Comments on news posted 2001-06-11 15:27:53: The US software giant released a statement last week in which it said Steve Gibson, president of Gibson Research Group, was incorrect to claim that the implementation of "raw sockets" in its Windows XP operating system was a serious mistake. ..


Zhen-Xjell
Prolific Bunny

join:2000-10-08
Bordentown, NJ

Zhen-Xjell

In the security forum too...

... Here is a thread that has links to other threads in the security forum about this.

»Gibson / Microsoft row heats up

XBL2009
------
join:2001-01-03
Chicago, IL

XBL2009

Member

No Mistake

M$ doesn't make mistakes.

Maybe someone can clarify whether or not 95/98 supported raw sockets ???
dave
Premium Member
join:2000-05-04
not in ohio

dave

Premium Member

Re: No Mistake

Nope. Raw IP sockets is a recent addition.

This doesn't mean that 'raw network' access is a new thing, however. Sockets ain't the only API in town. \Device\TCP, \Device\IP, and \Device\YourNicHere were all exposed. I suppose (but did not verify) that you might even be able to use them from user mode if you know what you're doing.

I think Gibson's wrong on this one.

Hey, didn't he have some thing called 'nanoprobes' (no longer listed on grc.com as the 8th wonder of the world, I notice) which used hand-crafted IP messages? He implemented those with no raw socket support, didn't he? Apparently it can be done.

Or perhaps his contention was that availability of raw socket support lowers the entry barrier? Sure, but that's irrelevant. It only takes one person to write the software regardless of how hard it is, and a few thousand script-monkeys can use it.

Oh, sorry, I just noticed: you asked about Win9X and I replied for NT.
[text was edited by author 2001-06-11 16:39:18]
amejr999
Eric
Premium Member
join:2001-01-13
Orlando, FL

amejr999 to XBL2009

Premium Member

to XBL2009
MS doesn't make mistakes? That's just about the funniest thing I've ever heard?

pdodd
join:2001-04-07
Arbuckle, CA

pdodd to XBL2009

Member

to XBL2009
I think it did. It's not documented, but where you put SOCK_STREAM or SOCK_DGRAM to select TCP/IP or UDP, you can also put SOCK_RAW to get a raw socket.

_SomeDude_
@naicc.com

_SomeDude_ to XBL2009

Anon

to XBL2009
Raw sockets is supported under Win9x, but not fully. It's only supported for the ICMP protocol, and you can't include your own IP header, and thus can not do spoofing (even for ICMP based packets).

It's important to note that Steve Gibson's "nanoprobe" technology is really just hand-crafted IP packets (probably using Win2k), and just a mutation of existing "stealth-scanning" techniques, which have been around for a while (ala nmap).

retsamyek
join:2001-03-05
Escanaba, MI

retsamyek to XBL2009

Member

to XBL2009
said by JacobNero:
M$ doesn't make mistakes.

I think the 30 or so people who bought MS Bob might beg to differ with you on that one...

At Work
@hsacorp.net

At Work

Anon

Re: No Mistake

"I think the 30 or so people who bought MS Bob might beg to differ with you on that one..."

Could it have been that the thirty or so people made a bad purchasing decision?

retsamyek
join:2001-03-05
Escanaba, MI

retsamyek

Member

Re: No Mistake

no

jzwiebel
@cruzio.com

jzwiebel to XBL2009

Anon

to XBL2009
95/98 allowed you to program raw sockets, but it didn't work -- at least in the application I'm familiar with. So the application had to be redone with UDP.

MENINBLK
Premium Member
join:2000-01-25
Yonkers, NY

MENINBLK

Premium Member

How stupid do you think Microsoft really is ?

Okay people,

Put yourself in Microsoft's shoes.
If someone with Gibson's stature in the Security World, says you have a problem by including this technology in a new product, what would YOUR response be ??

I need to PROTECT this new product, because if I claim that he is RIGHT, who is going to buy it ???

Microsoft responded in the ONLY way it could. Whether the response is CORRECT or NOT, is up to us to decide. And who are we ?? We are BETA TESTERS. The only difference is we Beta Test FINAL product.

Pete...
dave
Premium Member
join:2000-05-04
not in ohio

dave

Premium Member

Re: How stupid do you think Microsoft really is ?

said by promano:
I need to PROTECT this new product, because if I claim that he is RIGHT, who is going to buy it ???
Me, I guess. Given that I've been running Win 2000 for most of this year, and given that raw sockets apparently showed up in Win 2000 rather than Win XP, there's no new security risk.

(Win 2000 is 'NT V5'. Win XP is 'NT V5.something')

Actually, even Gibson would presumably agree that the risk to me is not from me buying Win XP, but from some bad guy buying Win XP. So maybe the security problem will increase sales to bad guys who would otherwise not bother with it?

I agree with your real point, which I take to be that Microsoft would defend their product, no matter what the issue was.

fine
@24.159.x.x

fine

Anon

Re: How stupid do you think Microsoft really is ?

Well, the thing is Windows 2000 is more for the technical person. They understand the limits, vulnerabilities, and the security for it. However, XP appears to be geared towards the "home user." The average user does not really know about raw sockets or how or why to use them. Therefore, the user won't know how to protect their system from hackers/viruses (in a general sense.)

According to Gibson, should XP get into people's homes, it will become very easy to spoof IP addresses and become vulnerable to DDoS attacks or even participating in them.

cmcgilton
join:2001-03-14
Stow, OH

cmcgilton to dave

Member

to dave
The bad guys will easily find pirated copies of Win XP, not buy it.

radmish
Hi
join:2000-04-15
Oakland, NJ

radmish to dave

Member

to dave
No, the problem is not in the bad guy buying Windows XP. Any worthy hacker uses *nix already, which is easy to DOS with. The problem is when every machine comes with the ability to DOS someone. There are already viruses made that are used to take command of people's machines and use them to flood machines without the user knowing it. This will just make it easier for the hackers to DOS people, being most people will run Windows XP.

dnoyeB
Ferrous Phallus
join:2000-10-09
Southfield, MI

dnoyeB to dave

Member

to dave
You guys didn't read Steve's EXCELLENT articles. The problem is NOT you or me or the bad guys buying XP. The problem is the PUBLIC (zombies) buying XP.

The issue is once hacked into XP can HIDE its identity. Currently when a hacker calls his 500+ army of hacked computers to action, they start sending out tons of data to the intended victim. They being Windows boxes can NOT hide their IP addresses in their packets, and thus routers can easily say (no more packets from X because IP X is doing bad stuff). With XP the hacker's army of hacked Windows XP boxes will hide their IP addresses with RAW SOCKETS and be UNBLOCKABLE!!! (by current TCP/IP configuration.)

That is the point. MS does NOT argue that point. They argue that their boxes are uhh 'hack resistant'

Not to mention that M$ has supplied no good reason why it's enabling this feature. It's just a Bonehead move that WILL burn them. It's not saving face because the abuse is a guarantee. If I know it, you can dang well bet hackers know it. Yea I know, MS has every right to add features to its OS that Linux, etc. have.

Personally adding it to winXP server is fine by me, but adding it to winXP home is not fine.
[text was edited by author 2001-06-12 00:26:22]
dave
Premium Member
join:2000-05-04
not in ohio

dave

Premium Member

Re: No NO NO

said by dnoyeB:
You guys didn't read Steve's EXCELLENT articles. The problem is NOT you or me or the bad guys buying XP. The problem is the PUBLIC (zombies) buying XP.

Yep, you're exactly right. My mistake.

But ... I was commenting on the question 'who is going to buy it?'. So this converts to asking whether this brouhaha will affect whether the zombies will or will not buy Windows XP.

I think they will. I don't think they'll notice the fuss!

easytofix
@chartermi.net

easytofix to dnoyeB

Anon

to dnoyeB
A clueful ISP can easily block this by filtering on source IP address - if the source IP is not the one assigned to the connection, reject the packet. Better yet, reject, log, monitor the log, and follow up.
System

to MENINBLK

Anon

to MENINBLK
This is a perfectly useless argument that works as well for any criticism of any product. Does Windows XP steal your credit card numbers and send them to druglords@cali.columbia.com? Of course Microsoft would deny it! They could never admit such a thing!

radmish
Hi
join:2000-04-15
Oakland, NJ

radmish to MENINBLK

Member

to MENINBLK
They could see that he is right and agree with him and change that. But they have to save face and say lots of BS and ignore him.
MrkFrnt
join:2000-11-26
Winston Salem, NC

MrkFrnt

Member

It's a marketing ploy.

Microsoft is just trying to broaden the appeal of XP. Corporate customers don't care, maybe the 13 year old hackers will.
TieryEyed
join:2000-10-29
New Orleans, LA

TieryEyed

Member

MS vs. Steve Gibson?

I'm in Steve's corner. Go get'em, Steve...

zerodash
@dialup.mindspring.co

zerodash

Anon

Microsoft lie? Tsk tsk...NEVER. *psyke*

If you ask me, XP is a piece of crap and Windows 2000 Professional is still the best OS out there, even for gaming.

I've been using Win2k for a long time now (over a year and a half) and I've never had a crash, bug, freeze - anything. I've also been using Win2k with emulators and games (Half-Life, Quake 3 Arena, Unreal Tournament, etc).

XP on the other hand? What a buggy piece of CRAP. XP crashed on me on a restart...THE FIRST ONE I did. Wow...how's THAT for security.

I believe Steve Gibson; I've checked out a lot of stuff on his site before, and he's not a LYING sack or something like that. He spends *his* quality time doing research on things like this - and I'm surprised that people have the audacity to claim that he's not telling the truth. Pardon me, but what does Steve have to gain by lying? Will he earn money off Microsoft not selling their products? (Or anyone for that matter?!?) No. Does Microsoft LOSE money if people don't buy their products? Yes. Therefore - wouldn't Microsoft lie their @$$es off just to "calm the public's concern" so that people *still* buy their product, in turn earning Microsoft revenue? Hell yeah they would; anyone thinking otherwise is a few cans short of a six-pack.

DSLTech5
join:2000-12-30
San Jose, CA

DSLTech5

Member

Re: Microsoft lie? Tsk tsk...NEVER. *psyke*

I don't know. Win2k doesn't like my latest system, but WinME loves it. No OS is absolutely the best.
dave
Premium Member
join:2000-05-04
not in ohio

dave to zerodash

Premium Member

to zerodash
said by zerodash:
I believe Steve Gibson; I've checked out a lot of stuff on his site before, and he's not a LYING sack or something like that. He spends *his* quality time doing research on things like this - and I'm surprised that people have the audacity to claim that he's not telling the truth
Where'd you see claims that he was lying?

The way it seems to me is: Gibson examined the facts, and concluded that there's a huge disaster in the making. Other people--and I don't mean Microsoft, since they obviously have a vested interest--have examined the facts, and have concluded that it's not a big deal. No dishonesty implied on either side.

MrMiniMe
@gtei.net

MrMiniMe

Anon

And they are...

And who are these people that have examined the facts and where can one find the conclusions of their research?

radmish
Hi
join:2000-04-15
Oakland, NJ

radmish to zerodash

Member

to zerodash

Re: Microsoft lie? Tsk tsk...NEVER. *psyke*

XP is a BETA, don't expect it to be perfect till it's final.
It bothers me how idiots download beta software and expect it to be perfect. You beta test to fix the bugs! You can cry loudly if they don't get fixed by the final; but for now there is no reason to cry about XP bugs.
[text was edited by author 2001-06-12 14:52:30]

MrMiniMe
@gtei.net

MrMiniMe

Anon

Re: Microsoft lie? Tsk tsk...NEVER. *psyke*

Uhmmm actually XP is the final release for the next OS. Hell, aren't they still releasing Service Packs for NT 4.0? Wouldn't it be nice to have an OS on the market 3 years BEFORE they start the programming of the new one to get all the kinks out. Or most anyway. 2000 was put together in roughly two years. Let the OS sit on the market and work the bugs out. Then release a killer OS. Oh wait!!! That would not keep with the, we need to change things consistently to keep people on their toes. Can't get too comfortable can we.
pcutmore
join:2001-01-11
New York, NY

pcutmore

Member

Re: Microsoft lie? Tsk tsk...NEVER. *psyke*

Ummmm - Nope, you're missing the point.

An earlier post claims that the version of XP they're running is buggy. XP is currently in Beta 2, with RC1 & 2 due "real soon" - final release isn't due until October.

This whole process is to try to get rid of bugs *before* the final release!
System

Anon

SO let me get this straight....

If Steve says;
"He points out that, with 4,000 being reported a week, such an explosion is already underway--something Gibson attributes to the number of relatively inexperienced home users running Linux and Unix machines, which allow the host IP address of a data packet to be spoofed. "

and MS doesn't support raw sockets in 9x (OS's) (oddly they do and the most "critical and hackable part of a raw socket)
So that means that there seems to be a real problem with Unix and Linux, maybe he should be yelling at the Unix and Linux guys to get "raw sockets" out of the aforementioned OS's...my god what happens when nobody wants to register XP and they all go out and buy Linux...the world is going to end! Ohhhh Noooo!...Hey folks just remember keep 9x and don't ever buy Linux or Unix....or OS/2 and never run a VAX.....it will kill the Internet!

First it's Microsoft then it's Linux and Unix...one day it's bots and then we find out it's his own server crashing...What's next OS/2 WARP! is an alien creation?

And for those that think there is "no good reason" for MS to have raw sockets...talk to the same people that have been arguing that they SHOULD have had raw sockets from the beginning....oddly MS doesn't add an INDUSTRY standard compliance and they get bitched at, then they do and they get bitched at.

[text was edited by author 2001-06-12 01:30:01]
dav1dh
join:2000-08-01
Saint Louis, MO

dav1dh

Member

Re: SO let me get this straight....

I agree...didn't this come from LINUX/UNIX....and now people are bitching at Microsoft..so I think this was a "*nix" problem first...and using the $ for an S in microSoft is not really funny anymore....

MrMiniMe
@gtei.net

MrMiniMe

Anon

Re: SO let me get this straight....

But aren't Windows machines in 80+% of the personal computers used in homes. Should the maker not have some sort of conscience to fix this problem that exists in the hundreds of millions of machines in the world??? Just a thought.
System

Anon

Re: SO let me get this straight....

There isn't a "fix" it's like saying..."ohhh my he can run a ping of death because he has TCP/IP on his machine...yeah no kidding...so what do we do get rid of TCP/IP? See what I mean? It's an essential part of Internet commerce to have sockets (that's one of the reasons MS dogs on web servers, they can't do the construct now)

Even Steve himself admits most of the problem is *nix right now...So if there are millions of misconfigured *nix machines out there that could be doing this "right now" why aren't they?

retsamyek
join:2001-03-05
Escanaba, MI

retsamyek to Anon

Member

to Anon
I think the reason he is going after MS instead of Unix/Linux is because of the huge number of users who will run XP compared to the tiny percentage who run Unix/Linux.
System

Anon

Re: SO let me get this straight....

I don't know, the most popular Web OS is a Unix or Linux variant...I would worry more about BIG machines running raw socket on big pipes than little machines.

rt
@adelphia.net

rt to Anon

Anon

to Anon
Actually, Swinson, you're showing your lack of knowledge on this one. I'm not bashing you here, so keep the flame resistant pants off, it's ok. What Micro$oft has seemingly done here in XP (and yes, I think that the beta is pretty good - albeit only for a Micro$oft product) is to implement, as you said, a very hackable version of raw sockets. I don't care what M$ says, breaking into ANY M$ half-assed OS is NOT very difficult, and most people make it quite easy by accepting the Microsoft installed networking defaults. What Steve is saying here (and I MUCH value Steve's opinions and knowledge over ANYONE from M$, as I was previously employed by the company), is that there really is "no good reason", as you say, for M$ to have raw sockets implemented in the first place. With Micro$oft Windows servers still using SMB and, in some cases, NetBEUI (oh God...), there's NO need for it. AD doesn't use it, NetBIOS doesn't use it, and neither do any other current M$ hacked schemes and protocols. Or, is this something they plan to use *somehow* with .NET??? Why can't any of you see the bigger picture here??? M$ isn't making the product more standards compliant!!! They're making it even easier to exploit! My JOB is to hack systems running all OSes, and crackers (and hackers, to a lesser degree) who start DDOS exploits and the like, will just eat this up? Step back from the chalkboard so you can see what's written on it people...
System

Anon

Re: SO let me get this straight....

.Net uses raw sockets and it makes it more portable to other platforms. I understand exactly what raw sockets does or doesn't do, I understand pretty well where microsoft is coming from on implementing it. If you don't think there is a good reason to install raw socket capability then I can see where your knowledge stops and starts.
I'm glad you have a job as a hacker, it makes me feel a bit safer knowing that someone that doesn't understand the portability feature of raw sockets is attempting to make the net safer.
The fact that you ignore that there are tons of systems out there, and have been for more than the couple years Steve has decided to "focus" on the "problem", shows that raw socket problems and a root hack have not had that much of an impact on DDoS attacks at all. Most attacks are very simple trojan install and run or grabs of public IP's with tons of bandwidth, after that there is a bunch of server compromise attacks generated from lots of web servers NOT running an MS product. How do these systems get jacked, poor configuration and stupid users...with or without raw socket capability...there are TONS easier hacks out there.
Maybe you're still just a bit disgruntled.
[text was edited by author 2001-06-13 12:59:42]

kickahaota
Avoid Reality At All Costs
join:2000-12-21
Seattle, WA

kickahaota

Member

I respect Steve, but I think he's off-base here.

Yes, XP will make raw sockets available on many machines that don't use it now. Yes, this could present a DDoS problem. But there are two problems with Steve's argument here:


  • Under XP, the 'automatic critical updates' system is even more aggressive than it is under Win2000; it defaults to 'automatically download and notify me of critical updates' right out of the box, rather than being something that has to be explicitly downloaded from Windows Update. If Microsoft releases a patch for a security problem, there's a very high chance that an XP machine that connects to the Internet regularly will wind up getting that patch soon enough. (And if the machine isn't connected to the Internet, then there's no DDoS threat.)

  • I think that Steve is blaming the wrong party here. Yes, users can be expected to be largely clueless about security issues. Yes, a user with a broadband connection can cause network havoc in a variety of ways. And that's precisely why ISPs that sell broadband connections to consumers must be expected to assume that users will sometimes do havoc-causing things (either accidentally or intentionally), and must be expected to implement their network to minimize and isolate the results. (Who is more dangerous: the clueless person with a gun, or the man with a truckload of guns passing them out to the clueless people?)

    In this case, by Steve's own argument, the thing that allows raw sockets to be dangerous in a consumer's hands is that they can be used to spoof packet source addresses, and thus camouflage the source of DDoS attacks. Well, heck, users have been accidentally spoofing the source address of their packets since somewhere around the week after the Internet was first invented, simply by mistyping their machine's IP address in their network settings. As a broadband service provider, if the border routers that serve my users aren't configured to drop outgoing packets with clearly-incorrect source addresses on the floor--and better yet, to immediately alert my Clue Patrol to locate the offending user and administer a reconfiguration with all necessary force--then I am a greater threat to the Internet than a hundred thousand newbies with raw sockets will ever be.
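The source-address check that easytofix and kickahaota both describe (drop outgoing packets whose source is not the address assigned to the connection, log the drop, follow up with the customer), sketched as an added example that is not part of either post. The port names, prefixes and sample headers are constructed, using documentation address ranges.

```python
import ipaddress
import struct
from collections import Counter

def sample_header(src: str, dst: str) -> bytes:
    """Constructed 20-byte IPv4 header, used only as filter input (never sent)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, 17, 0,  # ver/IHL, TOS, length, id, frag, TTL, UDP, checksum
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )

def source_of(packet: bytes):
    """Return the claimed IPv4 source address, or None if the header is malformed."""
    if len(packet) < 20:
        return None
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        return None
    return ipaddress.IPv4Address(packet[12:16])

class EgressFilter:
    """Per-connection source check at the provider edge (hypothetical model)."""

    def __init__(self, assignments):
        # customer port -> prefixes the ISP assigned to that connection
        self.assigned = {port: [ipaddress.ip_network(p) for p in prefixes]
                         for port, prefixes in assignments.items()}
        self.log = []           # (port, claimed source, reason), kept for review
        self.drops = Counter()  # drops per port, used for follow-up

    def check(self, port: str, packet: bytes) -> bool:
        """True = forward, False = dropped and logged."""
        src = source_of(packet)
        if src is None:
            reason = "malformed"
        elif not any(src in net for net in self.assigned.get(port, [])):
            reason = "source-not-assigned"
        else:
            return True
        self.log.append((port, str(src) if src else "-", reason))
        self.drops[port] += 1
        return False

    def follow_up(self, threshold: int):
        """Ports whose drop count reached the threshold: candidates for a call."""
        return sorted(p for p, n in self.drops.items() if n >= threshold)

def run_demo():
    f = EgressFilter({"cust-1": ["192.0.2.10/32"], "cust-2": ["198.51.100.0/29"]})
    dst = "203.0.113.1"
    results = [
        f.check("cust-1", sample_header("192.0.2.10", dst)),    # assigned address
        f.check("cust-1", sample_header("203.0.113.77", dst)),  # someone else's address
        f.check("cust-1", sample_header("203.0.113.78", dst)),
        f.check("cust-1", sample_header("203.0.113.79", dst)),
        f.check("cust-2", sample_header("198.51.100.5", dst)),  # inside the /29
        f.check("cust-2", sample_header("198.51.100.9", dst)),  # just outside the /29
        f.check("cust-2", b"\x45\x00"),                         # truncated header
    ]
    return f, results

if __name__ == "__main__":
    flt, res = run_demo()
    print(res, flt.log, flt.follow_up(3))
```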


lkasjd
@mecnet.net

lkasjd

Anon

Gibson is an idiot

There are already tons of Linux users out there. And almost every single OS today supports RAW sockets, even Macintosh (Mac OS X which is based on Darwin/BSD unix). Also Windows 2000 has been pirated so many times over and over that little kids like the one who DDoSed grc.com can surely obtain a pirated copy of win2k to utilize its raw socket on the net. However, THE FACT THAT IP SPOOFING ATTACKS HAVE NOT EXPLODED YET IS BECAUSE MOST INTERNET BACKBONES TODAY HAVE STARTED TO RUN DESTINATION/ORIGIN SCANS ON IP TRAFFIC ON THEIR BORDER ROUTERS. MEANING, SPOOFED IP ADDRESSES ARE REJECTED BY EITHER LOCAL ISP, LOCAL ISP'S UPSTREAM PROVIDER, OR THE BACKBONE THE LOCAL ISP IS CONNECTED TO.

I have already tested raw socket based program that is programmed to spoof its IP header in many of the networks. And the result is:
IP Spoofing: Blocked or allowed?
RoadRunner Cable: Blocked
Exodus Communications: Blocked
@Home Network: Blocked
AboveNET: Blocked
Earthlink: Allowed
Cable & Wireless: Blocked
UUNET: Blocked
NOTE: The above results only represent the testing values within specific location of each backbone. The above results do not describe whether the whole backbone allows or blocks the IP spoofing in all of its border routers.

I think Gibson needs to take a break. For sh!t sakes, it's OK. Plus, Gibson's network site runs on Cisco router to link with T1 trunks, so he SURELY CAN BLOCK SPOOFED IP TRAFFIC FROM ENTERING HIS NETWORK. For the love of god, he needs to chill out and stop b!tching in public. He is just making himself look stupid.
System

Anon

What about IPv6?

All this stuff about DDoS and spoofing etc...

Would a lot of this be slowed down if IPv6 was used?

oberon5
join:2001-06-19
Fair Lawn, NJ

oberon5

Member

There Are Three Sides To Every Story

I have read Steve Gibson's Point of view. »grc.com/dos/sockettome.htm And I have read Microsoft's point of view. »www.microsoft.com/techne ··· kets.asp But for a more balanced point of view I found this to be of interest »www.theregister.co.uk/co ··· 623.html
[text was edited by author 2001-09-25 01:05:03]