken a step towards thwarting attacks, not increasing them. Also, since Microsoft based much of the IP connectivity in 2000 and XP on FreeBSD, it is much more reliable. And how often does Microsoft actually conform to someone else's standard, instead of trying to set their own? I think that for once, and only briefly, Microsoft should maybe be patted lightly on the back for this one. And yes, Mr. Gibson needs a long vacation.
--Glenn Hunt

I think I'd call Steve Gibson a 'self proclaimed security expert'. Security is a wide open area, so of course it's open to interpretation. But what has he done? He's tested PC firewall software. He's written a tool to check which hotfixes you've applied. He's discovered some spyware. He's written a tool which does a pretty half-assed port scanning job. I think we're giving him too much credit. Unfortunately, a lot of consumers who don't know any better are going to give him even more, because hey, he's a security expert. I asked Steve why he had included DHCP IPs in the list he had logged as attacking him. He replied that DHCP is not as dynamic as people think, it's dynamic in allocation, but stays after that. Granted, most ISPs have long lease times. But my point is that he's pointing fingers in public, but can't be certain that he's pointing at the correct people.
--not signed

Hi Thomas, I just read your June 25th article over at the Register (http://www.theregister.co.uk/content/8/19925.html) regarding Steve Gibson's claims about Windows XP. You are absolutely right about Steve Gibson. When I first read his article on XP I felt the same as you do. His complete ignorance of the fact that building raw packets is possible under older versions of Windows (and without the use of installing some sort of protocol driver to boot) baffles me. However I think he's shot himself in the foot with this article. To the more knowledgeable participants in the field of computer security he's discredited his name, showing that he is given to fits of what I would classify as paranoid hysteria. I would put him next to John McAfee in terms of generating needless hysteria-driven hype (http://kumite.com/myths/cvha/1996/pr1.htm). I know the next time I ever read something put out by Gibson that I'll be taking it with a grain of salt. And you watch, now that Gibson has come out with his highly-publicized attack on XP's support of raw sockets, someone will come along and write a bot that spoofs packets under earlier versions of Windows which Gibson has deemed as "secure" just to spite him. Such a zombie would be slightly less-than-trivial to create but not at all outside the reach of even the most amateur of win32 programmers given the number of libraries out there to do that very job. Of course, as you rightly pointed out in your article, the use of spoofed packets plays a very very small role in the DDoS show we are seeing. Filters are meaningless when you're dealing in the millions of kilobits per second. I wish Gibson had focused his efforts on something more worthwhile, such as the fact that these zombies infect open/insecure Windows clients and that, as Gibson himself found out, there are hundreds if not millions of insecure Windows clients out there just waiting to take part in the biggest show on the net.
--Eric Tribou

Hey Thomas, Great work you've done. Please keep it up. This is off the record -- [deleted, tcg]. Here's a great rendition of the Mickey Mouse attack on GRC by someone who really knows what he is doing. This is a very long and detailed analysis of the attack, but between the lines you can read very clearly: "Gibson is out of his mind and desperate. All these unpatched systems could have been patched, and real sockets has bollocks to do with it." Anyway, cheers and sincere hopes the Gibson Groupies don't drive you nuts! Cheers,
--Rick

Couldn't agree with you more about Steve Gibson's rant. I published a rebuttal of his nonsense on my site here: http://www.usethesource.com/articles/01/06/12/2157208.shtml on June 12. Nice article, thanks for talking sense.
--John.

Don't worry about Steve and WindowsXP. Steve has a notoriously short attention span. If you don't believe me check out his ASPI ME work.
--Chess

Dead straight.
--not signed

I read your article today and noted you mentioned that you got a lot of mail about the first article. Just thought you would like to know you aren't the only one taking the view that Gibson is wrong, see http://www.nthelp.com link about Gibson near the top of the page.
--Geo.

Yep, he's a loop. There are tools for normal windows that can allow spoofed packets. I.e. XP = no change.
--Ant

Finally someone who agrees with me! I've been trying to tell people this for years, I even wrote you guys about it a while ago... I can rest now
--jon

Hi Thomas Just wanted to say thanks for the excellent and very interesting GRC / Windows XP. Saw you were getting a few flames so wanted to add my support to your opinions here. It's refreshing to find a balanced view for once rather than the usual 'slag m$ off' trendy attitude that is so common on some sites. Just as a background I'm a Solaris sysadmin, but I mainly use Windows on the desktop and will probably continue to do so. Keep up the good work! And I think Steve Gibson really DOES need a holiday, his site is so unintentionally humorous. :-) Thanks
--Paul

I'm glad _SOMEONE_ is pointing out what a bizarre idiot Steve Gibson can be. This whole episode is nothing new for him, just more extreme. But it certainly all fits his pattern. In some ways Mr. Gibson seems to be a clever person. But he has technical knowledge gaps you could drive a supertanker through, an ego that dwarfs most suns and the apparent belief that the solar system does indeed, or at least should, revolve around him. It's time somebody mentioned that this particular emperor has never had any clothes.
--Arley Dealey

Thomas, I'm glad the Register has pointed out the absolute rubbish that grc.com has been spewing out over the past few months. I'm a bit shocked that you didn't point out in either of your two articles that Windows 2000 has supported raw sockets from the outset. This isn't the only piece of misinformation; their so called "leaktest" program simply tries to connect to a remote host on port 80, and apparently if your firewall doesn't stop this it is useless. As a side note, are you still supporting Peter Blobfield @ BT or has he stopped bribing you now? Regards,
--James Freiwirth.

Thank you for trying to shed light on the lunatic fear-mongering that Mr. Gibson has been spreading for years. "Spyware" beaming data to the mothership -- "Zombies" taking over the net. Please. I commend you for trying to educate the public (and putting up with the flames from Gibsonites) as to the madness he spreads.

While I recognize Gibson's technical expertise in the area of programming and assembly language, I agree totally with your assessment of his DDoS web page. In your article on The Register, "Steve Gibson really is off his rocker", you identify some of the key problems with his article. While being informative on one particular form of DDoS attack, his conclusions are far from scientific. The overall tone and style of writing are more something that I would expect from the National Enquirer or the Star [junk magazines here in the US with stories of women giving birth to three ton hippos, and zombies from outer space taking over the brains of people not wearing tin foil hats] than a scientific treatise on the anatomy of a DDoS attack. His style of sensationalism and not inviting peer review regarding his criticism of Black Ice Defender signify a mind that is under incredible duress and that is not fit to be writing a scholarly paper. In short, you hit the nail on the head mate: Steve Gibson really is off his rocker. Thanks for your criticism. It is only through peer review such as your article that we as security analysts and computer professionals can get at the truth, which is the ultimate aim of science.
--Kurt Oestreich

Hi, I loved the article you wrote on Steve Gibson: http://www.theregister.co.uk/content/4/19925.html. I couldn't agree more and being a security expert I can easily say I totally DON'T agree with him. Actually, he's not a security expert. He gained much success with his OptOut program (which he never even finished) and was able to write hype very well and still is. But that is it; his LeakTest and ShieldsUp tests are fatally flawed and produce either a false sense of security or a mass of confusion. The tests are very basic and simple. I don't recall anything he's ever done that would qualify him as an 'EXPERT' in security. Only an expert at hype and false promises to finish anything he starts. Seems that he runs a popular news server and takes advantage of his audience, who to the best of my knowledge are comprised of really unknowing people and the media ready to cover a story. Very few real experts listen to Gibson as he seems to be learning the ropes as he goes... Thanks for such a wonderful piece, I'm definitely a fan for life!
--not signed

Hey there, This just came in my email from the bloated windbag aka. Steve Gibson. You may have already seen this, but just in case: http://grc.com/dos/xpconference.htm 'Loud and security-ignorant.' geepers PS. Kudos, by the way, on the fantastic articles. Intelligence battling alarmist behavior. Much fun.
--Joe McGuire

I have been a hacker, I've also been a security professional, and hell anyone who does tech support for a cable modem company has the skill required to pull off the attacks he speaks of, and my location alone had over 800 people on payroll that are all fully capable of that... he's taking it WAY out of proportion & he forgets that windows XP also comes with a built in, AND the Insect security manager, which is supported by the server (your ISP's fault if it isn't) is damn near impenetrable, the firewall is active by default and this would cover most of the RAW SOCKETS vulnerability I say fuck the people that flamed you, have a good grasp on it, and secondly even if I DID disagree, you're still entitled to your opinion. In this case though I agree wholeheartedly ROCK ON!
--not signed

You write the truth, my friend. Your article sums up perfectly what I've been saying to my friends for over a month now. Steve has slowly and gradually gone bonkers over the last 5 years; check the rest of his website, specifically Project X (a physically impossible claim of his).
--not signed

I have to agree with your 25/06/2001 article on Gibson, the man is clearly delusional. One thing that bothers me is why he is being taken seriously enough to warrant, for example, a teleconference with Microsoft engineers. I don't see all the other web whackos out there getting equal voice. If it's of any interest, he is involved in some other unrelated (but equally misguided) endeavours; including excitedly shouting about an old and boring font rendering technology as if it's going to change the world, and some highly erratic ramblings about software being written in assembly and open-source software being the future, when in fact not a single piece of his software is actually open-source, and sane people started writing software in portable languages like C around the time of the birth of UNIX. Oh, all using lots of colours, bold, and large fonts, naturally. Mad.
--Tristan

hi! i've got a small question. how can he be occupied analyzing the DDoS he suffered from and Windows XP's imaginary threat to the Internet, if he's busy with writing more and more endless articles about that topic? have you noticed how long his articles are?! what i read at GRC sounds like WWII-style propaganda to me. BTW he noticed stuff about WinTrinoo2 on his site. IIRC WinTrinoo contains its own spoofing engine set up on NDIS. sheesh :) greets
--Tom Servo

Oh boy, do I know what you're talking about. Having had to talk a helldesk monkey with an MCSE through using DOS FTP the other day, I'm beginning to wish I had never gone down the official certification route. Perhaps I'm tainted by association. On a more serious note, I agree entirely with your comments about Steve Gibson and his contribution to the "hackers are going to take over the world and destroy all western (i.e. American) civilisation" debate. It is precisely this sort of ill-conceived hype that gets the wannabe techies in Congress and Parliament over here in a tizz, resulting in yet more restrictions to our general civil liberties in what we can and cannot do on the Internet. If Steve Gibson really wants M$ to produce a cut-down restricted OS, then perhaps he should go back to using, say, Windows 3.11 himself. The power that even novice users occasionally enjoy is precisely the sort of thing that he himself would use. If in response he'd state that it was only the full Sockets implementation he was referring to, then he has a problem on his hands. What other "useful functions" could possibly be used by devious black-hats to wreak havoc? Telnet? FTP? Ability to run a TFTP server? VBA to craft nasty viral or DoS applications? The list is quite large. Anyway, keep up the good work, and the excellent writing.
--Dan

I'm sorry, but Gibson is really showing his true colors as being a truly expert, highly-trained, totally legitimate knucklehead looking for his 15 minutes of fame to fuel his otherwise minuscule ego. I mean, he's coming across more as a little anklebiter that just won't shut up and go away....I wonder if he's part of the Net Authority Syndicate?? :) Steve Gibson = "The Nutty Analyst" ? Happy 4th!!!!
--rf

Mr. Greene, In response to your article on Mr. Gibson's "warning cry", I would like to say thank you. Sadly enough fanaticism is a very real disorder that affects the brightest of individuals to the dullest. It is my suspicion that Mr. Gibson also was struggling with pride, to the point he failed to see past his exaggerated and often incorrect notions. As with all "doomsayers" time will prove them to be nothing short of charlatans.
--James

I agree, Gibson is MAD
--MD

Yep! Another Death Wish!!! HERE IT IS! I HOPE THE DEBATE OVER RAW SOCKETS DIES!!!!! (not the people debaters...REPEAT, not the (human) debaters!) LOL! I thought I would grab your attention this way...Anyway, I am on the sidelines listening to you, Mr. Thomas Green, and Mr. Steve Gibson debate the issue over sockets...I honestly do not grasp the whole idea with 100% understanding....or even 50% but with your articles, I am learning a lot. I envy the knowledge and skill you and Steve have. I listened to the show (online tonight) last night and I wish the host would have let you and Steve go at it in better depth....Oh well, that's how the ball bounces I guess. LOVE THE ARTICLES but I wonder who is going to be able to point the finger at the other and say with glee, "TOLD YA SO!" I hope I have not offended you in any way with my attempt at humor....if so, SORRY BUDDY! Didn't intend for that to happen. Regards,
--webboss
Thomas C Greene, 09 Jul 2001

You both make good points, but we're still leaning in Steve's direction

See also: Thank God someone's finally exposing this charlatan Steve walks on water; you're a moron, and so's your old man In your article posted on www.theregister.co.uk, you make some interesting observations. I think many people failed to understand your point that Win XP won't necessarily increase the number of zombie boxes out there and Gibson seems to be missing the fact that with a large collection of zombie boxes can allow a script kiddie to basically do the damage, raw-socket support or not. On the other hand, I see the problem being with script kiddies who only have their parent's computer to work off of. If they send an attack from their computer (even a nuke) against someone who has a logging firewall and that person reports it, in all likeliness they'll get caught. I know that my own isp does take reports of attacks seriously and with them, three strikes and you are out. This is the problem that I see, more people who don't have access to a computer that they can install Linux on, but that can get Win XP install no prob (it's still WIndows), will no be able to commit the smaller attacks. Now this isn't as big a threat as Gibson's claim but it does warrant some concern since many people on the net still don't have personal firewalls. Just my two cents. Thanks for taking a look at Gibson's article from the other angle and pointing it out, I wouldn't have noticed it on my own. --David Leinbach I've read both your arguments and Steve Gibson's and I can understand both points of view. My personal opinion is that Raw Sockets should be limited to root or administrators. Why make a nasty situation worse if you can help it? There really isn't a true need for all the features of a full TCP/IP Stack for everyday internet use. 
In your article you wrote: "He shows contempt for Windows users, assuming they're all complete idiots (presumably with the circular argument that they must be morons because they're using Windows), and strongly implies that they can only hurt themselves with a fully-featured OS."

I think the unfortunate truth is that since nearly every PC has Windows on it and most people just use it as a tool, they give the appearance of being "stupid". I think it is simply a case of people not wanting to learn things about computers on the level that we do in IT. They just want to use it and get on with life. I can relate, since I really don't want to learn how our chemical engineers do their job and they don't really want to learn how to do mine. But, the bottom line is that you have to assume they just don't know any better and implement your systems to protect themselves. Not from stupidity, but from simple accidents. The users aren't stupid themselves and it isn't because they use Windows. If the majority of PCs had Linux on them the same problems would exist. Except that *nix systems don't just give out special privileges to everyone who uses them.

--Brian Reichert

Just a quick note, a small point. In your defense of uSoft and attack on Gibson you take the position that Gibson is over-reacting to the impending availability of raw sockets and that you are sure that the computer savvy of the world are just drooling at the real power uSoft is finally going to make available to them under WinXP. First, you and uSoft hasten to point out that anyone can easily add raw socket support to their existing OS. Then you declare that Gibson must imagine the world of computer users to be a pack of morons unable to maintain their own system integrity. Your final conclusion is that although XP really will make it easier to personally deploy or distribute Trojans that spoof IP addresses, any new risks are minor {pish-tosh Gibson - Take a vacation}.

I am relatively new to the programming community (approx 5 yrs), I develop private company software (not for public distribution), my involvement in security issues is minimal, I use the internet primarily for personal recreation and research, and I consider myself to be someone who stays reasonably well informed on a variety of current social issues and topics of personal interest. I do not consider myself an average computer user. Although I know that there are many computer people much more talented and experienced than myself, I still understand that your basic end user likes to be as ignorant about how their computer works as they are about how their T.V., radio, automobile ... hell, even their light switch works. And with that out of the way, here's 3 little words for you. ... I LOVE YOU ... I was the entry point that allowed that simple VB Script to infiltrate my company and down its e-mail server for the day... and wipe out megabytes' worth of JPEGs and valid VB scripts, some of which were on our internet developer's machine and represented hours of lost photo-editing work... and infect quite a few machines throughout the company which had to be cleaned. You know the profile of the person that started that fiasco. No code guru he. Just as I'm no computer moron, and yet between the two of us we did my company no small harm. My point is that you ARE engaging in hubris when you take such a strong stand against Gibson's cautionary tale. If you admit that XP will make DDoS any easier and if the intended audience is a generic personal computer user, then is it such a burden to yourself to pass up on one more included bell/whistle in XP, which is so easily installed if you want/need it, so that the rest of us don't have to worry about whether we've set all our properties and configurations just so to prevent this week's newest Trojan from incorporating our machine into some idiotic IP bashing just because we want to surf the web or e-mail jokes to our friends?

uSoft has a well established history of trying to be all things to all people. I never have any free RAM no matter how much I add. And Gates won't be happy until Windows is the only OS available in the world, so is it too much to ask that they look real hard before they take the leap for us all?

--DLynchE

I've just read yours and Steve Gibson's articles. I have not taken anyone's side. I do find it all interesting and would like to learn more about raw sockets in Windows XP. One thing though. Steve's articles seem to be more fact based, as yours seem to be based on his character & calling him loopy. I would like to see factual counter arguments. This would make Steve's statements less credible (I would think). At this time, though, I am leaning towards the pessimistic side - Windows XP = Security Swiss Cheese. I would specifically like to see something about this statement of his, which I did not see in your article anywhere or may have just missed.

[...] Because of the danger of abuse of full raw sockets, all other operating systems restrict its use to only the most highly privileged applications running with "root" privileges. But as we heard in today's meeting, the need to run Win9x legacy applications under Windows XP has forced the notion of "privilege" to be discarded and thus eliminated a crucial layer of protection. All Home Edition Windows XP applications will, therefore, be running as "root" . . . and a dangerous capability that was never meant to be globally available to all applications - and which ISN'T in any other systems which offer full raw sockets, which have retained the notion of "execution privilege", - has been made available to all applications. [...]

What is your take on the above comment? Thank you,

--Kirk Rexin

Hello, first I would like to say that you have some nice points... but: You write "an attacker first has to compromise a number of client machines with which to packet the target system." hmmm... Remember Trin00, TFN, etc...???
The *nix boxes were rooted with the sole purpose of DDoS attack; what makes you think that XP machines won't be? Look at these scenarios. If a huge site with downloads (such as those linked to by download.com) had a server rooted, all executable files could "easily" be infected with a trojan. Or simply going on IRC and finding some Sub7 hosts and setting up some spamming programs and hitting a huge amount of email addresses with "a new and exciting game". Or a "good old worm". Do you think that all 3 of these scenarios could be avoided? By the way, I would very much like to hear your arguments; please reply when you find the time ;-) Kind regards,

--Thomas Nielsen

Hello Thomas Greene, lately I've been following with great interest the discussion regarding the potential Win XP threat by allowing spoofed packet attacks because of its raw socket implementation. I share your opinion about Mr Gibson's paranoia, and his way of writing on the GRC website makes them look like the CNN of the hacker community. Although, I must admit it won't help you much calling him a loony and that kind of stuff :-) In my opinion this is more of a problem at the Internet Service Providers. I'm no expert at this, but couldn't this problem be very easily solved if ISPs set up a very simple filter on each of their subnets? Such a filter could for example trash all packets which had the following content:

- Bogus IP address of origin. This is easy to check for an ISP, since they would know that all packets coming from the foo.bar.net.x should have these numbers in the "sender" part of the packet.
- Packets that are big size and low wait could be tracked. If such packets appeared on a stream they could be rejected. Although, I don't know if any "legal" type of internet service would use such a packet framework; I don't think so.

It seems clear to me that the first of these counter measures should easily prevent packet spoofing from the ISP's customers. Of course, there will still be thousands of compromised machines out there used as zombies for sending non-spoofed packages, but that is more a general Windows problem. At least those can be tracked down and informed. Best regards,

--Erik Brenn

I just read your article (referred from the Gibson page), and while this is largely an academic matter to me, since I don't plan to get XP (for other reasons), there are a couple of questions that didn't seem to me to be answered:

1.) What is the utility (for me) of having these "raw sockets" in my home PC? (I seem to be getting along fine without them now.)
2.) If there isn't any added utility for me, why are they there, and what is the argument against removing them (irrespective of which of you is right)?

I've heard and read a lot about whether these things are dangerous or not -- what I haven't heard is why I should want them in the first place, even if they're perfectly safe.

--Jim Girard

Hi Thomas, I've just read your "Steve Gibson really is off his rocker" column, and in around 5 years of using the internet I have *never* bothered to write to a columnist before, but this time... I think you have a valid point, but the real problem is more subtle. And dangerous. Microsoft claim that "hostile code" is the real problem, and detail their efforts to prevent this. However, the statement that "... Windows XP is the most secure operating system *we* have ever delivered" (my emphasis) proves nothing. The standard is not hard to beat. The unfortunate truth is that (due to legacy problems) the raw sockets will be *much* more exposed than on another OS. And wide-spread XP will make them *much* more widely available for malicious use. And, yes, there are a lot more "unskilled" people using Windows than other OSes. This is mostly because, when people first get into PCs, they tend to pick the common format (Windows). This does not imply they are idiots. It just makes security on Windows much harder.

Anyway, the "subtle" problem I mentioned is this: Windows XP will be hacked and "spoofed" packet attacks will happen. The real issue is that Gibson (an 'expert') ONLY stopped the attacks by knowing the originating IP addresses. In other words, with a spoofed attack, he would:

1. NOT have been able to filter properly.
2. NOT have been able to track the attacking machines.
3. NOT have been able to locate a "zombie" to help solve the problem.

So, under a future XP attack he would have been helpless, and unable to track any of the infected machines. A future attack wouldn't be a "bit worse" but "totally destructive". And if you think that's not too bad, since the number of infected machines will be limited, then here's the real killer: If those infected machines aren't traced, then they won't be fixed. As time goes on, more and more infected XPs will be out there - creating bigger and bigger problems. That's why the number will increase. Even if Gibson is being paranoid, I still think giving raw sockets with less-protected access is like handing out loaded guns in the playground. Sure, everything might be fine, but WHY risk it? It's not worth it. Too many 13-year-olds might just try and see what happens if they pull the trigger. So please, please, reconsider what you said earlier, and encourage as many people as possible to pester Microsoft to drop this particular feature. Many thanks,

--Mark Hopkins

Hi there, I'm a regular Register reader, and I usually agree with what I read, or find it at least reasonable criticism of whatever issue is at hand. However, I must actually sharply disagree for about the first time in reading your site's content over the past year or two... Gibson isn't a paranoid delusional apocalyptic wanker. He is actually correct. Even if he's a bit off on the magnitude, the threat is very real and I need to correct some assumptions stated/implied in your article.
You see, I used to help run EFNet, the world's biggest IRC network, for a long period of years. I ran it enough to see attacks larger and longer than most people on the net (including, until a bit ago, Gibson, and including your staff perhaps... eep!). I also learned to step out of the spotlight and stop making myself a hard-ass target for the attacks. The attackers hold the cards... until mafiaboy got sloppy and someone documented his little fiasco with attacking CNN, and then coolio attacked a separate large company and boasted arrogantly... nobody had been "taken down" for LARGE scale denial of service attacks. When the largest network service providers in the world can say things like "Fuck! That's a gigabit smurf" in 1999... you have to wonder how much worse the automaton armies of the ambitious scriptkid can be. And, to make matters worse, the boxes involved in *those* attacks were not win32 boxes at all, but rather a large number of unsecured Linux, Solaris and similar such boxes. Win32 exploits tended to cause problems here or there, but most of the uses the kids found for such hosts were related to unsecured telnet/connection proxies, not large amounts of traffic. Getting (or even coding, with a small amount of skill or some other code to start from -- easy to get from a book or, say, the source to ping!) material to make a Linux/Solaris/... attack which uses spoofed traffic is and always has been trivial. It's all a documented, relatively uniform API, with underlying layers implemented for various fully legitimate reasons. Now, in Win32-land, this functionality has been incomplete by default. Given some snippets of code to do the spoofed attacking, of whatever kind, kids will have the weapons. The required counterpart in code will be some mechanism for taking control of the machine in question, remotely. Perhaps it'll just be distributed like some viruses as an executable attachment, or maybe it'll be a buffer overflow in IE, or whatever else. Once the kids find an easy way in, people really *should* be worried.

I must directly quote and respond to snippets of your article, as well:

> From that we infer that Spoofarino will enable Netizens to test whether or not their ISP allows them to send spoofed packets to Gibson's site. We imagine that any ISP which fails to filter outbound spoofed packets will be identified for a solid public shaming.

Given the ISP could be misrepresenting, say, the FBI or the White House via spoofed packets from deep within their networks, maybe they'll stop and take a moment to care.

> It sounds like a tool with which one could generate raw packets, though probably in a controlled manner. But if that's the case, it would lay much of the ground work for an EZ malicious version leveraging the very threat Gibson is decrying.

It sure does. But his publishing this tool first doesn't make him a villain. Hiding the idea is security through very weak obscurity -- the good guys out there with a clue know it's possible, and so do the bad guys. And, presumably, raw socket code in XP will be similar to, if not conforming to the same standards as, its UNIX counterparts. The real issue is that our country (and therefore most of the world) is not ready to deal with large-scale denial of service attacks. These attacks can and will intensify against various parties, as it will be trivial to do so, from boxes even less likely to properly log trails of attackers. The law enforcement community has been unable to cope with or care about these attacks, save cases as large as CNN and Yahoo!... and those are by far the exception to the rule. Having seen (large) attacks that lasted weeks, and having seen 100% complacent ISPs and tier one network service providers entirely ignoring the spoofing issue... people *are* in for a rude awakening. The pain in the ass those of us on the front lines in the IRC world felt for the past five years will become more mainstream -- the kids are already branching out and finding new targets. It'll get easier and it'll get worse. The sky is falling, the sky is falling. I need to get back to work. I hope you enjoyed my moderately coherent rant. And, for what it's worth, I work in the network software industry doing low-level development, so I have half a clue about the tech side of this stuff, too :)

--Fred Jacobs

But he'll probably write his exploit in assembler, like everything else he does, so the skiddies won't be able to use it ;-)!

--not signed

Tom, I think the tone of your story is a little off base. Steve Gibson has been able to back up his previous claims with solid evidence and proof. For example, his work on uncovering the blatant privacy violations by Real Networks and Netscape was first rate detective work. You cannot compare relatively sophisticated users of Linux and Unix with the mostly unsophisticated user base of Microsoft Windows users. Clearly putting the raw sockets capability out on 10's of millions of Windows XP machines is a disaster waiting to happen. Your point that a relatively sophisticated user can add raw sockets capabilities to their Windows machines through a third-party program is irrelevant because the overwhelming majority (99 percent plus) of Windows users would never do so. Those same 99 percent will not take the necessary steps to stop their machines from being used as slaves in D-O-S attacks. Clearly Gibson is correct in his assessment that tens of millions of new machines with IP spoofing capabilities is a major new threat to the Internet's stability. Best Regards,

--Michael S. Fredenburg

You said: "According to Gibson's paranoid delusions, everyone with a computer is a potential criminal, and the only reason the entire Net population hasn't yet exploded in some mass orgy of evil is because Microsoft has thus far refrained from unleashing the uncontrollable power of the raw socket."

I say: Windows is a security hole, ready to vacuum any virus or trojan that comes its way. If you read his site correctly, his concern is with the rogue programs that infect a vast number of machines called "Zombies". These programs are hiding on thousands of machines, waiting for a command from their malicious creator. When the command is issued, they flood some poor soul's machine with bogus packets, blasting them off the net. It is these "Zombies" that Gibson is voicing concern about, not the individual computer users! Giving a large number of computers on the 'Net the ability to spoof packets will make it harder to trace these attacks.

You also say (about Gibson's new spoof test tool): "It sounds like a tool with which one could generate raw packets, though probably in a controlled manner. But if that's the case, it would lay much of the ground work for an EZ malicious version leveraging the very threat Gibson is decrying."

I say: What groundwork? Spoofing packets using the standard sockets API has been known about for a very long time. The only thing Gibson's tool will do is to make ISPs aware of their lack of filtering. It can only help.

--not signed

I read your article, and I do see Gibson's and your points. I just really believe the sentence below shows you don't seem to get what Gibson is saying.

> All right, we'll allow that there'll be a few script kiddies who might prefer to use their Win-XP boxes for such purposes. But they can already do so simply by installing Linux and doing a bit of reading.

It's not the point if a script kiddie is going to install Linux and get the same spoofing ability that will be available when XP comes out.
He is making the point that there will be so many machines out there that are running XP that the script kiddie will have his pick and be able to install a zombie and be able to DoS and spoof using that XP machine. A script kiddie will not start doing DoS attacks from his machine, even if he has Linux; they are not that dumb. You also seem to think that a script kiddie is going to go thru the hassle to install Linux and do a bit of reading. Script kiddies don't do that; they just go to a web site, download a program and click a button. They will not put in the effort. The amount of XP machines that are going out there on a broadband connection is going to make it so easy for a script kiddie to DoS and be harder to trace. I do hope Mr. Gibson is wrong, but we will see. I know one thing: he is not going to win against Microsoft, they will not remove the feature and give in to Gibson. Mr. Gates has too high of an ego. Enjoyed your article.

--Robert Spinelli

Mr. Greene - I would be among the first to opine that Steve Gibson's writing style is often way off-the-wall. And I would also be among the first to applaud Microsoft for finally implementing some feature according to commonly-accepted standards of any controlling body other than their own. Also, this being the land of freedom, I would stand behind Microsoft's right to implement this standard as a principle of free and open business. (Again, somewhat of an irony!) I must point out, however, that there is a great deal of value behind what Gibson wrote. Having the full, standard raw-socket capability available in Windows XP will potentially result in its abuse by many more s'kiddies as well as true crackers, simply because there are so many more Windows systems in the world. And I would maintain that Gibson's assertion (http://grc.com/dos/winxp.htm#egress) that responsible filtering behavior by ISPs and domain owners is a major, essential part of the solution to preventing a significant problem. It is simply irresponsible behavior to allow messages to go out of one's domain with a source address that clearly misidentifies the sender! There can be only one reason for such a message, and those who ignore the spoofing are, and should be, equally liable for any damages caused by it. Although you focused on taking Gibson to task for his semi-lunatic writing style, you did not provide any ideas or evidence to refute his underlying assertion. Do you have, or have you heard of, a better solution? I'm sure many serious Internet designers and users would love to hear one, because this is a real danger threatening the Internet. If any minimally-talented person - be s/he 13- or 43- or 83-years-old - can shut down the ability of serious, responsible people to use the Internet on no less than a whim or a perception of insult, then the conclusion must be obvious. The Internet will be unusable. Thank you.

--Tim Crichton

Hi, is it worth mentioning (briefly at least) egress filtering that ISPs should, but largely don't, perform? That's the "ideal world" right answer to spoofed source IP addresses. Any sensible ISP should be using standard configuration templates for their customer premises routers, and part of that standard template should be egress filtering. If they've got a sensible database-driven-automatic-router-building widget (I'm sure there's a good name for that), then it's as easy as falling off a log. And if you did mention this in a previous article and I've just forgotten about it, then, er, I'll get me coat. Cheers,

--Chris

I've been following this episode with much amusement... I'm not really sure why Gibson has got your goat, but you obviously don't think much of him - maybe it's because he has a wide audience of techies (that he can brainwash - LOL). I use and support NT and have a vested interest in security (being an admin). Perhaps Steve has managed to manipulate my brain waves and make me believe there is a real threat from XP greater than 98/NT. Whatever, malicious computer use won't go away and that is a real issue; hopefully your review will prove true, and Steve's prediction won't. If a hole is shored up as a result of Steve's 'madness' then good. Oh, and by the way, are you employed by MS :) or the Register? Regards,

--Jason Clarke

Just to follow up on your article:

> As I pointed out in the previous article, malicious kiddies can already take over Windows machines with Trojans like SubSeven and use them for heavy packeting without the owner's knowledge. Raw socket functionality does not in itself make a machine more or less vulnerable to such infection.

You are talking two different things here. Yes, a Windows machine can be infected already and that has nothing to do with raw sockets. The attack that Gibson suffered from wasn't raw socket based, but he does bring the question up of what of raw socket attacks. Prevention is better than cure; try and reduce the main cause of problems, the cause being the continual lack of adequate security in Windows products.

> So if packeting without spoofing is already brutally effective, why does he insist that the inability to filter XP-forwarded packets will lead to an Internet melt-down?

Actually he did put in place at his ISP filters to collect information so that further analysis could be done. As soon as blocking was introduced it stopped. Filtering known bad clients is OK; firewalls can deal with that. Advanced firewalls could do rate limiting to share the bandwidth evenly. But with raw sockets that just doesn't work anymore; the source IP can change each time, so how can a firewall deal with that? An ISP could implement source IP filtering, but that still allows whole subnets. It's the same sort of thinking with the whole love-bug thing; too many people/admins insist on using virus scanner type software on MTAs.
It's not the job of the MTA to look through an email; it can, however, implement policies to limit messages from the same person (like spammers or people suffering from the Outlook bugs). MS's response to his claims is correct: the facility of raw sockets isn't the problem, preventing unauthorised access to the client's machine is. However, Windows does not prevent the thing from happening in the first place, and since raw sockets are of limited use it would seem to be a simple tradeoff. The fact that many sites don't implement sufficient routers/firewalling means that attacks like what Gibson suffered will become more common; even theregister cannot be accessed by ECN enabled equipment, as one of their routers/firewalls does not follow the IPv4 rules. I would not dismiss Mr Gibson as a loony who talks bollocks without knowing the facts; you have only looked at this from a very high level. Personally I don't think it will be that much of a problem, namely because XP, like w2k, won't sell; people are getting fed up of shoddy, expensive products that have a 2 year life span.

--karl.

Hi Tomas, I certainly agree the man tends to be a bit overenthusiastic in making his point, and maybe he is indeed a bit loopy :) Still, I do think he has a point.

> As I pointed out in the previous article, malicious kiddies can already take over Windows machines with Trojans like SubSeven and use them for heavy packeting without the owner's knowledge. Raw socket functionality does not in itself make a machine more or less vulnerable to such infection.

True, that's not what Gibson is saying either. This problem already exists, and the low security in many end user Windows boxes is what makes this a large potential group of DoS zombies.

> Furthermore, malicious operators can already do heaps of packet damage using Windows clients without spoofing. Gibson is right that spoofing makes packets nearly impossible to filter, but filtering isn't the answer to a severe packet attack, as anyone who's had to deal with one can attest.

Maybe you should have elaborated a bit on this, as this seems to be the crucial point you are making. Gibson's whole point seems to be that filtering isn't possible anymore when all packages coming in are from XP boxes that use the raw socket implementation to spoof source. If filtering on packages isn't the solution, what is? You gave one alternative, but you also said it's very expensive. Doesn't that mean that in practice, filtering is one of the few defenses left for many websites / ISPs? I am no expert here at all, and I bet most people aren't, so if there are alternatives, it would help to elaborate on this I think. I thought that most sites filter to defend against DoS attacks.

> Gibson's attempts at filtering were rarely more than briefly effective and caused him and his ISP days of exasperation, according to his own account. So if packeting without spoofing is already brutally effective, why does he insist that the inability to filter XP-forwarded packets will lead to an Internet melt-down? Because he's loopy, that's why.

Nah, that's too easy. The attack was brutally effective, and only because he was able to filter was he able to deal with it in a way and get his site back up. You also scorn that he is unable to defend himself against a mere script kiddie. That's his whole point! Most people probably couldn't defend themselves against a script kiddie either. Any kid with a bad attitude can get tools and start disabling professional websites. Granted, this is already the case. However, he was able to limit the threat greatly because he was able to filter. His point is: imagine what happens if we can't filter anymore either. That means no more defense for most websites. And a widespread, insecure XP spread among millions means millions of potential, hard to stop zombies that can't be filtered. Doesn't he have a point there? Even if he's loopy? :) Kind regards,

--Christian Vogel

Thomas, I read Steve's article and think he has a valid point. Perhaps he doesn't put it succinctly, having been in the middle of a war, but it's valid nonetheless. As I see it, it unfolds as:

1) A widespread O/S and applications going to the great unwashed in an unsecured state instead of locked up like a drum (force users to understand what they're doing to be able to do it - but that would hurt sales...)
2) Malevolent script kiddies without a shred of personal integrity (who should be thrashed within an inch of their miserable, worthless, decrepit lives) get the bonus of their 'bots from 1) being untraceable (unstoppable)
3) Any chance of making ISPs become accountable for their users disappears.

It seems that in the current scenario, it would eventually become possible to force ISPs to disconnect identified IPs involved in an ongoing DoS attack, eventually forcing lazy users the option of becoming blacklisted (no-one will let them connect) or minding their property properly; or maybe even the software writer being shamed into doing a better job (certainly doesn't seem to be any market pressure there to force them). Handing spoofing to lazy (malicious little b*s like these can't be bothered doing the hard work themselves) and technically illiterate script kiddies on a golden platter on the most common (not popular) and insecure platform in the world is insane. Sounds to me like "Well, he's stealing cars. Cops can't be bothered chasing him. Manufacturers make locks optional extras. People can't be bothered getting locks for their cars and the Courts just slap their wrists if they are caught, so let's do something brilliantly intelligent and just remove the licence plates from cars. After all, there's no point trying, is there?"
Regards,

--Jon Burmeister

I enjoyed your article on this subject in the Register, though I think you're being somewhat unkind. From the evidence of his site, he is a little loopy, but I don't really think he's mad! After all, I thought his detailed analysis of the DOS attack he suffered was actually quite interesting, and you have to be a bit loopy to go to all that effort!

I think everyone is dancing around the whole issue. Let me take a stab at it:

1) Raw sockets will allow you to spoof what address you are transmitting from.
2) Under the Windows OS most used by the masses, the spoofing ability is not native. (Or so I think -- could be wrong)
3) Statistically, most compromised boxes are Windows machines. (ASSuMEd)
4) If you have a bigger pipe than your DDOS target, then ONE machine, zombie or not, is all it takes.

This basically means that if you can zombify ONE machine at some corporate office that has a nice T-3 or better connection, you can spam anyone on the net if you can burn up more bandwidth than they can receive. How do you stop such an attack? Well, if the DDOS person is sloppy, you could attempt to filter out the single offending (non spoofing) address. This usually must take place at the incoming location or at the ISP tap. If the DDOS person is using spoofed addresses, then the addresses are all over the place. You can't filter the address. The only way I know how is to physically get someone to look at their incoming traffic patterns and try to determine who is chewing the most bandwidth. Then call the people upstream and repeat the process until you get someone very close to the source of the system. Then someone will have to cut all outbound traffic until someone physically turns off the machine. If you want proof, how long would it take you to contact by phone and get someone to help you at each gateway/router your attack stream is hitting you from?

A quick analogy. If you worked in a water works that had zones that were controlled by other people, and such areas were off limits to everyone but that one individual, how long would it take for you to find a water leak that is 16 zones away on a Sunday morning? Because you don't know which zone it started in, you only know which zone it is dumping into your zone. So you must call the other zone to have them look for which zone the flow is coming into their zone from, and repeat the process until the sourcing zone is found. Not getting the water flow fixed is another problem.

--Kriss H.

Thomas, I agree that SteveG is being a bit of an alarmist, but I think that he is accurate in saying that raw sockets in WinXP will indeed be a huge problem. The simple matter of all new systems after WinXP is released coming bundled with the retarded "personal" or consumer version of WinXP will mean that there will indeed be more pinheads with "raw socketable" systems out there that are too stupid to put up any defenses on these systems or even recognise when their systems have been compromised. Remember, in North America, unlike the UK, there are many morons with broadband .......

--Tony Petrilli

Hi Thomas, OK, let's try to sort this out. There are TWO points being made in Steve's ramblings.

1) How can we stop DOS attacks from Windows machines?
2) How will Windows XP make this more or less difficult?

Point 1.

"but one can already do heaps of packeting from Windows machines with SubSeven, and even launch the attack in bulk from IRC."

Absolutely correct, but Steve's point is that EVEN NOW this should not be the case. Windows machines can currently only generate large Ping (ICMP) and large UDP packets to tie up a remote server. These packets are however filterable because they are ILLEGAL. It is up to ISPs to show some responsibility and filter these packets out AT SOURCE and not forward them onto the Internet, because their only possible purpose would be a DOS attack.

"Gibson's attempts at filtering were rarely more than briefly effective and caused him and his ISP days of exasperation, according to his own account. So if packeting without spoofing is already brutally effective, why does he insist that the inability to filter XP-forwarded packets will lead to an Internet melt-down?"

Firstly, his ISP had no experience in filtering these types of packets. Secondly, there's a hell of a lot more load when filtering packets on the router that's trying to forward valid packets on the last leg to your site than if they'd been stopped on the other side of the world and you were never aware of them. And thirdly, see below.

Point 2.

The introduction of Windows XP provides the opportunity for a DIFFERENT TYPE of packet attack, a SYN flood. When a remote IP Client connects to a server it first sends a SYN packet. The server sends back a SYN/ACK packet, then waits for a final ACK from the Client to complete the handshake and establish the connection. IF however the SYN packet arrives at the server with a SPOOFED source IP address, the host will have a port locked out waiting for the final ACK that's never going to come. THIS IS THE MOST DEVASTATING DOS attack... Firstly, because there is NOTHING ILLEGAL about a SYN packet, it cannot be filtered. Secondly, it is a very lightweight method of performing a DOS attack; a SINGLE machine with a broadband connection could easily take on a large website and no amount of "load balancing and content distribution" is going to save it.

--not signed

Hi again! I just read your most recent article concerning the Windows raw packet issue again, and I thought I'd offer up a few points. Let me start by saying I completely agree with your point that Windows XP will not increase the number of PCs on the net that are compromised.

> As I pointed out in the previous article, malicious kiddies can already take over Windows machines with Trojans like SubSeven and use them for heavy packeting without the owner's knowledge.
Raw socket functionality does not in itself make a machine more or less vulnerable to such infection. Totally agree with the above paragraph. >Furthermore, malicious operators can already do heaps of packet damage using Windows clients without spoofing. Gibson is right that spoofing makes packets nearly impossible to filter, but filtering isn't the answer to a severe packet attack, as anyone who's had to deal with one can attest. The real solutions to packeting are capital intensive, like load balancing and content distribution. Unfortunately, they're quite expensive solutions, and few besides well-heeled commercial entities can afford to put them to use. Gibson learned that much for himself the hard way; he finally had to cry uncle to a thirteen-year-old packeteer named "Wicked", even though the kid tormenting him wasn't using compromised boxes capable of sending spoofed packets. Nevertheless Gibson - a security expert - couldn't make it stop. I have to take issue with this. Having first hand experience in being attacked in this manner. Load balancing does nothing to solve brute force floods. All you do is get into a "my pipe is bigger than your pipe" situation. So long as your attacker has more bandwidth than you do, then he will always win if you take this approach. Distributing the attack accross multiple pipes gives you more bandwidth but nothing is solved. The only things along this line that can help you is rate limiting (ie. limiting the number of packets/connetions per second to a given host). This can be accomplished through quality of service devices. It still doesn't solve the problem, if you have a sufficient diversity of hosts you are still in trouble. Gibson didn't find filtering to be effective, because frankly, he was doing it wrong. If that's his fault or his ISP's I don't know. I've read his synopsis of the attacks and I would have done things differently. 
>Let's say just for fun that there's a consistent number of infected Windows machines x on the Net. There's nothing in Gibson's reckoning which affects that number. There's nothing in Windows-XP that affects it, and nothing in raw sockets either. We still have x victims out there. We've seen from Gibson's account that dealing with a packet attack in the absence of spoofing is a ghastly pain. I allow that the spoofing potential of XP raw sockets will make it somewhat more of a pain, but a bit worse than horrible is nothing to shriek about.

Let me give you a real-life example of why this is more of a problem than you think it is. At home I have a 10mb/s connection. Gibson has a 3mb/s connection. Therefore from my home computer I can generate more bandwidth than he can accept. So, if I decide I don't like Mr. Gibson I can flood him with packets. If I'm just a script kiddie using a Windows box then all Gibson will have to do is filter 1 address and poof, my attack is gone. If I am able to generate random IPs, then I can keep Gibson down for as long as it takes for him to track me, hop by hop, back to my computer. Can I do this right now anyway? Without the use of Windows, or using libpcap, yes, I sure can. I can do it with any Unix box. But let us consider that Unix boxen, and, well, everything other than Windows boxen, still make up the minority of the devices connected to the net. What Windows XP will do is deliver millions of new machines to the Internet that can accomplish packet spoofing. This is not in dispute; it's a fact. With all these new machines that, generally, are not patched regularly, have no administrators, and do not take much knowledge to use, it WILL become easier to perform these types of attacks. That's just a fact. The only thing I see here to dispute is whether or not, just because it will be easier to do, more people will do it. I think they will.

>He shows contempt for Windows users, assuming they're all complete idiots (presumably with the circular argument that they must be morons because they're using Windows), and strongly implies that they can only hurt themselves with a fully-featured OS.

Well, let's assume for a minute that the number of idiots is constant. Since there are more Windows client machines on the Internet than any other type of box, we must conclude that there are more idiots using Windows. It's just straight math =)

--not signed

Dear Mr. Greene, First a little background on myself - I am a contract developer of various network and security applications. I also design hardware and write firmware for smaller embedded devices. While Steve Gibson may be overreacting (time will tell) to the threat posed by the raw socket support contained in Windows XP, he does have several valid concerns. I felt that he aired those concerns quite well. Given the recent attacks on his web site, it isn't very difficult to see why these matters weigh heavily with him. It does seem to me that perhaps you missed the gist of his concerns. So I have taken the liberty of outlining what I consider to be the most important areas (of your articles and Steve Gibson's web site) and adding my own thoughts.

- While it is true that nothing that I'm aware of in Windows XP will increase the number of zombies (or other infected machines), the zombies will be much more useful. With raw socket support the offending program will be able to mask its origin, something that only Windows 2000 could do before. Previously it was fairly trivial to locate a zombie running on an infected Windows machine (except 2000), by just tracing the source IP back. Now that the source IP can be anything, it will be much more difficult.

- Infecting an average Windows machine is fairly trivial, as most people have ActiveX and Java enabled. It just isn't that fruitful, as the average machine is easily traced back and many operate over low speed connections.
However, with the ability to both spoof the source IP and generate almost arbitrary packets, even a machine with a low speed connection will be able to do significant damage.

- There is absolutely no good reason to include raw socket support in Windows XP. While I do accept that some programmers may have use for it, this could be handled by a special version of TCP/IP on a development CD.

- The argument that Unix/Linux/... has had raw socket support for a while and nothing has happened is not very valid. Many incidents have occurred as a result of this. Fortunately, the infection of these machines must usually be done in person as they tend to have far fewer security holes. Also, many of the hacking utilities and zombies are Windows based, as are many of the programmers who write these "tools".

Steve Gibson has had a long and distinguished career as a top notch programmer and genuine good guy (which is probably why so many people have come to his defense). He is sometimes a little sensational (as is The Register), but his heart is in the right place. Only time will tell if he is correct and to what degree.

--Jeff Hill

I think the point is that spoofed packets will not be traceable. Right now Gibson can list all the IPs on his website that have attacked his site. I think he is inarticulately reasoning that if the packets are spoofed, the attackers will feel more secure and be bolder in their attacks. Guess we will just have to wait and see which is the correct conclusion.

--David Heier

In your article "Steve Gibson really is off his rocker", you said he finally gave up and had to cry uncle to Wicked. I believe that after his articles he was attacked not by Wicked again but by people attacking his webserver on port 80, so he couldn't block it without stopping his site. He never says that this is Wicked, but more likely it is actual hackers who didn't like what he did.

--Mike

Thomas, (regarding Steve Gibson being off his rocker...) Steve Gibson has never said the low level sockets interface in Windows XP is going to result in more machines infected. Rather, it will make it nearly impossible to block or filter them, because those legions of Win9x machines now captured by trojans will become WinXP machines able to spoof their IP address. Best Regards,

--Don Kenny

Windows XP's raw sockets implementation will encourage malcontents to allow their machines to be used for malicious purposes. A major deterrent to date has been the need to place 'zombies' on remote machines to prevent detection. With XP (or indeed, as you say, LINUX), malicious users are being invited to do whatever they will, undetected and undetectable. Regards

--Paul Hanlon

I think Steve Gibson's point about the danger of XP's spoofing is that he could not have tracked his assailant if the addresses were spoofed. The machines attacking him were not spoofed, so he was able to track down zombies. This led to getting a copy of the trojan and, eventually, finding his assailant. If the addresses were spoofed, he might never have obtained a copy of the trojan and found his assailant. Spoofing may not make DoS attacks more damaging, but it may make it harder to find the source of the attack. I don't subscribe to the doomsday fear of XP proposed by Gibson, but he has a valid point. I do think he should turn his story into a Hardy Boys novel, though.

--Aaron Longson

Hi Thomas, I agree that Gibson is making a bit too much of a fuss about incorporating into an OS what really should have been there in the first place, but you are wrong to dismiss his claims that the spoofing ability of XP will not seriously increase the overall effect of DDoS style attacks. I understand your point about it not increasing the number of attacks and agree with it. The only way Gibson was able to put a semi-stop to the attack that crippled his link was by tracking the source IPs the floods were coming from and blocking them at his ISP level.
What is now possible from an XP machine is spoofing the source IP, so that even if the ISP was willing to help you in blocking an attack by tracking where the floods were coming from, the TCP header has been altered so that there is no trace of the true source address, i.e. there is no unique factor in the attack. DoS programs have been able to alter destination address, dest. port and datagram size for ages, all making it harder to selectively block unwanted traffic; now source port (from a Windows box) is not distinct either. Hopefully 2 things will stop Steve's end-is-nigh predictions from coming true: XP will actually be less hacker friendly than previous MS OSs; ISPs will do the responsible thing and put in place measures to not stop customers being able to spoof. Most edge routers/termination devices available for broadband have this functionality. This second point is crucial and possible. Any decent net-eng worth his salt should be ashamed if he hasn't got anti-spoofing configuration to stop his customers being naughty. I have a picture running through my head of an ORBS style blacklist for ISP networks where telcos would basket any packets from certain ISPs if a third party said they didn't have anti-spoofing deployed.. hahah. Phew, that was a bit of an effort. Cheers,

--Simon King

Hi Thomas, I read your articles and find them informative. Thanks for the effort. I concede that Steve didn't need to use so much bold and colour in his statement, but I hardly think that is a worthwhile point to labour over. I also feel from your tone in the article that you aren't impressed with Steve at all, and think to put him in the Alarmist category, which I must disagree with you on. Steve's point is that Windows XP will make the situation worse. You concede that much. This is the thing! Microsoft are making the situation worse rather than better. Not a good move. (BTW I don't have a problem with Microsoft besides thinking they could do more to improve security.)

You state: "Gibson is right that spoofing makes packets nearly impossible to filter, but filtering isn't the answer to a severe packet attack." That's right, it isn't the answer, BUT it's all we've got at the moment for protection, for temporary protection, and you advocate taking this away. Microsoft's answer, "it's not raw sockets that's the problem, it's the malicious code", harks of buck passing, since it's their systems that are so open for compromise in the first place. Thanks,

--Cameron Jiggins

Hi, I was interested to read your comments on Mr. Gibson's essay. I have read the entire article Mr. Gibson has up on his website, and I have read two of your commentaries. I don't desire to 'flame' you, but I, for one, am disappointed in the way you appear to dismiss Mr. Gibson's assessment of the situation. My opinion: you both have valid points, but you both are overly hyperbolic. No doubt you are right that the # of vulnerable boxes will not be altered by XP, but Gibson is also right that it is ridiculously easy to sabotage Windows boxes, because, yes, in fact, most Windows users *are* idiots, at least with respect to knowledge of implementing firewall software etc. This is not an insult per se to Windows users, just the result of its massive user base, and the reality that 95% of users understand less than 10% of the system they are using. Most people *still* can't figure out even half the features of their VCR, after all. Most people don't care and don't want to know. Nor *should* they need to know. In my opinion, Gibson is right to sound the alarm as radically as he does. Especially as MS continues down the road of less security for Windows, as in the now infamous design flaw where all defaults are set to maximum insecurity, etc. I wish you would spend more time echoing the call for concern over this issue that Mr. Gibson is raising, instead of so rudely dismissing his skillful efforts at revealing the dangers out there. The Bottom Line remains, as Mr. Gibson asserts, that any 13 year old can bring down most any website with impunity, and nothing is being done about it. It would seem this is a very very serious issue, and I think Mr. Gibson will be hailed in the future as a prescient voice in the wilderness. I am sorry to say it, but the attitude of your commentary comes off as a reaction to another's genius. A few more paragraphs reinforcing Mr. Gibson's assessment of the reality of the problem would help everyone, whether or not you agree with his hyperbole. Anyway, thanks for keeping the issue alive! Take care

--not signed

Dear Thomas, Steve may have been overreacting somewhat with his outlined tables and huge multi-coloured text, but there are some differences between what you're saying and what he was on about. Your article says: "Raw socket functionality does not in itself make a machine more or less vulnerable to such infection", but what he was saying was this: once a machine is infected, that compromised machine can be used to do more damage if it has raw socket functionality. So assuming that the same number of XP machines are infected as Win98 machines are, those XP machines can be put to more mischievous use. His rationale for saying that is based on his experiences with the DOS attacks on his site. The first few were normal Win98-style attacks and after some sleepless nights he managed to block them all off. Then he was attacked again, this time with spoofed packets, and there was nothing he could do to block it. Not being a network security expert, I don't know if he was right one way or the other, but that's what he based his rant on - not on whether the XP boxes were more vulnerable than the Win98 ones, but on the fact that he thought that if they are vulnerable then they're more dangerous.
You've probably had plenty of emails about this stuff already, but I felt like not working for 5 minutes so I sent one too ;-) Regards,

--Stephen Tjasink

I've read both your articles, and I think both of you are a little whacked... Mr. Gibson is concerned about security - it is his job and passion (mine is UI development - to each his own). His concern comes from the fact that there are few good ways to stop an attack other than filtering. This needs to be done at the ISP level, and few owners could do anything OTHER than block specific IP addresses. They (the ISPs) often do not have the technical knowledge and/or facilities to accomplish more. By being able to spoof the IP address you completely remove this defense. My first defense in an auto accident is my seat belt. I may have more (like an air bag), but that first device does a lot towards saving my life. Your concern or point (not sure which) is that Mr. Gibson is overreacting - that this new version of XP will not pose any greater threat than other versions of Windows. In part you are correct - all the versions of Windows are pretty susceptible to viruses and being taken over. Please consider the market. As of this date, most Windows users that have a choice and are knowledgeable are running Windows 2000 because of its stability. This same group tends to run virus scanners and be careful about what they open. Certainly not perfect people, but better educated in computer use than the mass of people that buy a computer to do email, play games and let their kids use the computer with no supervision at all. Many (most?) do not have a virus scanner and they probably wouldn't upgrade to XP if it were free. The only way XP is going to be popular is with new computers, because it comes "free" with the computer. I see no reason to upgrade to XP, nor do most people I know. I see the current slump in computers continuing and, because of that slump, XP will be a failure. I would be interested in numbers for installed computers with ME and how many people upgraded (darn few I bet). Dell, Gateway and others can't even give their computers away - people are just not interested. Because of this lack of interest in XP, I agree Mr. Gibson is overreacting - but as a security expert he has to deal with potential threats and act accordingly. If he did not, he would be betraying his profession. Sincerely,

--David Stidolph

Hi Thomas, I read your two articles ridiculing Steve Gibson's concerns regarding raw sockets support in Windows XP with much interest. All valid points, I am sure. Anyway, I have read both sides of the argument, and I suspect they both have some merit. Can I just point out one thing that Steve Gibson stresses, and which AFAIK none of his detractors has properly addressed: despite the rights or wrongs of his "rant", just what good *are* raw sockets to an end user like me? Not a techie or a software developer, but a user like me? Is there something that Microsoft has planned for Windows XP that needs raw sockets to do its "thing"? Or is it just to make life easier for the software developer? If the former, then they should tell us. If the latter, well, no, think again - it should be taken out, and a techie can just go and install WinPcap and do their thing on their own machines and leave the rest of us alone. I think the absence of this information from the anti-Gibson camp is a real disservice to this debate. If Microsoft is putting raw sockets in because it is needed for me and my fellow computer users, well, fine - but they (or you?) should tell us what it is. If they are only putting it in because they can, and so they can say "me-too" to all those Linux boxes - well - that is faintly ludicrous and completely arrogant. Any thoughts? Cheers,

--John

Just wondering if you had seen Steve's page at http://grc.com/dos/xpconference.htm where he takes a stab at you guys. A little name-calling now going back and forth?
I think you struck a nerve with him! He may be overreacting, but he makes some well-reasoned arguments, you have to admit.

--David Parker

I can surely guess that more articles from both you and Gibson will speed the "development" of DOS attacks. Hackers will always be after the recognition, claiming rights, and the need to prove you wrong (or right, as in Gibson's case). One thing you didn't address in your Register article, and something I haven't seen explained elsewhere, is some sort of rationale as to why "raw sockets" support should be implemented at all in the OS. Of what possible benefit is this feature? Why should a net-friendly OS permit its identifying IP address to be "spoofed" in the first place? Although the Microsoft response to Gibson claims that his case is overdrawn, it makes no mention of why the OS should support this "feature", or what benefits it might offer. I can't think of any, but I'm not a security expert. Perhaps you could do a follow-up on this aspect of the controversy.

--Gary German

Today, I received Steve Gibson's latest newsletter. In it, he points up a conversation he had with M$ techies. Included in this article, located at http://grc.com/dos/xpconference.htm , he states: "But, my protestations are falling on deaf ears at Microsoft. And thanks to many other loud and equally security-ignorant voices which are attempting to confuse the industry on this topic, Microsoft shows no intention of responding to this now very visible threat." In his article, of course, "loud and equally security-ignorant voices" is a link, pointed to your article at http://www.theregister.co.uk/content/4/19925.html . I would LOVE to see a pissing match here. :)

--Nick Walters

No flame, Mr. Greene - just a note: since Steve Gibson does have an international reputation as a fellow who generally knows what he's talking about, and since few if any know of your reputation for other than ridicule (or did Microsoft's execs ask you also to attend a private meeting?), why don't you write another article on your background, level of knowledge, publications, citations for work well done, etc. Then, perhaps, most of us could attend your rants with a different perspective.

--Cordially, Tom

Instead of slagging off someone who cares about and understands security, it may be worthwhile trying to understand him. Your position seems to be that the Net cannot be attacked successfully for any longer time, for some unspecified reason. Almost all computer users haven't got much of a clue about security, which doesn't make them idiots, but makes us right in being worried. It is hard to understand your reluctance to face up to the reality of the security problems on the Internet. Do you believe that someone has already thought of all the security problems, and there is no need to improve and monitor the security aspects of the Internet? I can only assume you don't like Steve's assertiveness - which in my opinion stems from a very good understanding of the technical issues. MS is not going to listen to a quiet "excuse me", so I believe Steve's tactics are OK. BTW, just because this security problem is not the ONLY one, and perhaps won't lead to meltdown, it doesn't mean it is not worth doing something about.

--Patrik

Dear Thomas, I would also like to give my view on the matter of Steve Gibson's claims about WinXP's raw sockets. First of all, some facts that we already know:

- A majority of the people on the Internet don't know a damn about security. They also don't care about it, even after you show them the danger right in front of their faces. (Believe me, I tried.)

- Many script kiddies out there don't actually know much about coding (or the technical details). They are, however, very resourceful. They know where to download other people's code and modify the variables to suit their needs. (Since they don't know the code well, they can produce non-working programs after modifying it. This can be seen from many macro-viruses.)

- Most script kiddies own a Windows machine. Why? Because they can't be bothered learning Linux. And Linux is nowhere near as user-friendly and easy-to-use. It's also not as fun.

- Kids like to make friends with those who share common interests with them, those who are fun, or those with the same taste as them.
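Two of the technical claims in the letters above can be made concrete from the defender's side: the unsigned "two points" letter describes a SYN flood as a host left waiting for a final ACK that never comes when the SYN carried a forged source, and Simon King's letter points out that anti-spoofing configuration on the access ISP's edge devices stops customers forging source addresses in the first place. The following Python is an added example written for this page; it is not code from any of the letter writers, The Register, Microsoft or GRC. It constructs its own packet trace (addresses from the RFC 5737 documentation ranges), and the server address, the customer prefix and the detection thresholds are assumptions chosen for illustration.

```python
"""Added example: a half-open-connection tracker that spots a SYN flood in a
constructed packet trace, plus a BCP38-style ingress check an access ISP can
apply at a customer edge so that forged source addresses never leave the
customer's own prefix. Addresses, prefixes and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

SERVER = "192.0.2.10"            # constructed: the web server under attack


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str                    # "S" = SYN, "SA" = SYN/ACK, "A" = final ACK


def handshake_states(segments):
    """Replay the three-way handshake per (client, sport, server, dport) 4-tuple.
    A connection that stops at 'synack' is half-open: the server sent SYN/ACK and
    is waiting for an ACK that, if the source was forged, will never come."""
    state = {}
    for seg in segments:
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        if seg.flags == "S":
            state.setdefault(fwd, "syn")
        elif seg.flags == "SA" and state.get(rev) == "syn":
            state[rev] = "synack"
        elif seg.flags == "A" and state.get(fwd) == "synack":
            state[fwd] = "established"
    return state


def syn_flood_report(segments, min_half_open=50, min_ratio=0.9):
    """Per server: half-open vs established counts and distinct client addresses.
    Flags a server when half-open handshakes dominate and are numerous; thresholds
    are assumed values, not tuned figures."""
    per_server = defaultdict(lambda: {"half_open": 0, "established": 0, "sources": set()})
    for (client, _sp, server, _dp), st in handshake_states(segments).items():
        entry = per_server[server]
        entry["established" if st == "established" else "half_open"] += 1
        entry["sources"].add(client)
    report = {}
    for server, e in per_server.items():
        total = e["half_open"] + e["established"]
        ratio = e["half_open"] / total
        report[server] = {
            "half_open": e["half_open"],
            "established": e["established"],
            "distinct_sources": len(e["sources"]),
            "suspected_syn_flood": e["half_open"] >= min_half_open and ratio >= min_ratio,
        }
    return report


def ingress_filter(outbound, customer_prefix):
    """BCP38-style check at the access ISP's customer edge: a packet leaving the
    customer link is forwarded only if its source lies inside the prefix assigned
    to that customer. Returns (forwarded, dropped) lists."""
    net = ipaddress.ip_network(customer_prefix)
    forwarded, dropped = [], []
    for seg in outbound:
        (forwarded if ipaddress.ip_address(seg.src) in net else dropped).append(seg)
    return forwarded, dropped


def constructed_trace():
    """Constructed trace as seen at the server: three real clients finish the
    handshake, then 200 SYNs arrive with forged sources and the SYN/ACK replies
    are never answered."""
    segs = []
    for i, client in enumerate(["10.1.1.1", "10.1.1.2", "10.1.1.3"]):
        sport = 40000 + i
        segs += [Segment(client, SERVER, sport, 80, "S"),
                 Segment(SERVER, client, 80, sport, "SA"),
                 Segment(client, SERVER, sport, 80, "A")]
    for i in range(200):
        forged = f"203.0.113.{i + 1}"
        segs += [Segment(forged, SERVER, 50000 + i, 80, "S"),
                 Segment(SERVER, forged, 80, 50000 + i, "SA")]
    return segs


def constructed_customer_outbound():
    """Constructed packets leaving one broadband customer whose assigned prefix is
    198.51.100.0/24: two honest SYNs plus the 200 forged SYNs from the trace."""
    honest = [Segment("198.51.100.7", SERVER, 41000 + i, 80, "S") for i in range(2)]
    forged = [s for s in constructed_trace() if s.src.startswith("203.0.113.")]
    return honest + forged


if __name__ == "__main__":
    for server, r in syn_flood_report(constructed_trace()).items():
        print(server, r)
    fwd, drop = ingress_filter(constructed_customer_outbound(), "198.51.100.0/24")
    print(f"ingress filter forwarded {len(fwd)} packets, dropped {len(drop)} forged ones")
```

The two functions sit at different points in the network: `syn_flood_report` runs on a trace at the victim and can only recognise the flood, since, as the letter says, each SYN is individually legitimate; `ingress_filter` runs at the source ISP's edge and rejects the forged packets before they reach anyone, which is the control the letters argue ISPs already have the equipment to deploy.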
Thomas C Greene, 09 Jul 2001

Steve walks on water; you're a moron, and so's your old man

Dear Mr. Greene, While I don't want to come across as strident, you don't seem to have read the "thousands of words on his Web site" you mention Steve Gibson as having written. There is one reason, and one reason only, that he believes the raw-socket capability in WinXP is going to lead to chaos - its use in zombie machines for DDoS attacks and the inability of ISPs to effectively filter out packets with spoofed IP addresses at the target router. Of course all Unix and Unix-like machines already have this capability. Certainly it can be added to existing versions of Windows. Yes, DDoS attacks can now be launched from Win95 machines subverted by SubSeven trojans or IRC 'bots. None of that is an issue. The issue is that:

1) There are thousands of Windows machines left running 24x7 on broadband networks (primarily @Home and RoadRunner) by clueless owners who have made no attempt at securing them.

2) DDoS attacks originating from even a large number of such machines can be filtered - at the point nearest the victim - by ISPs' high-bandwidth routers before they shut down lower-bandwidth customer links, if the source IP addresses are real and unchanging.

3) Hundreds of WinXP machines launching a DDoS attack using forged, possibly rapidly varying, IP addresses will not be filterable by the targeted victim's ISP, and will without doubt succeed in swamping his/her link.

Gibson (and others) aren't worried about WinXP or Linux machines in the hands of script kiddies, as you suggest. Nor are they especially worried about the ability of ISPs to trace infected machines and notify the owners, since none of the ISPs Gibson contacted showed any willingness to do this now. Your statement: "True, the boxes will eventually be found because their IPs are traceable, and admins will contact the owners and let them know they're infected -- but only long after the damage is done. Raw sockets in 'XP only marginally improve the situation for a malicious party. We really don't see an immense growth in packeting on the horizon." completely misses the point of the unfilterability of IP packets with spoofed and variable IP addresses, by the victim's ISP (not the source ISP). I'm not sure whether or not Gibson is over-reacting, though if I had had his experience with a personal website I'd be awfully unhappy. But minimizing the problem of zombie machines provided with a raw socket interface is not a reasonable response to his concerns. And your further paragraph: "According to Gibson's paranoid delusions, everyone with a computer is a potential criminal, and the only reason the entire Net population hasn't yet exploded in some mass orgy of evil is because Microsoft has thus far refrained from unleashing the uncontrollable power of the raw socket." misrepresents everything he says in his admittedly voluminous web pages. I don't know whether you actually believe this summary, or whether you intended it as hyperbole, but it doesn't serve you, or your publisher, well. Regards,

--Mark McCutcheon

I've read your article and it seemed good... then I read Steve Gibson's homepage and became confused... Were you talking about the same person whose page I saw?

"(...)so he's decided to exploit the very threat he claims will make the Internet permanently unstable"

The way you say this makes it seem he's just a madman. The way I read it, it was a controlled experiment to serve as proof of concept; they are two different things... I don't think his idea and work is to make the Internet useless.

"All right, we'll allow that there'll be a few s'kiddies who might prefer to use their Win-XP boxes for such purposes. But they can already do so simply by installing Linux and doing a bit of reading."

You're losing the point here... the s'kiddie's computer doesn't need raw sockets... it doesn't participate in the "attack". The machines that he controls need it. So are you suggesting that a flood program be created that in an automated way converts Win98, ME, etc... into Linux?

"There will also be more Windows clients available for malicious misuse as 'XP grows in popularity; but one can already do heaps of packeting from Windows machines with SubSeven, and even launch the attack in bulk from IRC."

That's the problem, and the only known way to work around it is to filter packets. With WinXP, that will no longer be possible.

"Raw sockets in 'XP only marginally improve the situation for a malicious party."

If you call becoming "invisible", with the capability to circumvent filters and make an attack unstoppable, a marginal thing... then you're right.

"Gibson, on the other hand, tells it like a loner in the desert, living, we would imagine, on locusts and wild honey for a bit too long a time."

You're not being intelligent and cordial here... it's just kind of an insult, I think... well... carry on...

"After being packeted into submission last month by a thirteen-year-old computer enthusiast called "Wicked", he's become obsessed with the mission of dissuading Microsoft from outfitting 'XP with the same capabilities as most of its competitors."

First I thought this whole thing was a joke... when I saw the potential here... I'm getting a little horrified, let's see... We can make a program that can spoof packets and bypass filters, can be run on any port we want, can locate a dynamic server and in the near future (see the Freenet project for a way of doing this) can detect infiltrated nodes and reject them. Remember that this stuff is not created by s'kiddies; it's released to and used by them...

"According to Gibson's paranoid delusions, everyone with a computer is a potential criminal, and the only reason the entire Net population hasn't yet exploded in some mass orgy of evil is because Microsoft has thus far refrained from unleashing the uncontrollable power of the raw socket."

Here again, the way you wrote this... you make it seem that he says that everyone will actively participate in a computer crime, in an attack; if I hadn't read his page (and the majority didn't, I'm sure) I would be completely misinformed and have a bad impression of a man who's probably right. Raw sockets are for things other than normal Internet use; they are there to provide the "pros" with the power to improve things and do things in another way, not for the consumer just barely using the Internet as it is... So, I share his idea when he says that personal computers can live well without raw socks.

--Ricardo Cunha

Mr. Greene - There was really no reason to "[sic]" Steve Gibson's quote, when all he did was use "Insure", the accepted American spelling, rather than "Ensure", the British spelling. In the US, "Ensure" is the trademarked name of a brand of liquid dietetic supplements for the aged and infirm. Also, I would hardly refer to the author of SpinRite as a "Geek". Yours,

--David Ratti

I rarely go out of my way to comment on a technical news article, but this one I found so unprofessional I thought I would go ahead.... Firstly, your blasphemous use of scriptural quote, comparing the man to John the Baptist and then calling him paranoid & virtually placing the word "bastards" into his mouth - is really sick. Secondly, the man is emphasizing the ease & prevalence of the exploit, not just the possibility. Your focus on the already-standing possibility shows you don't even realize what Gibson is talking about. The point is that hundreds of thousands of people do not use WinPcap or Linux.
If WinXP becomes a desktop OS for the average Joe, it can be exploited by trojan bots by the thousands without owners' awareness. I think you better revisit Gibson's story of the Wicked cracker and focus on this idea of ease and prevalence without OS owner awareness. It has nothing to do with current possibilities with WinpCap and Linux. --JLC Dear Sir, Windows XP makes MILLIONS of novice users' computers into Distributed Denial of Service (DDoS) platforms, capable of SYN floods and with anonymous spoofing of IP addresses enabled by default. These millions of newbies have no clue about security, much less about how to defend their PC's against malicious hackers with their trojans and 'bots. This has never been the case before on UNIX/Linux/Win2K systems, mostly managed by expert users who are presumably aware of the security issues, and who set up firewalls as if their jobs depend on it, (which they do). I trust Steve Gibson's analysis of the problem. He did his homework. Yours Very Truly, --Brian Eargle Let me quote you first: "The raw sockets which have Gibson so steamed enable a machine to send or capture data independent of the operating system -- quite handy if you're a software developer or an advanced hobbyist. And while it's true that this also enhances the packet-flooding capabilities of a Windows machine by making it easy to spoof packets, it's also true that this function is already included in most other operating systems, and can be added to an existing Win-9x, 'ME, or '2K machine quite easily with a library called WinPcap ." Now let me make sure I get this right. The only group you can show that MIGHT need this raw packet capability are advance hobbyists and developers and there is a library available to them that they can use now. Right? Then why the hell does it need to be in the OS? I am a Microsoft developer since 1981 and have come to their defense on damn near all points, but this just seems hare brained to me. 
If these two are indeed the only groups benefiting, then why have it at all? Especially since, by your own admission, it can really make finding the source of a DDoS attack a pain. Steve's right. You're wrong. --Gary Shell

Dear Thomas, I read your recent affirmation of your opinion of Steve Gibson. I thought I'd just write to point out why you are wrong. Briefly, Steve Gibson is claiming that the launch of Windows XP, with the ability to write raw packets, will make the DDoS problem much worse. You rebutted this by saying that a script kiddie can already send spoofed packets by installing Linux, and that is true. But Steve Gibson is not claiming that this makes any difference. No single machine could run an effective DoS attack, and no malicious party would want to run the risk of being traced by sending it from their machine. You also said that the launch of Windows XP will not affect the number of people actually running compromised Windows machines. That is certainly true too. Again, this is not what Steve Gibson is claiming is the problem. You claimed that dealing with a packet attack run from older Windows machines without packet spoofing is "a ghastly pain" and allowed that the spoofing potential of XP will make it "somewhat more of a pain". You imply that neither attack can be dealt with effectively. If you read Steve Gibson's long account of the attack on him carefully you will see that, after the initial surprise, he was usually able to counter the attacks 24-48 hours after they started, by filtering. It's quite clear that he was able to defend himself against the attacks once he figured out what was going on. To say that in this case filtering was "rarely more than briefly effective and caused him and his ISP days of exasperation" is simply misrepresentation. You say "a bit worse than horrible is nothing to shriek about" and this is very weak.
If "horrible" means an attack which knocks the website off the net until the routers can be configured to filter against the attack, then "a bit worse" does not accurately describe an attack which cannot be defended against at all. Furthermore, spoofed packets are very difficult to trace. Some other factual inaccuracies. You said "The boxes will eventually be found because their IPs are traceable, and admins will contact the owners and let them know they're infected". If you read Mr Gibson's original article you will see that in the large majority of cases this did not happen. The large ISPs were not interested in doing so. You also cast doubt on his assertion that there will be lots of compromised Windows XP boxes around which hackers can use as zombies in a DDoS attack. This is presumably what you mean by "He shows contempt for Windows users, assuming they're all complete idiots". Apart from misrepresenting his claims as pejorative to Windows users, you can see that Mr Gibson's first experience with an attack clearly shows that even one 13-year-old hacker had access to hundreds of such boxes. Finally, why the personal tone? You clearly disagree with what he's got to say, but why is it necessary to attack the man and not the issue? Is it because your arguments are weak? As a journalist I would hope that you would take time to contact him and allow him to express his views in your article to counter your own. By the way, I'm not connected to any party in this. I'm just a bit saddened by reading a personal and inaccurate attack.
--Dr Andrew Ker

I think you're missing the point of Steve Gibson's article (this isn't a flame per se; I'm trying to be informed). This is what Steve said: "Thanks to the fact that the fleet of attacking machines were Windows PC's, they were unable to send TCP SYN packets to our port 80 (which would have crippled us completely), and were only able to flood us with UDP and ICMP packets (which we could temporarily ignore)." Now what he seems to be saying is that at the moment, the machines most vulnerable to being "zombified" are Windows PCs... which is fair enough. You can buy them out of the box and plug them into a phone line with little idea of what you're doing. The only Win2K machines tend to be business users (protected by firewalls, antivirus software etc.) or home users who have a bit more technical know-how. WinXP will have the Unix ports enabled, as Win2K does, the difference being that WinXP will be for home users as well. Now I don't know the full technical details of ports enabled, what it enables you to do, but what he's saying seems to make sense to me. The number of machines on the internet isn't going to increase, the number of vulnerable machines on the internet isn't going to increase, but the number of vulnerable machines with the potential to do a lot more damage is. That's how I see it anyway. If you think I'm talking b*llocks (which is always a possibility) and you have any good links to where I can understand what I'm trying to talk about, feel free to let me know. --not signed

You keep making a single flawed point: that packet filtering is ineffective against DDoS attacks. This is not true. Packet filtering is frequently enough to see off an attack; the only caveat is that the filtering needs to be done at a high enough level (in the routing hierarchy) that the attacker's attacking bandwidth is less than that available at the filtering point.
You also seem to think that it always takes a long time to find the infected boxes ("...only long after the damage is done"). This is absolute rubbish: there are plenty of cases where the attacking IPs could be traced within minutes of the attack starting, enabling machines to be blocked at the source ISP. You can get out your modem, dial Freeserve and wahay, new IP address, and a safe connection on which to trace the attacking IPs. The only problem here is if the source ISP are lazy/stupid/etc. and refuse to co-operate or e.g. don't bother turning up to the office most days. From my reading of the Gibson article, the people he's really annoyed about are incompetent/negligent ISPs. --Adam Martin

The minute you have one-tenth the knowledge that Steve Gibson has about internet security, maybe, maybe!, people will take your crap seriously. Your whole argument about Gibson being mad amounts to saying, "if it's bad enough already, who cares if it's made worse". That is utter and total crap! It's like saying, oh well, there's so much poverty in the world, let's just fire everyone and steal all their money, it won't make a difference because it's so bad already! Steve was not saying that WinXP will make more zombie-infected machines; what he is saying is that it will make DDoS attacks much harder to block and stop. You said yourself that there is no effective way to stop packeting; well, filtering works to a degree, and it's the only thing that works at all! If IPs can be spoofed then there is no way whatsoever to stop packeting attacks. I guess the real point here is, does raw sockets support do anything besides allowing for spoofed packets? If it doesn't then it should be eliminated from WinXP, because if it doesn't do anything BESIDES creating a massive security hole, then it's a bad thing and should be removed. If it does do something worthwhile, then it should be evaluated in contrast to what harm it can do.
I do agree with you that Gibson is making too big a deal out of this, but it is a major issue and you shouldn't make light of it. --not signed

If you read his article you would see that he did mainly stop Wicked's attacks by filtering. Subsequent attacks he could not block, but if the worst came to the worst he could have at least blocked the IPs of most of the attacking machines. The fact that he is an alleged security expert and he still could not stop the attacks should point to the serious nature of DDoS attacks and not call into question Steve Gibson's abilities. The ability to spoof the source of packets makes them untraceable without manually going into every router and switch in between to see the current port allocation tables. Currently, in a worst-case scenario, it's at least possible to trace a Windows machine. Remember, Windows machines will make up the vast majority of DDoS clients (zombies). I don't think he is -- I think perhaps you have missed the point of his article. Also, Microsoft's article somewhat conveniently fails to address some important points:
1) Microsoft OSes are by far the most common.
2) They're used by people with little knowledge of computers on average, as compared to other OSes.
3) There are more trojans around for Microsoft OSes (see point 1).
4) Most XP boxes will not be set up by default to require all executing software to be signed, as 99% of users will have at least one piece of legacy software.
5) Although many of Microsoft's points are valid, they still do not stop someone downloading an executable which happens to contain a DDoS client and executing it (trojan).
I'm sorry, normally your articles are well written, but not this one. It sounds like you are angry more than anything else. Aren't you supposed to be writing an unbiased article? I expect better from The Register. --Stephen Bland

Hi Thomas, I read your original article, and your defensive follow-up, and, to use your unbiased journalistic language, I thought it was bollocks.
Sure, Gibson's ransom-note style of web-page design doesn't do much to lend credibility to his message, but that's no reason to argue that every point he makes is false. In fact, most of the points that you make aren't actually at odds with anything Gibson is saying, although the way you line up your straw men makes it look as though you are destroying every last shred of credibility Gibson might have. He never pretends that he has a magic cure that will stop Windows boxes from being hacked. In fact, the only thing he is claiming is that the spoofing potential of XP raw sockets will make dealing with a packet attack more of a pain, a point which you claim to agree with... although you then go and attempt to argue against that by pointing out that 'Gibson's attempts at filtering were rarely more than briefly effective', another claim which seems to be only slightly related to what actually happened. You've littered your argument with claims like 'he shows contempt for Windows users', which, as far as I can tell, you have made up just to try and hide the fact that there is no substance to anything in your article. Ad hominems are always a good form of attack when you've got no other legs to stand on. As far as I can tell, Gibson's attempts at filtering landed him with the IP addresses of all the machines 0wned by Wicked, gave him a chance to reverse-engineer the zombie program and talk to its author, AND let him block the attack. In a slightly better world, he might have been able to let the owners of the hacked machines know how to tighten their own security, and the FBI could have easily tracked down the culprit. None of this would have been remotely feasible with the current Internet infrastructure if the machines had been able to fake their IP addresses. Hope to see more factual reporting in the future... Keep up the good work. --Andrew

Hi Thomas, To be honest, little of what you say seems reasonably thought through.
"As I pointed out in the previous article, malicious kiddies can already take over Windows machines with Trojans like SubSeven and use them for heavy packeting without the owner's knowledge." But, as Steve points out, in a manner it's possible to filter "but filtering isn't the answer to a severe packet attack" It can work, as Steve has proven. Therefore it effectively makes the barrier to entry for a DDoS attack higher. "The real solutions to packeting are capital intensive, like load balancing and content distribution" a) load balancing won't help against a DDoS AFAIK, since you can simply attack the machine doing the distributing (hence no requests get passed on b) content distribution suffers similar weakness: the DDoS attack only has to hit the entry points "Let's say just for fun that there's a consistent number of infected Windows machines x on the Net." Well let's not say that since it's a pretty silly thing to say? People *are* still buying computers. More people are joining the net every day. Broadband is slowly taking off but this will accelerate as the technology matures. All this makes the potential of x a rapidly increasing number. "When those insecure and maliciously potent Windows XP machines are mated to high-bandwidth Internet connections, we are going to experience an escalation of Internet terrorism the likes of which has never been seen before." And where have you heard warnings like this before? Perhaps time around the turning of the millenium? It was through bold warnings like this that large companies woke up and poured previously unthinkable amounts on money into ensuring y2k compliance. Otherwise they would simply buried their heads in the sand and there *would* have been a y2k disaster. We can look back and think those urging fixing the y2k problems as 'loopy' since nothing happened, or we can thank them for prompting a change in attitude and ensuring nothing did happen. Personally I think Steve is doing a good job in warning us. 
I would like to see everyone running a decent firewall and software that scans the host machine for vulnerabilities, but that isn't going to happen. Disabling raw sockets in XP could be the next best thing. The kind of people that run XP are only going to be people that just want to run Word and Excel, and occasionally browse the web and check up on email. Why would they want the raw socket ability? --Phillip.

I do not think you have understood why Steve Gibson is worried about raw sockets in WinXP. It is not that "XP is going to increase the number of infected victims", as you stated in your recent article (http://www.theregister.co.uk/content/4/19925.html). You are correct that there is no reason to think WinXP will increase the number of 'victim' machines. But that is not the point. In his description of the series of DDoS attacks on his internet connections, the first attack crippled his connections for 17 hours, mostly due to getting hold of someone at his ISP so they could filter out the bad packets. These filters were not permanent; it sounds as if the ISP removed them after a day or so. Initial subsequent attacks were stopped when he was able to more quickly get hold of Verio and set up filters again. I believe they were able to filter out the bad packets based on the source addresses. Gibson's fear is that when a single 13-year-old is able to launch DDoS attacks from 400+ untraceable machines, these attacks will be much harder to defend against, for anyone. Real solutions are not "intensive, like load balancing and content distribution"; that is just avoiding the problem by throwing money at it. In future articles, I would suggest really reading and understanding someone's position, rather than bringing up a non-issue (as you have done here). Given Microsoft's history, your trusting that they have made WinXP 'secure' against user actions (that IS how the trojans get installed) really calls into question your grasp of the issue and history.
Sincerely, --Jeremy Silver

I read your article "Steve Gibson IS off his rocker" with interest. Your attempt to clarify one passage in your first article, "The boxes will eventually be found because their IPs are traceable, and admins will contact the owners and let them know they're infected -- but only long after the damage is done. Raw sockets in XP only marginally improve the situation for a malicious party." misses the point. No one misunderstood you, and it had nothing to do with the "transparency" of your phrasing. Your "spelling it out" more clearly does nothing to acquit yourself of your mistake. In fact, not to get off the point too much, but your whole article seemed more an attempt to defend yourself than to illuminate the issue, which, summed up, is this: Everyone understands the nature of Trojan Horses such as SubSeven, and we all understand that a primary component of the problem is infecting the clients in the first place, which, as you say, does not increase with the release of XP. What changes with the release of XP is, as you know, the ability to spoof the packets. You dismiss this out of hand, but really it is the central point. Steve WAS able to make the attacks stop (despite your intimations to the contrary), by filtering the sources of the offending packets. XP makes this impossible. You may think this is not much of a problem, but you don't really know. With identifiable zombies, you can alert the owner and block the source. This removes the threat from you and may well remove the machine from cracker circulation. I don't think it's outrageous to suggest that without being able to do those things, a big problem now might explode. I really enjoy the sarcasm and wit of the Register, probably to some degree because I agree with you most of the time. It's interesting, then, when I read the sarcasm and wit employed foolishly to defend one's ego. --not signed

You couldn't actually put any real hard facts in this article, could you?
You merely repeated what you said and used insults to try and justify your point of view. So, moron, don't come running when some 13-year-old "script kiddie" with the power of raw sockets decides to throw a combination of SYN/ACK attacks, IP spoofing, buffer overflow and ping of death DDoS attacks at your site. If your article is journalism at its finest then no wonder no-one believes you or the politicians. --Richard John Purves

"Let's say just for fun that there's a consistent number of infected Windows machines x on the Net. There's nothing in Gibson's reckoning which affects that number. There's nothing in Windows-XP that affects it, and nothing in raw sockets either. We still have x victims out there."
Before WinXP: Machines running older versions of Windows are unable to spoof packets. Victims know the source machines are infected with "zombies"; they report them, decreasing the number. If I flood my victim with non-spoofed packets from my high-bandwidth link alone, with no "zombies", the attack could easily be filtered within seconds.
After WinXP: Machines running WinXP are able to spoof packets. Victims cannot find out their IP address, and cannot report them. If I flood my victim with spoofed packets from my high-bandwidth link (AS STEVE POINTED OUT), there would be no need for "zombies", as I could flood my victim with spoofed packets from my connection, as they cannot be filtered.
It seems some people just can't grasp these basics. People like that write for The Register. People unlike that write for The Inquirer. --Matt Brown

I just finished reading Gibson's text and yours. I don't understand yours. His was quite clear. This stuff isn't personal, you know. Bye bye --not signed

I sincerely believe it is you, sir, who missed the point. Gibson is not claiming that raw sockets in XP will in and of themselves multiply packeting DoS on the Net.
The genuine threat of raw sockets and the ability to spoof the source IP is that traditional firewalls (which apply rules based on IP address classes) will have hardly any way at all to deal with this effectively. Not to mention (per his examples) that most ISPs are either brain-dead, or don't care about user-end security, or both. The other side of the coin is that, while Unix sockets have had source-IP spoofing since the beginning of existence, Unix systems have traditionally been administered by more technical and security-conscious users. The insidious point that Gibson is making is that Windows XP is being marketed to every Joe, Sam, and dog out there. Microsoft preaches ease of use and dumb over dirty, so why should you expect these people to even be aware that their systems might be compromised in such a way, much less know what to do about it? I'm waiting to see just what the next "Snow White" will do. Gibson may be an evangelist, but there are many chilling facts in what he brings to light. --Ryan

I submit that you are off your own rocker. The problem is not that more boxes will be compromised. The problem is that the compromised boxes will be harder to track down. Oh, and yes... filters do help. They are not a panacea, but they are a good addition to an effective defense strategy. Microsoft is not opening a new door to vandalism, but it is making it easier. As such, there is NO reason to include the new functionality. I realize that journalism is more successful when it is exciting, shocking, etc... However, this has opened the way for ridicule... directed at you. You are losing readership. Me. Oh, and I do know what I'm talking about. I designed and wrote network monitoring systems. Know the term Sniffer(tm)? Maybe you'll remember the name of the company that made that term popular. --Brian Smith

Why do you hate Gibson so much? Is it because he is successful and completely self-employed? 'Tis you who need to get out of the Beltway and relax.
Windows does not need raw UNIX sockets. Or do you actually accept all the Redmond Mafia spin and vapor speak? July and Aug are almost upon us. Get the hell out of D.C. and RELAX. Don't sit there anymore and let your brain bake in the humidity. --not signed

Mr. Greene, I probably disagree with Steve Gibson on the issue of raw sockets in XP, but you miss his point and you clearly know little about him. First of all, I'm not sure I've ever seen him claim to be a security specialist, although he clearly is in my belief. I'd be glad if you can show me where he makes this claim. In your second article, you still don't get it. He's not saying there will be more machines acting as zombies. He's simply saying that existing zombies will be far more difficult to deal with. It is a valid concern. Now the diatribe (respectfully submitted): Ever since the 1980s, I've considered Steve Gibson to be the single best 80x86 assembly language programmer I know of. His SpinRite program has returned hard drives to life for me. I know plenty of utilities. There is nothing to compare with SpinRite. There is nothing in its class. There is nothing that can do what it can do. Dead drives are alive thanks to him. How many stories would you like to hear? For more than 13 years I've considered SpinRite to be the single best program ever written. I don't know a lot about Steve Gibson, but I know that he loves computers and technology and I believe he has a love/hate relationship with Windows/DOS/Microsoft/Intel, as many of us do. He programs for this platform and this is the platform he considers important. I admit that he sometimes seems naive about other platforms and especially Unix, but when this guy needs to learn something, he digs into authoritative sources (RFPs and direct information from manufacturers) and studies like few people in the world.
Then he produces something which may look a little funny, might sound a little funny, and maybe is too wordy, but performs amazingly useful functions which no one else is providing. And I'm never afraid his stuff is going to mess up my system. Steve Gibson wrote other disk utilities as well as making improvements to SpinRite which gave me some control over Zip and Jaz disk recovery and disaster protection which Iomega has never been able to do. Iomega would do well to license GRC technology, to make it available to their customers who don't have the time or knowledge to find his site on their own. The GRC Iomega utilities are free for those who can find the site and take the time to wade through his chatty information. At least he tries to tell us what he's doing, unlike almost everything else I have to use or program. Yes, you can see if your Zip disks are on the verge of disaster, and you can find out for free. For real, precisely, exactly. Not something you can do with the underpowered and misleading utilities Iomega provides. Steve Gibson's Shields-Up site is invaluable to me when I'm setting up machines, which I have to do much more often than I like. Any time (and I mean every time) that I set up a machine, as soon as it's on the Internet I go to his site to double-check the security of the work I've done. I know of no better site. I recommend his site to anyone who asks me for help setting machines up. If you have a machine on the internet and you haven't checked this site, you are not done (with the possible exception of those who are inside a well-built and maintained intranet). Furthermore, I learned about the google.com search engine and ZoneAlarm from Steve Gibson first. I'll spare you long descriptions of how much these are worth to me. I learned about these because I'm on his email list. He sends the fewest emails of any list I'm on, and the sum total of the information is higher than any other.
He sends so few emails I'm sometimes afraid that I'm no longer on the list, but I am. Steve Gibson never berates people who use technology, as far as I have seen. He berates companies for not making things easier, more reliable, and more secure for the typical users of their technologies. This is a very different thing. You know what? I oughta send this guy some more money. He doesn't charge me for SpinRite often enough. Let me put it this way: if Steve Gibson sent me an email asking for $100 to support his efforts, I'd send it. His efforts have been worth thousands of dollars to me. Thank you for your time, --Jim Turtora

Geeze Thomas, You lay pretty hard into Mr. Gibson with little technical information and no solutions. It's like answering his problem with a doldrums "So." Why do you try so hard to insult the man, so little to understand him, and not at all to provide a solution to the problem? The problem isn't that people could be infected, or that Windows XP has a greater potential for infection; it is that Windows is the more popular OS and this is a soup-in-a-can solution for s'kiddies to unleash hell on the internet. If s'kiddies had to upload a new Winsock, write the packet code, and then distribute it to existing clients, well, few to no script kiddies are going to go through the trouble to do that. Nor does the average one possess the intelligence. But with the same approach they take today, applied to Windows XP, they can infect a warez crack or an Anna Kournikova VBS email script and deliver their zombies with little resistance. Now the target of this attack can't defend the way Mr. Gibson was able to, by successfully filtering the ported traffic at the router level. The target, pray it isn't one of our businesses, is screwed. Windows XP has mass potential to be installed on the average Joe's computer. And the average Joe would have no clue they were infected. I work in the MIS department at a school district in California.
And I can tell you that 80% of the computer users have no clue how to install or remove software. Furthermore, 95% of them wouldn't know how to troubleshoot why their cable modems would suddenly light up solid with outbound traffic. Or even know that was a problem. They pass along countless hoax virus warnings in email. And some even follow the steps to format their hard drive because the email from "Bill Gates" said so. The problem is not the number of infected victims, as you iterate. It is the undeniable inability to block or filter out the traffic. What's your answer? Probably along with the common answers, that there isn't a problem. Right? Or, what was it? Oh, I know... You said, "The real solutions to packeting are capital intensive, like load balancing and content distribution." Bollocks. Good day, --Chuck

In your article "Steve Gibson really is off his rocker", found here: http://www.theregister.co.uk/content/4/19925.html ... you said Steve Gibson is literally a roaming lunatic. I beg to differ. Having fixed and "uncompromised" a number of machines, it is obvious that there are a lot of infected machines today. It is also painfully obvious that most users cannot protect themselves or even detect the presence of SubSevens without the use of specific software. Also, after experiencing it personally, most ISPs don't give a f**k what users are doing on either side of the fence (I was trying to trace someone actually sending some sort of zombie-like software through e-mail). Unless you're some sort of authority, an ISP will either ignore you or be vaguely polite, to the tune of some legal mumbo jumbo about being preoccupied about your health and not being able to pick up the phone and call the police because all the lines are busy (...). And when that's not the problem, we have M$, who've proven they prefer to patch things up afterwards rather than plan security ahead in the first place. All of this is reason for great concern.
Now what Steve Gibson is REALLY saying is that there are loads of issues at hand and NO ONE CARES. Everyone sticks their heads in the sand hoping everything will turn out all right all by itself. Of course it won't. Also there is no public debate about this. There is only the media hyping attacks and attempts to compromise security. I think Steve's strategy is to make the most noise possible about these DoS attacks to bring about some practical changes in the way operating systems are built. It is also to bring to the forefront the obvious questions about ethical behaviour on the internet and the obvious temptation to lock everything down to ensure absolute security. We are long overdue for a public debate on that one. Sorry if the whole thing seems rather weak; I admit I'm sleeping between the paragraphs. And it's getting worse ... --Obi Wan Celeri

Hmm... I'm not sure he is, y'know. His point was that your average internet user (i.e. non-technical homebody) knows about as much about computer security as I do about microsurgery, which is to say that they've heard about it, they know lots of clever people do lots of clever things in that department, but they haven't a clue what they are. Now add into this that we're talking Microsoft here, a company whose built-in security can be described using two words: one of which is chocolate, and the other of which is fireguard. So, we have a lot of insecure PCs with the ability to get infected. So far, so good. This means we're not really going to be able to stop traditional trojans like SubSeven, etc. But at least we can trace boxes because we know the source IP. But raw sockets mean a program can construct its own packet, and spoof its source IP, changing it every second, or even every packet if it wants. This presents a nightmare scenario: buried under that mountain of IP packets is the real IP address, but we need to pick apart the route it's come from to find it.
The thing is that the most obvious tool to do this, traceroute, will give us the route to a foreign host. That means we can't really get hold of the actual source IP, because unlike a mail message, there's nothing in the TCP/IP specification that will add the routing to the packet as it goes along. So I'm afraid I have to agree with Mr G on this one. As for his figure of 90% of Windows users being idiots... don't you think he might have underestimated the percentage on that one? --SC

"Steve Gibson really is off his rocker": I hope that you will be as forthcoming when what he predicts becomes reality. --not signed

Hi, Just like to add my 2 cents. Scenario: If you have 2 hackers. The 1st has 5 zombie machines running Win98, doing DoS attacks. You can block these 5 because you know where they are coming from. The 2nd has 5 zombie machines running WinXP, as above, except that the IP is spoofed for every packet sent, and the spoofed IP addresses are random. Please tell me which is easier to stop. --not signed

Dear Thomas Greene, I am getting very tired of these articles about grc.com. DROP IT ALREADY. Gibson is simply trying to point out that when XP machines become infected (which, with the bone-headed computer users, will happen) these attacks will be un-filterable.... When a Windows 9x machine sends packets, the lack of raw sockets means that that computer's "fingerprint" (IP) is put on each packet. But with raw sockets on WinXP, that "fingerprint" will be a phony. I.e. you are wrong, you are too much of a baby to admit it, so you sit there using your writing "power" (as you wish it would be) to gain attention for yourself. Please stop this at once. Thank you. --not signed

Dear Mr. Greene: Essentially what you're saying, if I read your article correctly, is that the change in the Internet's infrastructure brought about by the mass-marketing of Windows XP will not be a problem for corporations willing to spend the necessary amount of money on defeating the more serious styles of attack.
So where does this leave JoeSmallBusiness.Com? Large corporations have to spend more cash, small corporations get it in the shorts, all because Bill Gates was too cheap to fix the problem and you were too arrogant to admit it was one. Thomas Greene, you really are off your rocker. --Jacob Day

Thomas, I have followed your flame war against Steve Gibson with quite some interest. My brother-in-law is a networking specialist, and I have been involved with PC technology at all levels for 19 years (my first machine was a 1MHz Ohio Scientific C1P!). We both have broadband, and we have both been hit by smaller attacks in the past. You have missed the central point - for anyone BUT corporate sites, filtering is and will remain the only effective method of dealing with DDOS attacks. Yes, the ISP can be slow at setting them up - but not always. Recently, my brother-in-law ran a test for a smaller client of his, and orchestrated a self-inflicted DDOS attack on his client's test site. Their ISP, BBN (or Genuity as they are now known) had a filter in place within 20 minutes, WITHOUT A PHONE CALL TO THEM, and the attack was rendered ineffective. Just because Gibson's ISP hadn't yet LEARNED how to monitor and effectively set up filters previously does not mean they will forget how to now. The NEXT DDOS on Gibson's ISP is likely to be met with a much faster response - because they can clone Steve's solution - which was VERY effective once it was in place. But WinXP will render all of this filtering knowledge obsolete, and probably difficult to reconstruct - with the spoofing available in XP/UNIX/Linux, no one knows HOW to examine packets for authenticity. So we have therefore lost the only tool available for shielding personal/small business IPs. As for MS's claim about defending against the initial compromise - well, that just doesn't hold water. It's a simple problem of all the eggs in one, well-known, basket.
A NetBUS script could EASILY alter my firewall settings by building new rules (it's just a file!), and grant itself unlimited and undetected access to my broadband - provided they know my firewall software make, or have a large library of attacks. Right now, script kiddies don't know what security software I have - they are just hoping I don't have any. Unfortunately, with the levels of security in XP, few people will buy off-the-shelf firewall and anti-virus software. THAT is the problem - anyone who can compromise XP's security by writing a NetBUS script that alters local firewall config files on an infected PC can write that script once, and know that it will work on nearly ALL XP boxes. The only way for this to be stopped is for XP users to not run "unknown" executables while logged in with Admin privileges, and make sure that all firewall settings require admin to modify the settings and files. However, given that there is so much that you need admin to do in Win2000 at present, I suspect most XP users will continue to run as members of the admin group, and the script kiddies will have their way... One other point - in all of your flaming of Steve, you have never mentioned ONE ADVANTAGE of having low-level IP services available. In effect, you did a cost/benefit analysis without mentioning any benefits - only by personal flaming. Highly unprofessional, IMHO, and makes me wonder if you have a commercial interest in MS, or are just getting paid by the word (hack, and not the computer type). regards, --Robert Hill

Mr. Greene, I think that you are a bit extreme in claiming that Steve Gibson is off his rocker, and your article inaccurately portrays what is stated on the GRC.com site. I read the accounts of the attacks, his claims about XP making the specific attack that he fought worse, and the Microsoft response to his so-called "loopy" claim.
Microsoft has, by far, the most machines on the 'Net - so it is probably inaccurate for you or Microsoft to claim that spoofing does not have the ability to dramatically increase with XP. Yes, you can already take advantage of raw sockets on Sun, DEC, etc. machines, but there isn't a significant malefactor community focusing on those platforms. Mr. Gibson is saying that the spoofing can dramatically increase with XP - rendering the filtering defense useless. Sure there are other issues, and greater issues, but don't get nasty because of a font choice. I believe that the guy is actually trying to provide a service to the community. I think that Microsoft tries too, but their focus on security is secondary - and there is so *much* code that it is *impossible* to secure. All you have done is taken a shot at someone who seems to be a decent fellow. Maybe he is a bit of a geek, but he seems to be intelligent, hard-working, and honest. Why take shots? Thank you, --Fritz Ames

Interesting columns, mate, but you didn't seem to really impale his true complaint. ... Packet spoofing makes an attack harder to filter out (you did note this), but the inability of Sub7 victims to be spoofed might be a mild deterrent to script kiddies. If the zombies can all be spoofed, and accountability is difficult or impossible to extract from their ISPs, then more and more mischief makers may go on a rampage. I don't agree with Gibson that this WILL happen, but the possibility of this is rather sobering. This is of concern because 24/7 "always on" consumer broadband is really catching on here in the States. And my firewall logs stray pings day and night from various US cable internet machines that are hosting Sub7 on its default IP, 27374. It's freaky - my "neighbors" out there are infected and waiting for commands to launch packet attacks. Poor sods. --not signed

You will have to try to explain yourself again. Either I don't understand you or...
you don't understand that easy spoofing with Windows machines can be the next major problem of the Internet. Where spoofed attacks already exist, usually some UNIX machine is used as a "zombie". Their number is perhaps limited and oftentimes a backup link is all that is needed to survive an attack. The fairly recent popularity of Linux made it clear that this era was coming to an end. Spoofed attacks are now much more effective, and attacks from what appear to be a few hundred machines do occur. However, Windows XP will exacerbate the problem greatly. When you get DDOSed by Windows machines, this is not a few tens of machines coming at you. This is hundreds and thousands of machines. Guess what, they can hammer your link, the backup link and the uplink routers... You cannot do much unless you have an OC-12 and your backup happens to be an OC-3 but you end up needing only a fractional T-1. Now, the funny thing is that if every packet has a spoofed address, tracing the origin of a packet becomes... say... difficult. Actually, it might well be that only a "Tier 1" ISP will be able to do some work to find the offending machines. Potentially, one by one... And the game is not over, since most of the offending machines will be on the network of Tier 2 or 3 ISPs (the political game will start). Windows XP will be installed by the tens of thousands on the Internet (perhaps millions). Several thousand will have insecure configurations and many will never get a single security patch for their lifetime, which can exceed 5 years in some cases. Of course, count on Microsoft, like any other software developer, to have introduced new security flaws in their product. In a few years from now, you can even think that it will be possible to DDOS the "Internet" by attacking some strategic backbone equipment, and then the Internet can take days or weeks to fully recover. So, it looks like Microsoft can help a great deal. Gibson is right.
--Jean-Yves Landry

While your mother might feel better after reading your article, anyone that knows anything about security and networking knows that XP being the OS installed on most of the machines in the future will be a bad thing. Let me point out some serious flaws in your article:

"The raw sockets which have Gibson so steamed enable a machine to send or capture data independent of the operating system -- quite handy if you're a software developer or an advanced hobbyist. And while it's true that this also enhances the packet-flooding capabilities of a Windows machine by making it easy to spoof packets, it's also true that this function is already included in most other operating systems, and can be added to an existing Win-9x, 'ME, or '2K machine quite easily with a library called WinPcap."

Most other OSes do NOT, I repeat NOT, have this ability. My guess is that Win9x machines are on 95% of the computers in the world. The other 5% are a split of servers running NT/2000, and the many flavors of *nix. Yes, it can be added in. Should we not lock our car doors, because someone can just break the window and get in? Of course not. We should, and can, lock our doors. Just as we should hope that Microsoft will not make it so that when your mother brings home her Best Buy Compaq Presario, and she gets infected with a Trojan/zombie, it's ready to wreak havoc out of the box. If a hobbyist wants the added ability to support the full TCP/IP implementation, they can then patch it themselves.

"All right, we'll allow that there'll be a few s'kiddies who might prefer to use their Win-XP boxes for such purposes. But they can already do so simply by installing Linux and doing a bit of reading."

These "kiddies" can use any OS they want to control their bots. It's your mother's computer which has been compromised which will be used to attack sites in the future, and no filtering in the world will be able to stop it. No way to trace the IP of the source machine. Nada, zip, nil.
Wait till these scripts these kiddies use are programmed to use all 3 classes of networks, spanning the entire range of IPs. Wait till these script kiddies use your mother's email program and a mail server which allows relaying, or maybe just flooding "theregister.co.uk" with spam mail. And knowing how pathetic Microslop products are about security in the first place, the true hackers will have found some vulnerability in XP that allows them to hack their way in, opening the door for the script kiddies. It will only take Microslop 3 months to release a patch, and are they going to mail a CD to your mother, who has no clue about security? Oh yes, the auto-update will patch it. Doubtful; the true hackers will have that disabled first thing. Time for your mom to break out her Compaq Quick Restore CD.

"Gibson, on the other hand, tells it like a loner in the desert, living, we would imagine, on locusts and wild honey for a bit too long a time."

No, Steve tells it like it is. We are only going to see more and more attacks. I'm just an average citizen, working in the IT industry, but I'll bet paycheck for paycheck a year from now it will be worse. DoS attacks will be more common because any script kiddie can hide behind a spoofed IP, without installing Linux (so they can still play Diablo while DoS'ing someone) and control hundreds of zombies hidden on computers, much like your and my mothers', and their friends'.

"He's written thousands of words on his Web site, denouncing Microsoft for putting something like real power into a consumer operating system. He's written memos to the company; he's warned all his site's visitors; but he's still not satisfied. The "XP Christmas of Death" is coming, he warns, immediately after which all the little s'kiddies will gleefully baptize us with fire."

Consumers have no need to spoof packets, do they? Name one application which needs spoofed packets. Name one advantage of having a fully implemented TCP/IP stack.
Name one thing that consumers will be able to do with it that they can't do now. Does your mother have a need to send spoofed packets? SYN or ACK packets? I think not. And for real power like a gun, don't you think people should be trained how to use it, much like the military does? Not like your mother is going to learn to even be able to notice her machine has been zombied. Microslop can give users a decent OS for once (okay, W2K is their best effort yet) and it can be secure, stable, and so on without a full RFC aka Unix compliant implementation of a TCP/IP stack. One more thing: at the start of your article you quoted the Bible; you'd better keep it handy. Maybe you can throw it at your cable modem and unplug it. And do us people in the IT industry a favor, and go write some home and garden articles. You don't know jack about network security, and you're handing a loaded gun to someone that doesn't even know it's a gun (WinXP). --Shawn McNeece

Mr. Greene: I believe you need to do more research before writing such a malignant article regarding Mr Gibson. Mr. Gibson knows more than you can imagine regarding security. His research concerning Windows XP has been thorough and his conclusions accurate. I used to be a "white-hat hacker," though those experiences were for the challenge and to avenge various attacks against my friends. Since then, however, I have become a network specialist working not only with businesses in Southern California, but for a large government agency as well. I, too, have explored the new capabilities in Windows XP, including the ease with which the full raw sockets can be used to take advantage of others. What Gibson states is unfortunately quite true, whether you wish to believe it or not. I am unsure as to what sort of research you did before writing your articles in The Register, but from what I can tell, you are simply attacking the author, lacking any real evidence or support for your arguments.
--AJ

As you have to admit in your own article, Gibson seems to be 'a security expert' and it can be assumed you are not, so maybe he is not 'talking absolute bollocks'. When a new item is to be developed the experts are the ones that are consulted, and Gibson's is one of those experts' opinions. Only that, but a grounded opinion. It is clear that avoiding spoofing will NOT stop DoS attacks but at least it will help to point out the origin of those and, at large, will help in reducing them (by letting the owners of the zombies be educated or by letting the attacker's ISP be warned). But with spoofed packets it will be absolutely impossible to do such a thing, so we will be PROMOTING DoS attacks by allowing the performers never to be pointed out. You claim that 'Gibson is ranting as if raw sockets are going to multiply the number of infected machines connected to the Internet. But that simply isn't true; the same primary obstacle to getting an attack started remains, spoofing or none, as Microsoft pointed out in their well-reasoned reply to Gibson: an attacker first has to compromise a number of client machines with which to packet the target system' and that 'There's nothing in Windows-XP that affects it, and nothing in raw sockets either. We still have x victims out there'. But I think that is NOT the point. The point is that hackers will quickly UPDATE all the already compromised machines with the new spoofing version of sub-seven or whatever you like with nearly no effort. From that point on it will be impossible to detect and point out those machines. With a well established 'zombie base' they can then redirect all their efforts to compromising and gaining control of new machines without worrying about anyone discovering their already working zombies. So we can expect things will be getting worse in a steep curve. And with very little effort from hackers. I believe that not avoiding that is in fact promoting it.
MS can't claim that as they have not done any harm they are not responsible. If they build the weapon that allows others to cause harm I think they are, at least, ethically responsible, because they know and have been advised of the future damages. The claims from Microsoft are scary; if, by the mouth of an MS techie, 'anyone could get a "certificate" with which to sign a malicious driver', how is it supposed XP will protect us against 'unsigned' (read untrusted) drivers and other threats? If the security model is deprecated by those that are promoting it we had better turn the computer off. Anyway, writing a driver is by far more difficult than writing an exe file, so we can expect a lot fewer 'certificated spoofing drivers' than 'spoofing exes'. So I adhere to Gibson's claim that MS is wrong and that an increase of 'trash traffic' is to be expected in the near future. And remember, we all pay for that litter traffic, so we will all pay for this mistake. Being paranoid is the only countermeasure we have and it has shown insufficient. So think about not being security paranoid. Maybe Windows users are no idiots, but they surely are not too concerned about security as far as can be seen. If you fire a gun you can at least say where the bullet is coming from. But when bullets are able to turn corners there will be no way to stop the shooting. And at the end everybody will get injured. And finally, all this discussion would not deserve a single minute should raw sockets be a vital element for XP to work. But MS has demonstrated with NT that this is not true. --Miguel Erill

I think it's only a blind man who can not see what Gibson is talking about... It goes beyond your knowledge and understanding of security. --Yaya

I guess I can't see the point of your article. Other than slandering Steve Gibson's name, what is it that you are trying to say? That he is not entitled to his own opinion? You admit in your column that spoofing makes things more difficult. Sure it does.
And it also makes it harder to trace back and find the person(s) responsible for DDoS attacks. All that aside, I still don't see the point of your column, other than to cast aspersions at someone whose opinion is different than your own. I for one have had to deal with innumerable holes in Windows, and the sheer popularity of the platform makes it a popular target. I think what's really of concern here is that although Microsoft issues patches for their security problems, sometimes they must be prodded into doing so. The average user should not be required to spend excess amounts of time learning how to prevent problems when the problems can be more easily prevented at a software development level. It's easy to say they need to be responsible, but it is what it is, and the vast majority of Windows users at home do not have a fundamental understanding of what their operating system is really doing. It's the reason that technical support exists. But once again, can you please explain what the point of your rant was, other than to say you're correct without any substantial evidence to prove your point? I found it rather crude mud-slinging instead of responsible journalism. --not signed

Hello Mr. Greene, I am not trying to be a typical respondent that is flaming you because of your opinions of Mr. Gibson's take on raw sockets in XP. But it is attitudes such as yours that will leave the Internet even more vulnerable to attack by script kiddies. You seem to be telling the clueless masses that it is OK to run an insecure and wide open machine on the Internet. Here in America, the people that do this can be held liable for any attacks launched from their machines regardless of whether they were cognizant of it or not. I have to agree with Mr. Gibson. Why make it any easier for these bozos to make zombies of security-incompetent people's machines? It just doesn't make sense. And the argument that these kids could just install Linux and read a book is nonsense.
As someone who is making a career of UNIX/Linux, I can tell you that a 13 year old that has mastered Windows and launching script attacks from it/to it will have a lot tougher time trying to figure out the same things in UNIX/Linux. There is a lot more to overcome when attempting to compromise a UNIX/Linux box as opposed to a Windows machine, not to mention the severe learning curve when coming from a Windows environment. And the amount of people adopting DSL and cable access is just going to aid in turning the Internet into a big playground for script kiddies and wanna-be hackers. Thanks for taking the time to read this. Sincerely, --Tom Wilson
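The two-hacker scenario that runs through the letters above (five zombies that cannot forge their source address against five that forge a fresh one on every packet), worked as an added simulation. This is constructed example code, not code from any letter writer, from GRC or from The Register; the zombie addresses, packet counts and the blocklist threshold are made-up inputs.

```python
"""
Simulation: how a per-source-address blocklist, the kind of filter the
letters describe an ISP installing during a DDoS, performs against zombies
that send their real source address versus zombies that spoof a random
source address on every packet. Everything below is constructed.
"""
import random
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    header_src: str  # source address as written in the IP header (may be forged)
    real_src: str    # host that actually emitted it; never visible on the wire


def honest_zombies(hosts, packets_each):
    """Zombies without raw sockets: the header carries their real address."""
    return [Packet(h, h) for h in hosts for _ in range(packets_each)]


def spoofing_zombies(hosts, packets_each, rng):
    """Zombies with raw sockets: a random 32-bit source address on every packet."""
    out = []
    for h in hosts:
        for _ in range(packets_each):
            forged = ".".join(str(rng.randrange(256)) for _ in range(4))
            out.append(Packet(forged, h))
    return out


@dataclass
class SourceBlocklist:
    """Filter at the victim's ISP: block a source once it exceeds `threshold` packets."""
    threshold: int
    seen: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)

    def admit(self, pkt):
        """Return True if the packet is forwarded to the victim, False if dropped."""
        if pkt.header_src in self.blocked:
            return False
        n = self.seen.get(pkt.header_src, 0) + 1
        self.seen[pkt.header_src] = n
        if n > self.threshold:
            self.blocked.add(pkt.header_src)
            return False
        return True


def run_filter(packets, threshold):
    """Push packets through the blocklist; report what got through and what was learned."""
    fw = SourceBlocklist(threshold)
    passed = sum(1 for p in packets if fw.admit(p))
    real_hosts = {p.real_src for p in packets}
    return {
        "sent": len(packets),
        "passed": passed,                                   # packets that still hit the victim
        "distinct_sources": len(fw.seen),                   # size of the table the ISP must track
        "blocklist_entries": len(fw.blocked),               # rules the ISP ended up installing
        "zombies_identified": len(fw.blocked & real_hosts),  # addresses worth reporting upstream
    }


def compare(n_zombies=5, packets_each=1000, threshold=10, seed=1):
    """The two-hacker scenario from the letters, with constructed zombie addresses."""
    hosts = [f"198.51.100.{i + 1}" for i in range(n_zombies)]  # constructed (TEST-NET-2)
    rng = random.Random(seed)
    return {
        "fixed_source": run_filter(honest_zombies(hosts, packets_each), threshold),
        "spoofed_per_packet": run_filter(spoofing_zombies(hosts, packets_each, rng), threshold),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

With the defaults, the fixed-source attack is cut to 50 packets by five blocklist entries that also name all five zombies, while the spoofed attack passes all 5000 packets, leaves the blocklist empty, and identifies nothing.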
Thomas C Greene, 09 Jul 2001

The Gibson letters

Few stories in Register history have generated the volume of accolades, essays and flames that our coverage of WinXP raw-socket Cassandra Steve Gibson has done. Herewith your letters, divided into three categories:
1. Thank God someone's finally exposing this charlatan
2. You both make good points, but we're still leaning in Steve's direction
3. Steve walks on water; you're a moron, and so's your old man
Thomas C Greene, 09 Jul 2001

UK homes on Net pass 10 million mark

Ten million homes in the UK are hooked up to the Net, according to the latest research from telecoms regulator Oftel. While four million homes have connected to the Net during the last year, one-and-a-half million homes signed up in the three months between February 2001 and May 2001. The rise in home usage appears to tie in with the growing availability of unmetered narrowband access to the Net, which caps the cost of Net access for both home users and ISPs. The research shows that a quarter of all UK homes that use the Net have unmetered packages. The survey also shows that broadband take-up remains insignificant - too small even to measure accurately. While Oftel's research claims that 2 per cent of Net users have DSL, it tempers its finding by adding that industry estimates suggest this figure is actually less than 1 per cent. In addition, 3 per cent of consumers claimed to be using cable modems to access the Net, although Oftel reports that, once again, industry estimates for cable modem use are actually less than 1 per cent. In a bid to work out why take-up of broadband services is so low, the report concludes: "Although based on a small sample, ADSL users seem to be under the age of 34 and amongst the AB social grades with higher household income, which perhaps indicates that the cost of this service continues to play a major part in uptake." ADSL too expensive? Never. ®
Tim Richardson, 09 Jul 2001

‘MS antipiracy’ hoax triggers paranoia attacks

So there you are, lurking on IRC somewhere beyond the fringes of legality, and you're not sure if all of the software on your machine is entirely legitimate. Or, to paint a more realistic scenario, deep down you know that not all of the software on your machine is entirely legitimate. Then Microsoft's anti-piracy people take control of your machine, tell you they know all of this, and they're coming round to see you. Over the past ten days or so several people have forwarded The Register screenshots that purport to show precisely this happening. There are different permutations, but the basic format is that you get a Messenger Service popup on the screen, telling you something along the following lines:

"Message from Microsoft to [your IP address] on [time and date]
One or more of your Microsoft products are not genuine Microsoft products. For more information, please go to http:www.microsoft.com/piracy/ where you can find out if your product(s) are legal. Your IP has been logged by our Anti-Piracy team, and you will be contacted shortly [incident ref code]"

On Friday there was also a screenshot of an IRC version posted on the web, but unfortunately this has either been blocked or pulled over the weekend. That one was a delicious piece of paranoia fodder that appeared to confirm all of the warez community's worst fears about narks from Redmond trawling their IPs from #stealmsofficenow then sending the snatch squad into their bedrooms. So it's a pity it's gone. Naturally, The Reg was kind of suspicious about this. We thought the message was probably a hoax, but that it was quite an amusing one. Practically everybody in the world thinks that Microsoft will get up to this kind of thing one day, and practically nobody is prepared to state that it's obviously a hoax without doing some further checking. Funnily enough this applies to Microsoft's people as well; when we called them they said it looked like a hoax, but they'd get back to us.
So even within the Mighty Redmond they don't entirely discount the possibility that - say - some crazy in Microsoft Research has accidentally unleashed the Enforcementbot on the world, with all that implies to them for damage-control. But they did get back to us, it is a hoax, and this is how you do it. You rename your machine 'Microsoft' then reboot. Then you run the command net send [target IP address] "insert menacing message here", and voila, your victim has pulled the plug out of their machine and is hiding under the bed quaking with terror. They probably reacted so fast they didn't even pause to note how strangely like a printer job popup the message looked. It's a simple one, but it's one of those scams that convince people because they want to believe it. And anyway, it's bound to happen for real one day, isn't it? ®
John Lettice, 09 Jul 2001

France to spend FF30bn on broadband for all push

France is set to commit itself to nation-wide broadband Net access by 2005, according to a Reuters report over the weekend. It's estimated that wiring up the country would cost around FF30 billion (£3 billion). However, the French Government realises that the private sector alone will not fork out for such an investment - especially in more rural areas. That's part of the reason why the French Government is to make available FF10 billion (£1 billion) worth of cheap loans to help fund the investment. The French Government appears to have recognised that if it wants broadband to be universally available then it will have to intervene to help realise that goal. In a telling statement a French Government spokesman told Reuters: "If we bowed to the logic of the market, in five years time a quarter of the French population and 70-80 percent of our land mass would not have access to high-speed links." This is in sharp contrast to the position of the British Government, which, like its French counterpart, has also made 2005 its goal for broadband. However, Downing Street believes it is up to the market to fund and drive forward the roll-out of this technology. Government's role, it believes, is merely to give the process encouragement. Instead of handing out cheap loans, the British Government hopes the lure of public sector spending in broadband will generate sufficient demand for companies to invest in expanding services across the country. Time will tell. In September government advisors are set to report their findings on kick-starting the broadband sector in Britain. ®
Tim Richardson, 09 Jul 2001

Half of British Airways' IT staff to get push

British Airways is about to sack half its IT contractors, according to an internal memo seen by Silicon.com. The estimated 150 losses will happen by September but far from the cuts remaining permanent, existing contractors will instead be replaced by cheaper staff from India, Silicon alleges. The memo, dated 2 July 2001, comes from CIO Paul Coby and IT director Peter Radcliffe. It says that as part of cost-cutting, staff levels would have to be brought back down to last May's. BA confirmed that 100 contractors will not have their short-term contracts renewed, but with an existing 300 contractors on the payroll, this may extend to 150 people. Most incredibly though, Silicon claims sources at BA have said the work done by the fired contractors will be taken on by Indian workers brought into the country and paid a fraction of what UK contractors charge. The memo confirms trade associations' fears about cheap labour being brought into the country for short-term contracts. Last year, the DTi said it was opening up the UK to workers from abroad. A big row erupted when stonemasons working on a new temple in Wembley were found to be earning far below the minimum wage. The highly skilled workers had been brought over from India and were held within a temple compound. They were happy with the wages - above what they earned in India - but a judge ruled they must be paid minimum wage. Many professional contractors suddenly realised the danger such outside workers presented to their livelihoods. This BA deal may be just the first of many in the IT industry. ® Related Link Silicon.com's story
Kieren McCarthy, 09 Jul 2001

Marconi's Mayo kicked out; board keeps head down

Marconi announced late on Friday that its deputy CEO John Mayo has resigned from the telecoms equipment manufacturer, following a disastrous profit warning on Thursday that saw shares fall by over 50 per cent. Stakeholders were furious and bayed for senior management scalps. Mayo's departure will keep the hordes at bay - at least that is what current CEO (Lord) George Simpson is hoping. Simpson was due to become chairman and Mayo to step into his boots. Now, Simpson will remain as CEO and Sir Roger Hurn will be retained as chairman. Marconi's board is keeping a low profile at the moment though, and despite the extraordinary events of the last few days, a company spokeswoman told us there are no plans for a press conference. It may only be a stay of execution for Simpson, however. Several major shareholders have spoken against him, calling him a "mere caretaker". Simpson will be 60 this time next year, so with luck he will be able to argue that he can find a replacement CEO in that time and then step down. John Mayo left with the anodyne statement: "Marconi is a great company going through difficult times that are not of its own making. The entire workforce faces immediate short-term challenges and it is inevitable that sacrifices will have to be made for Marconi to enjoy the prosperity and growth available in the medium and long term. I wish all my colleagues good fortune and look forward to my Marconi shares under George's stewardship appreciating in value over the coming years." Marconi's share price has recovered slightly to 106.5p from a low of 96.5p on Friday. The company's shares hit a peak of 1250p in September 2000. ® Related Stories Marconi drops even further; everyone suffers Massive fall-out from Marconi share collapse
Kieren McCarthy, 09 Jul 2001

AOL UK stuffs Freeserve in popularity battle

Freeserve's dominance of the domestic UK ISP market appears to be at an end, according to the latest research from telecoms regulator, Oftel. The winged watchdog's survey Consumers' use of Internet: Oftel residential survey Q5 May 2001 shows that Le Freeswerve's share of the domestic market has slumped from 29 per cent in July 2000 to just 18 per cent in May 2001. In contrast, AOL UK's share of home users has soared increasing its market share from 8 per cent to 17 per cent during the same period. That leaves AOL UK just one percentage point behind Britain's biggest French ISP. And since the survey was carried out in May it's possible that AOL UK has already overtaken Le Freeswerve as Britain's most popular ISP. The market share of third place BTinternet remains flat at 12 per cent. A spokeswoman for AOL UK was delighted with the news explaining that since its introduction of flat rate charges in September, its user base has increased dramatically. No one was available for comment from Le Freeswerve by press time. ®
Tim Richardson, 09 Jul 2001

Mono to open source .NET by mid 2002

A software libre implementation of Microsoft's .NET broke cover today, with GNOME lead Miguel de Icaza promising to have .NET code ready by the middle of next year. Ximian's Mono project (that's Spanish for monkey) consists of three parts: a Linux C# compiler, a virtual machine, and the common language runtime, so Linux developers will be able to create and deploy .NET apps on Linux in languages other than C#. The work will be released under the GNU GPL or LGPL and collaboration is encouraged. The Microsoft SDK will be supported, according to the Mono FAQ, and the project uses and promises to extend GNOME libraries. Although Ximian's announcement refers to Linux throughout, and specifically mentions a Win32 (on x86) version, since it's open source it'll run on any GNOME- (or glibc-) friendly platform: which these days includes the free BSDs and almost every Unix too. So Sun Microsystems, which is committed to making GNOME the default UI for Solaris, will find itself hosting a Microsoft production platform for the first time. Has anyone told Scott? Timescales are deliberately open ended, but there's talk of getting the Win32 implementation of the C# compiler up and running by the end of the year. "A rough estimate is that we might be able to run our C# compiler on Linux by the end of the year. That means running the Windows Executable generated by a Microsoft .NET compiler on the Linux platform." Future suggestions include a CORBA bridge, a JXTA protocol, and a mail API. Ximian has yet to decide whether the project will be hosted on GNOME mirrors or at SourceForge. Ximian stresses that this is way more ambitious than the joint development agreement between the Beast itself and Corel to port parts of .NET to FreeBSD announced ten days ago. That doesn't cover GUI apps or allow FreeBSD to host the database, says Ximian.
Ximian called in the great and the good to vouch for the project: Perens, O'Reilly and Michael Tiemann of Cygnus fame (now Red Hat) all endorse Mono in the initial press release. In some ways there isn't a philosophical difference between Mono and, say, Cygnus supporting Win32 as one of many target platforms for its gcc compiler, which it's done for many years. Nor is the practice of chasing the tail-lights new. But politically, it's a landmark for software libre: giving its blessing to a controversial platform that's heavily vertically integrated. The technical infrastructure - the language and schemas - is 'open' - but .NET services in Microsoft's preferred implementations so far (HailStorm) are driven through the Beast's own Passport authentication mechanism, and no one else is allowed to play. If it's successful, Mono will allow .NET apps to be written without needing to drive through the Redmond tollgate. We'll update this with words from Miguel himself in a few minutes. ® Related Link: Mono. Related Story: Call my bluff - how smart is reverse engineering .NET?
Andrew Orlowski, 09 Jul 2001

PoizonBOx hacks past security firm's ‘honey pot’

New Zealand security firm Co-Logic has become one of the latest victims of prolific hacking group PoizonBOx. In order to monitor hacker activity the security assessment firm had set up a "honey pot" server, a poorly protected section of its Web infrastructure that contained no real data and was designed purely to log the activity of crackers. However, after hacking into this site, PoizonBOx was able to break into the firm's genuine systems, IDG reports. The defacement has been recorded by Alldas.de and can be seen here. Paul Rogers, network security analyst at MIS Corporate Defence, said there were a number of unanswered questions about the attack, particularly how the hackers were reportedly able to leapfrog from decoy to real systems. "Honey pot servers should be set up on a separate network segment with no access back to admin systems," said Rogers. "Such systems need to be constantly monitored by systems admins, who should receive alerts when they are compromised." "If you're doing something to tempt hackers to inspect systems then you need to have the right policies and procedures in place. Otherwise you're playing with a hot potato," he added. The vulnerability in the Co-Logic site (e-secure-it.co.nz) came about because of an incomplete un-installation of FrontPage 98, which left the site open to a FrontPage extensions vulnerability. To make matters worse, after PoizonBOx ran rings around the firm's security, another hacker group opposed to PoizonBOx reportedly re-defaced the site. Co-Logic founder Arjen de Landgraaf tried to put a brave face on the security breach. "In a sense it is embarrassing, but as a result we discovered a new vulnerability we weren't aware of," de Landgraaf told IDG. Over the last month, PoizonBOx has engaged in a prolific defacement spree which has seen the Web sites belonging to the foreign subsidiaries of IT firms (such as Samsung and Acer) and the sites of household names, such as Ford and Sony Music, fall victim to defacement. 
MIS' Rogers said PoizonBOx was likely using automatic vulnerability scanning and defacement tools, which are easily available in the digital underground. There's no sign that the hacking attacks will let up, so users were urged to bolt up their security hatches, or else risk becoming victims of defacements themselves. ® External links: Security specialist succumbs to hackers; A record of PoizonBOX's defacement spree from Alldas.de
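Rogers' two recommendations above (a honey pot segment with no path back to admin systems, and constant monitoring with alerts) can be turned into concrete checks. The script below is an added example and is not Co-Logic's, MIS Corporate Defence's or IDG's code: the log formats, the subnet addresses and the sample log lines are all constructed for the illustration. It flags any connection that originates on the honey pot segment and lands in the admin subnet (the leapfrog the article asks about), and any request for the directories FrontPage Server Extensions leave behind (`/_vti_bin/`, `/_vti_pvt/`, `/_vti_cnf/`) on a site that is supposed to have FrontPage removed.

```python
"""Added example: two monitoring checks drawn from the advice in the article.

Not Co-Logic's, MIS Corporate Defence's or IDG's code. Log formats, addresses
and subnets are assumed; every log line below is constructed for the example.

 1. A honey pot segment should have no route back to admin systems, so any
    connection that starts on the honey pot segment and lands in the admin
    subnet is itself an alert.
 2. Requests for FrontPage Server Extensions directories on a site that is
    supposed to have FrontPage removed suggest the uninstall left something
    behind and that it is being probed.
"""
import ipaddress
import re

HONEYPOT_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed honey pot segment
ADMIN_NET = ipaddress.ip_network("10.10.0.0/16")      # assumed admin network

# Directories created by FrontPage Server Extensions.
FRONTPAGE_PREFIXES = ("/_vti_bin/", "/_vti_pvt/", "/_vti_cnf/")

# Apache-style access log line: client ident user [time] "METHOD path proto" status size
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Assumed connection-log format from the honey pot's firewall: time src:port -> dst:port proto
FLOW_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<proto>\w+)$'
)


def check_access_line(line):
    """Return an alert dict if the request targets a FrontPage extension path."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    if m.group("path").lower().startswith(FRONTPAGE_PREFIXES):
        return {"kind": "frontpage_probe", "src": m.group("src"),
                "path": m.group("path"), "status": int(m.group("status"))}
    return None


def check_flow_line(line):
    """Return an alert dict if a honey pot host connects into the admin subnet."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    src = ipaddress.ip_address(m.group("src"))
    dst = ipaddress.ip_address(m.group("dst"))
    if src in HONEYPOT_NET and dst in ADMIN_NET:
        return {"kind": "honeypot_to_admin", "src": str(src),
                "dst": str(dst), "port": int(m.group("port"))}
    return None


def scan(access_lines, flow_lines):
    """Run both checks and return every alert in log order."""
    alerts = [a for a in map(check_access_line, access_lines) if a]
    alerts += [a for a in map(check_flow_line, flow_lines) if a]
    return alerts


# Constructed sample logs (addresses from the RFC 5737 documentation ranges).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [09/Jul/2001:10:12:01 +1200] "GET /index.html HTTP/1.0" 200 1234',
    '203.0.113.7 - - [09/Jul/2001:10:12:03 +1200] "GET /_vti_pvt/ HTTP/1.0" 403 287',
    '203.0.113.7 - - [09/Jul/2001:10:12:04 +1200] "POST /_vti_bin/ HTTP/1.0" 200 512',
    '198.51.100.9 - - [09/Jul/2001:10:12:09 +1200] "GET /robots.txt HTTP/1.0" 200 68',
]
SAMPLE_FLOW_LOG = [
    "2001-07-09T10:13:00 192.0.2.10:4321 -> 198.51.100.5:80 tcp",   # honey pot to internet: fine
    "2001-07-09T10:13:05 192.0.2.10:4322 -> 10.10.1.20:22 tcp",     # honey pot into admin net: alert
    "2001-07-09T10:13:07 10.10.1.20:5555 -> 192.0.2.10:22 tcp",     # admin to honey pot: not flagged here
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_ACCESS_LOG, SAMPLE_FLOW_LOG):
        print(alert)
```

The flow check is deliberately one-directional, mirroring Rogers' wording: a firewall that is doing its job should make the honey-pot-to-admin alert impossible to trigger, so seeing it at all means the segmentation has failed, which is exactly the unanswered question in the Co-Logic case.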
John Leyden, 09 Jul 2001

Telewest and ntl in joint bid to plug broadband

Telewest and NTL are to run a joint advertising campaign to promote broadband services and "accelerate the take-up of broadband services throughout Britain", the cablecos confirmed today. The campaign - believed to cost around £4 million - will begin in a fortnight and run until mid September. It's designed to highlight the benefits of broadband internet to consumers throughout the UK and Ireland. According to the latest figures broadband access over cable is currently available in nine million homes, although this figure is expected to rise to 11.6 million homes by the end of next year. As of May 2001, ntl had 26,300 punters; Telewest had 18,600 broadband cable customers. Adam Singer, CEO of Telewest, said the campaign was a "shot in the arm for Broadband Britain". ®
Tim Richardson, 09 Jul 2001

Web caching tech boosts network performance 400%

Networking firm Expand Networks is trying to extend the benefits of Web caching to all enterprise data traffic with appliances it claims can boost network performance by as much as 400 per cent. Expand's Accelerator product line works with a variety of network configurations including ADSL, ISDN, Managed Frame Relay and Wireless environments, boosting the capacity and speed of these connections by between 100 and 400 per cent, according to Expand. The firm recently announced the launch of the beta version of its new operating system, ExpandOS 4.0, which supports LAN-based security services and scalability beyond 2Mbps with rack and stack boxes. The idea of Web caching, pioneered by such firms as Inktomi, Cacheflow et al, is now well established and applying similar ideas to optimise WAN connections seems to make sense. In a Web cache commonly requested web pages are held locally, and the technology will try to service user requests from pages held in the cache before looking for information at a remote site. Similarly, by placing Accelerator boxes at both ends of a private line, the units adapt to network patterns and protocols to locally store commonly transmitted patterns of data, each of which is represented by a token. When the local cache sees this pattern of information again (which Expand's regional manager Scott Dobson said could be anything from corporate expenses spreadsheets to VoIP headers) the Accelerator sends only the representative token to the remote site, where the data is transformed back to its original form. The technique won't work for encrypted data and two units (priced at around $12,500 a go) are required; nonetheless Expand's approach has been well received by a number of customers including Motorola, Texas Instruments and the United States Department of Defense. Expand is also targeting telecom resellers and ISPs in marketing its technology. ® External links: Expand Networks
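The two-ended token scheme described above is easy to model. The following is an added example, not Expand Networks' code: the fixed 32-byte chunking, the SHA-256-derived token and the one-byte wire tags are assumptions made for the illustration, and random bytes stand in for encrypted traffic. Both ends keep an identical table of chunks they have seen; the sender replaces a chunk already in the table with a short token, the receiver expands it from its own copy, and because both tables are updated in the same order they stay in step without any extra synchronisation traffic. The example also shows the caveat from the article: ciphertext has no repeating patterns, so the table never gets a hit and the wire carries slightly more than the payload.

```python
"""Added example: a toy model of the two-ended pattern-token scheme the article
describes. Not Expand Networks' code; the chunking, hashing and wire format are
assumed for illustration, and random bytes stand in for encrypted traffic.
"""
import hashlib
import os

CHUNK = 32          # bytes per pattern (assumed; real units adapt to the traffic)
TOKEN = b"\x01"     # wire tag: followed by the 8-byte digest of a chunk both ends know
LITERAL = b"\x00"   # wire tag: followed by a 1-byte length and the chunk itself


def digest(chunk):
    """Short identifier for a chunk; this is the 'token' both ends agree on."""
    return hashlib.sha256(chunk).digest()[:8]


class Accelerator:
    def __init__(self):
        self.table = {}          # digest -> chunk, learned from traffic
        self.tokens_sent = 0     # tokens emitted by the most recent encode()

    def encode(self, payload):
        """Replace known chunks with tokens; teach new chunks to the table."""
        out = bytearray()
        self.tokens_sent = 0
        for i in range(0, len(payload), CHUNK):
            chunk = payload[i:i + CHUNK]
            d = digest(chunk)
            if d in self.table:
                out += TOKEN + d
                self.tokens_sent += 1
            else:
                self.table[d] = chunk
                out += LITERAL + bytes([len(chunk)]) + chunk
        return bytes(out)

    def decode(self, wire):
        """Rebuild the payload, learning literals in the same order as the sender."""
        out = bytearray()
        i = 0
        while i < len(wire):
            tag = wire[i:i + 1]
            i += 1
            if tag == TOKEN:
                d = wire[i:i + 8]
                i += 8
                out += self.table[d]
            else:
                n = wire[i]
                i += 1
                chunk = wire[i:i + n]
                i += n
                self.table[digest(chunk)] = chunk
                out += chunk
        return bytes(out)


def transfer(sender, receiver, payload):
    """Send payload across the pair and report what went on the wire."""
    wire = sender.encode(payload)
    return {"payload_bytes": len(payload), "wire_bytes": len(wire),
            "tokens": sender.tokens_sent, "ok": receiver.decode(wire) == payload}


def sample_rows(n):
    """Constructed expense-report rows, each exactly CHUNK bytes long."""
    return b"".join(b"expenses,EMEA,2001-07,%06d.50\n" % i for i in range(n))


def demo():
    a, b = Accelerator(), Accelerator()
    rows = sample_rows(20)                       # 640 bytes of spreadsheet-like data
    first = transfer(a, b, rows)                 # nothing known yet: all literals
    second = transfer(a, b, rows)                # same report again: all tokens
    secret = transfer(a, b, os.urandom(640))     # stands in for encrypted traffic
    return first, second, secret


if __name__ == "__main__":
    for label, r in zip(("first send", "repeat send", "encrypted"), demo()):
        print(f"{label:12s} {r}")
```

On the constructed data the first send costs two bytes of framing per chunk, the repeat send goes out as twenty nine-byte tokens, and the random stand-in for ciphertext never hits the table. The model also makes the operational hazard visible: if one end's table is lost or diverges (a reboot, a dropped literal), a token the other end cannot resolve corrupts the stream, so real units need a way to detect and resynchronise, which this toy does not attempt.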
John Leyden, 09 Jul 2001

Diary of a dotcom demise

Handheld site Brighthand is currently in limbo while its founder Steve Bush decides what to do. But, interestingly, he has written a lengthy document on the history of the dotcom and why it's in trouble. Called "apology.html" it is basically a first-person account of that now-familiar phenomenon - the dotcom burst bubble. You won't learn anything particularly original but it makes good reading nonetheless. Basically, Steve set up the site as a hobby. He wrote a few pieces on handhelds and was unexpectedly inundated with emails. The site grew and grew - as did the hours he had to put into it and the bandwidth costs. Before he knew it he was working all the hours God sent and forking out a couple of grand a month running the site. And then the online advertising angel descended. The money came in, Steve quit his jobs and started working full-time on the site. Then the advertising slump, content troubles, mistaken partnerships, ever-increasing traffic and costs - and away went his savings. Readers offered to help with cash, which amounted to little but left Steve with massive headaches in the form of irate and abusive punters. Now, Steve has to decide what on earth he can do with the site. And this, ladies and gentlemen, is the story of our times. Read it. Or give Steve some money. ® Related Link: The dotcom collapse through Steve Bush's eyes
Kieren McCarthy, 09 Jul 2001

‘Waiting for i845’ syndrome lands Intel with P4 glut

Sources in Silicon Valley claim Intel is facing a nightmare glut of P4s, as cannier buyers hold off pending the arrival of the i845 chipset and the associated cheaper memory. The i845, due in the middle of this quarter, will initially allow you to use PC133 rather than RDRAM, and considering the ramifications of that one might speculate that the canniest of canny buyers will simply hold off some more, and wait for DDR. According to our sources, the P4 inventory could have a severe impact on Intel's Q2 figures, due on 17th July. The i845 with PC133 support may have some impact after that, but tagging geriatric PC133 SDRAM technology onto the P4 can't exactly be what the designers of Intel's 'state of the art' had in mind. Over at Tom's Hardware Dr Tom himself is currently pointing and laughing at this deranged initiative. The Good Doctor reckons you'd have to be crazy to go for this combo, and points out that i845, P4 and DDR is the obvious solution. DDR support is in the i845 chips Intel is currently shipping to the mobo makers, but the green light for actually using it isn't due until January 2002, for not entirely explicable reasons. So what happens? Intel runs a murderous price war with AMD, but the lacklustre nature of the 'volume' P4 platform continues to maim P4 sales levels. If that turns out to be the case, the DDR roadmap may get accelerated more than a tad. Oddly enough parts of Intel (or at least the parts that post other people's stories) seem to agree with Doctor Tom. Over at the Intel APAC channel site they're currently running a reprint of a DigiTimes piece which observes that "with the announcement of Intel 845 chipset, which supports PC 133 and DDR SDRAM, and the introduction of 478-pin Pentium 4 processors, Intel was expected to correct its decision to just support to RDRAM." But not yet? ®
John Lettice, 09 Jul 2001

£31 billion hostile bid for AT&T Broadband

Cable TV company Comcast has made a $44.5 billion (£31.5 billion) hostile bid for AT&T's broadband division. The arm includes the giant telco's cable and Internet interests, including Excite@Home. If the buy were to go ahead, it would create a broadband giant with 22 million subscribers. The unsolicited bid was made on the same day that AT&T's wireless division became fully independent. However, despite both companies having been in talks for months, AT&T has said it has no plans as yet to sell off Broadband. The deal came in the form of a letter to chairman and CEO of AT&T Michael Armstrong, which Comcast has posted on its Web site here. Comcast - which claims a merger would benefit both companies to the tune of $1.25 billion a year - is the US' third biggest cable provider. It also owns QVC, which offers TV and Net shopping in the UK. "This is an extremely compelling combination for AT&T and Comcast shareholders, customers and employees," wrote Comcast chairman Ralph J. Roberts. He also admitted that Comcast and AT&T had been considering this very deal for months, but it was "unfortunate that we were unable to continue our dialogue". No mention of job losses was made, unsurprisingly. The proposed deal is share-only, and Comcast has also offered to pick up other AT&T interests in Time Warner, Cablevision, and Rainbow Media. AT&T shareholders would retain majority control over the company. The deal, says Comcast, offers AT&T shareholders Comcast shares at $12.60 when they are currently worth $16.80. Comcast will also pick up AT&T Broadband's $13.5 billion of debt, making the deal worth $58 billion (£41 billion) in total. AT&T is breaking itself up in a bid to cut its debt and help it become more competitive. Its plans have been paralleled in the UK by BT, also suffering under heavy debt and sluggishness. BT announced last week that its joint venture with AT&T, Concert, is to be scrapped and split between the two behemoths. 
® Related Link: Comcast press release and letter. Related Stories: BT to announce death of Concert; We know BT's future strategy
Kieren McCarthy, 09 Jul 2001

Anti abortion activists step up UK Net campaign

A Scottish pro-life group plans to step up its campaign to put the names of British doctors and NHS staff involved in abortion on the Internet. The UK Life League is encouraging surfers to send in the names and contact details of anyone involved with family planning or abortion in Britain. These details are then put on the "Hall of Shame" section of the group's Web site, which states: "Listed hear [sic] are active supporters of child abuse. They must be exposed. The same sort of people would probably have supported slavery, apartheid etc. when it was politically correct to do so." Jim Dowson, a UK Life League representative, told The Register: "Why shouldn't we have the names? They work for publicly funded bodies." According to Dowson, the group "doesn't expect anything to happen" to the people listed on the site. It does not, he says, advocate violence. "The day will come when they will be held to account by the law...We want to see the glare of publicity on them," he said. The online naming and shaming is part of a wider campaign - which will be the biggest to date from the UK Life League. It will involve street protests in Liverpool, Birmingham and London, and demonstrations outside abortion clinics, where "sidewalk councillors" will give out anti-abortion information. The UK Life League also plans to create its own political party ready for the 2003 Scottish Parliament elections. Dowson added that the group was not connected with the Nuremberg Files, a US Website listing the names of "baby butchers". Eight doctors named on this site have been killed by anti-abortionists. ®
Linda Harrison, 09 Jul 2001

Why it pays to embrace and extend .NET – de Icaza

Miguel de Icaza has told us why he is leading an open source project to implement Microsoft's .NET development framework on Linux. Mono was unveiled earlier today, and promises to provide an alternative toolchain and execution environment for .NET developers. It'll run on Linux and Windows first, but should be portable to almost any platform. It's currently being developed on Solaris. So why bless the Beast? "I'm not interested in ostracising a technology because a company is ugly," he told us today. "I'm interested in finding the best technology and implementing it so developers can write nice applications." It's just that .NET provides most of the answers in an acceptable, standards-blessed (it's going through the ECMA process right now) form, he says: ".NET solves a number of problems we've been trying to solve in GNOME," he told us today. "Instead of wasting our time trying to create a new standard we're embracing .NET and extending it for our own purposes." Problems such as avoiding code duplication, for example. "Once an API is exposed - every time we add a new Gnome API, we have to wrap it in Python and Perl and Pascal and Objective C. So one problem that .NET solves is that we have to define class libraries once." Garbage collection is another, he says. The Unix API has grown messy, and .NET provides a clean interface: "It's basically starting from a clean slate." For a project that makes a core part of .NET open source, Miguel said he didn't want to confuse it with the many other projects emerging from Redmond, some pretty nebulous, but all sprinkled with .NET marketing dust. ".NET is a company wide initiative. It means too many things - different things to different people. I'm talking about the CLI, the class library and the C# programming language," he told us. We wondered if CORBA itself didn't provide a basis for building open source web services. 
GNOME has stuck by CORBA, even after KDE dropped it for performance reasons, and we noted that one of the suggested Mono projects was to build a CORBA bridge. Horses for courses, he suggested, and Mono was really dealing with anything remotely. de Icaza says he got the religion in December last year, and mocked up prototypes for Mono around February. The target is to have a self-hosting compiler by the end of the year, "so you can do everything in Linux without Windows", and the GUI and server portions by the middle of next year. Code for the core of the CLR (Common Language Runtime) that implements a common type system is available. "We have a disassembler, the first step is to add an interpreter, then a Just-in-Time compiler then an optimizer." He's already talked to ECMA, he says, "and they seemed to understand what we wanted to do really well." It may even lead to open source representatives sitting on the language committee. Which we'd have thought would be a pre-requisite, to watch for any suspicious changes to the spec being bounced through. And as our battery was going flat, he was about to make contact with Microsoft for the first time. We'll have time for a longer discussion later in the week, so if you have questions that aren't addressed in the Mono FAQ, mail them to us here. ® Related Story: Mono to open source .NET by mid 2002
Andrew Orlowski, 09 Jul 2001

Naked man with no product waggles his dotcom

A fictional brand that offers no product has managed to fool more than 1,500 people into responding to its ads. The brand, called Joy, was advertised in the national press for six days, as well as on an advertising hoarding plastered on the back of a truck and driven around London. The ad showed a naked man leaping around in a black rubber ring, surrounded by the words "sing, laugh, drive, sleep, eat, breathe, cry, but do it with joy". Nothing else was offered by way of explanation as to what the company offered apart from a URL, www.withjoy.co.uk, and a phone number. But this wasn't part of a dotcom scam, rather an "experiment" by UK newspaper The Guardian to demonstrate the scary power of branding. "Are brands so powerful today that you could launch one without a product and still make a splash in the market?" today's Guardian asks. It would appear so - a bit of nakedness and a few choice words were enough to get 1,562 people to ring the number or log onto the Web site and register their interest in Joy. According to The Guardian: "We used to make money by selling things; today we make money by selling an emotional attachment to a brand." And the 1,562 people who felt compelled to respond to Joy? The Guardian has kindly offered to send them all a limited edition Joy T-shirt. Of course, if you were of a cynical turn of mind, you might wonder whether the scam didn't prove something entirely different that we all knew already. You blow shedloads of money (virtual, in this case, as they were house ads) on national newspaper publicity for a whole week. Then you get a crummy 1,500 people who might be vaguely interested in a dubious-looking consumer dotcom, but six months down the line it'll turn out they weren't. You've probably heard that one before, somewhere... ® Related Link: A hairy naked man in a rubber ring. Interested?
Linda Harrison, 09 Jul 2001

Coming soon: mobile phone multi player gaming via GPRS

The technology pieces that will bring multiplayer gaming to mobile phones are beginning to fall into place. Mobile entertainment firm iFone plans to publish a GPRS- and Bluetooth-compatible multiplayer football game, called iSoccer, which is designed to allow gamers to take advantage of the latest advances in handheld technology. iSoccer and a karting game called iTrax are due to become available on WinCE handhelds, such as Compaq's iPaq, in September at a price of between £7.99 and £9.99. Last week at Ericsson's London headquarters, iFone demonstrated that these games could run on mobile phones that support Symbian's Epoc 6 operating system. Mobile gaming is expected to be a major growth market over the next few years as service providers seek to find compelling applications to suit the mobile phones with high speed connections and colour screens that are coming onto the market. Multiplayer mobile gaming requires the always-on connections GPRS provides and is likely to be particularly tempting to the under-30s that network providers are so keen to sign up to these services. Handset manufacturers also see the potential of the idea and are working to develop a standard platform for cellphone-based multiplayer games through the Mobile Games Interoperability Forum, whose work means games publishers like iFone can in future work with a single consistent set of APIs. Multiplayer mobile may not go mainstream until the middle of next year, but a separate deal means iFone will be able to bring mobile versions of classic arcade games to market from October. iFone has an agreement with Infogrames to publish Atari games on Java and EPOC-based mobile devices. This winter consumers with mobile phones equipped with Java 2 Micro Edition (J2ME) will be able to play Asteroids, Defender and Breakout for between 30 and 50 pence per game. The game is downloaded into a phone's memory and deleted when a player has completed it. Never has retro gaming seemed so cool... 
® External links: iFone (site makes heavy use of Flash and may be tough on those with older browsers)
John Leyden, 09 Jul 2001

Reg temporarily disappoints Gibson fans/bashers

Last Thursday I squared off with WXP raw-sockets doomsayer Steve Gibson on the radio show Online Tonight with David Lawrence. Gibson and I covered a decent amount of material during the ninety-minute debate. Our readers have been keenly interested in the topic, so I posted a copy of the audio file on the Reg site Monday. Unfortunately, we were unable to cope with the demand, and have since removed it pending a bit of re-jiggering. We will re-post the file as soon as possible and bring it to your attention with some bolded, oversized red lettering in honor of our pal Steve. ®
Thomas C Greene, 09 Jul 2001

WinXP prices out – buy now while stocks get built

Prices are out for Windows XP, although it's not currently clear whether they've leaked prematurely, or whether Microsoft is poised to make them official. At time of writing the prices were available on amazon.com, but Microsoft seemed not to have officially announced them. Search for Windows XP on amazon.com, and you'll get three hits, for WinXP Professional, XP Home Edition, and XP Home Edition Upgrade. If you don't get these at some point in the near future then you'll know Amazon jumped too soon. Amazon stresses the products won't ship until 25th October, but says it's taking orders now. It quotes prices as follows: XP Home Edition Upgrade, $99.99; Home Edition full product, $199.99; and Professional (presumably full product, this is the only one they list) $299.99. These prices are pretty much in line with typical current prices for Win2k and Win 98 SE. Prices listed on Egghead today, for example, are $278.99 for Win2k ($188.99 for the upgrade version), and $178.99 for the full version of SE. Egghead doesn't list an upgrade price for SE, and tastefully doesn't mention WinME at all (that's enough comparison shopping - Ed). Given the small amount of information available, it'd be dangerous to try to read too much into the pricing. We do have prices which apparently closely follow previous products, but the fact that there isn't an upgrade listed for Professional may be significant. WinXP Pro and Home Edition are damn nearly the same thing, with just a couple of minor, irritating (and pretty clearly deliberate) differences. If it was easy to get an upgrade version of Pro through the channel for about £199.99 (which is likely what it'd have to cost) then there would be blurring between the two versions. So Microsoft is probably trying to introduce an entirely artificial differentiation between the two 'versions.' 
One could also speculate that by only selling the full version of Pro at retail, Microsoft is putting further weight behind its efforts to get businesses to buy through its various bulk licensing schemes, which will give you upgrade discounts provided you sign up for the right one at the right time, and buy scads of copies of WinXP Pro the very instant you're able to. And finally, as 'per copy' product activation will only be implemented on the home variant (business versions will use a single unlock, multi-install procedure), it wants to limit the circulation of more easily piratable code at retail. But they're just small facts, as we said, so that's more than enough speculation for today. ®
John Lettice, 09 Jul 2001