Oh man, this guy reminds me of Ken Rockwell of the digital photography realm. I'm sorry but Steve Gibson is far from a security expert, although he does say a lot of wild things and his web site is obviously designed to sell his products. Ironically, that is not so much different from Ken Rockwell either except Ken does it just to generate ad hits. There might be some remotely useful concepts that come out of Steve's diatribe, but I'm sorry, he's just not the real deal in any sense of the word. He seems to fall under the class of "say outrageous stories to get tons of hits on your website, then sell them stuff or generate ad hits!"
So, I was interested in reading the Windows XP RAW Socket "issue". The most common internet application uses RAW sockets: ping.exe (or ping for those Unix heads). ICMP packets have to be created via RAW sockets, so Steve's claim seemed like it was ready for an instant shoot down. It seems that grc.com does note this, and at first everything he says seems to make sense. There used to be a slight barrier to creating RAW sockets and now it is gone. 3rd party shims to allow RAW sockets would have made it a bit harder, but honestly, I doubt by much. Look at how advanced spyware hooks have become and it has nothing to do with RAW sockets, just pure user stupidity. So, I was going to give Steve some partial credit until I realized there doesn't seem to be much point in spoofing IP addresses if you are behind a NATed device, since the NATed device will always translate your outbound packets as well. In fact, some NAT translation devices might even REFUSE to translate IPs that are not considered local yet are showing up locally. In other words, Steve Gibson's claim that RAW sockets would make XP the choice of zombies because of its ability to spoof IPs does not seem to be practical in the least for hackers. I would dare to say a large chunk of people are behind a NATed device rather than directly out in the open. Also, tons of people are purchasing firewall software which at least would help decrease the number of instant zombies. Also, why would I bother spoofing IPs on my zombies if I can take over a large number of zombies from major networks such as AOL and Comcast? Economically, with regards to time spent, a hacker would just be far better off relying on initial spyware deployments to get a large enough spread to get the zombies needed to DoS any target successfully. Given that I have worked with Comcast with regards to DoSes, they admit being somewhat helpless against defending their own users from DoSes.
It's a bit hard to convince the NOC to add "on-the-fly" access-control lists (firewall rules) to production routers just to protect an end user. They have enough issues as it is, and throwing up potentially 30-40 ACLs (and this is WITHOUT spoofing) is hard enough. Yes, if they were spoofing it would be even worse, especially if it was a high priority target such as a server. I'll admit that XP having more direct RAW socket support is an interesting revelation, but it certainly isn't enough to go running along with as a security hole of the century. Simply put, if Steve Gibson had more practical experience in the field with regards to security issues, maybe he would realize that some of his claims just aren't practical because a real hacker can achieve it far more easily in other ways. I'm sure Gibson is also a little miffed about the major DDoS that blasted his website a while ago. Although, I'm sure if we could find out the majority of the systems that nailed him on that, it would be Unix-based OSes or server class Windows OSes. While grc.com admitted that Unix servers are the ideal platform for spoofer types, you aren't going to find XP machines at colo locations where they have significant bandwidth per successful hack ratios. In short, yeah Gibson, it was horrible you got DDoSed and finding ways to stop it would be great. No, it was not because of Windows XP's RAW Socket support. As for the WMF thing, you've got to be kidding me. Planted by Microsoft? Microsoft already has tons of ways to allegedly "backdoor" information into the system, why would they use a new-fangled, difficult attack vector? I don't think Gibson has had a lot of experience in developing a large software base. I'm beginning to wonder if Gibson has a lot of real world experience to begin with. As many have agreed, the real Microsoft security problem is the fact that it runs as "administrator" by default. Harden that up a bit more and you will see nearly all of these security issues mysteriously disappear.
Hopefully Microsoft will get to a stage where this will be easier to do for most users.

- Carroll Kong

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joeuser
> Sent: Friday, January 20, 2006 7:09 PM
> To: The Hardware List
> Subject: Re: [H] Nutty Steve Gibson claims WMF bug was
> planted by Microsoft
>
> Gibson needs the tin foil hat... www.grcsucks.com I think is
> the address
>
>
>
> Wayne Johnson wrote:
>
> > Sorry I did not read the transcript & as long as he was
> just stating
> > his opinion then he can say anything he wants. It's up to us to
> > determine if we need Joe User's tin hat or not. ;-)
>
>
> --
> Cheers,
> joeuser (still looking for the 'any' key)
>
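The post's core point is that a NAT gateway either rewrites a spoofed source address to its own public address or refuses to forward it at all. The following is an added model of those two gateway behaviours (example code written for this thread, not from the original post or from grc.com); the inside prefix, public address and sample packets are constructed values from the documentation ranges.

```python
"""Model of how a NAT gateway treats outbound packets whose source address
was forged, illustrating the post's argument: behind NAT a spoofed source is
either rewritten to the gateway's public address or refused outright.

Added example for this thread, not code from the original post.  The network
prefix, public address and packets below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional

LAN = ipaddress.ip_network("192.168.1.0/24")       # constructed: inside network
PUBLIC_IP = ipaddress.ip_address("203.0.113.7")    # constructed: gateway's public side


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # e.g. "icmp" for a ping built over a raw socket, "tcp", ...


def nat_translate(pkt: Packet, strict: bool) -> Optional[Packet]:
    """Translate one outbound packet the way a NAT gateway would.

    strict=False: rewrite whatever source the host put on the wire to
                  PUBLIC_IP, so a forged source never leaves the LAN intact.
    strict=True:  additionally refuse (return None) any packet whose source
                  is not an address on the inside network; this is the
                  "refuse to translate non-local IPs" behaviour the post
                  describes and the rule BCP 38 style egress filtering applies.
    """
    src = ipaddress.ip_address(pkt.src)
    if strict and src not in LAN:
        return None  # dropped: the LAN cannot legitimately originate this source
    return replace(pkt, src=str(PUBLIC_IP))


def outbound_results(pkts: List[Packet], strict: bool) -> List[Optional[Packet]]:
    """Push a batch of outbound packets through the gateway; None marks a drop."""
    return [nat_translate(p, strict) for p in pkts]


# Constructed sample: a genuine ping from a LAN host and one forged-source packet.
SAMPLE = [
    Packet("192.168.1.20", "198.51.100.9", "icmp"),  # honest host on the LAN
    Packet("10.99.99.99", "198.51.100.9", "tcp"),    # forged: not a LAN address
]

if __name__ == "__main__":
    for mode in (False, True):
        print(f"strict={mode}:")
        for before, after in zip(SAMPLE, outbound_results(SAMPLE, mode)):
            print(f"  {before.src:>15} -> {'dropped' if after is None else after.src}")
```

In both modes the forged address is gone by the time the packet reaches the Internet, which is the practical reason the post gives for spoofing from a NATed XP host being pointless.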
