RE: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
Oh man, this guy reminds me of Ken Rockwell of the digital photography realm. I'm sorry but Steve Gibson is far from a security expert, although he does say a lot of wild things and his web site is obviously designed to sell his products. Ironically, that is not so much different from Ken Rockwell either except Ken does it just to generate ad hits. There might be some remotely useful concepts that come out of Steve's diatribe, but I'm sorry, he's just not the real deal in any sense of the word. He seems to fall under the class of say outrageous stories to get tons of hits on your website, then sell them stuff or generate ad hits!

So, I was interested in reading the Windows XP RAW Socket issue. The most common internet application uses RAW sockets: ping.exe (or ping for those Unix heads). ICMP packets have to be created via RAW sockets so Steve's claim seemed like it was ready for an instant shoot down. It seems that grc.com does note this, and at first everything he says seems to make sense. There used to be a slight barrier to creating RAW sockets and now it is gone. 3rd party shims to allow RAW sockets would have made it a bit harder, but honestly, I doubt by much. Look at how advanced spyware hooks have become and it has nothing to do with RAW sockets, just pure user stupidity.

So, I was going to give Steve some partial credit until I realized, there doesn't seem to be much point in spoofing IP addresses if you are behind a NATed device since the NATed device will always translate your outbound packets as well. In fact, some NAT translation devices might even REFUSE to translate IPs that are not considered local yet are showing up locally. In other words, Steve Gibson's claim that RAW sockets would make XP the choice of zombies because of its ability to spoof IPs does not seem to be practical in the least for hackers. I would dare to say a large chunk of people are behind a NATed device rather than directly out in the open.
Also, tons of people are purchasing firewall software which at least would help decrease the number of instant zombies. Also, why would I bother spoofing IPs on my zombies if I can take over a large number of zombies from major networks such as AOL and Comcast? Economically with regards to time spent, a hacker would just be far better off relying on initial spyware deployments to get a large enough spread to get the zombies needed to DoS any target successfully.

Given that I have worked with Comcast with regards to DoSes, they admit being somewhat helpless against defending their own users from DoSes. It's a bit hard to convince the NOC to add on-the-fly access-control lists (firewall rules) to production routers just to protect an end user. They have enough issues as it is and throwing up potentially 30-40 ACLs (and this is WITHOUT spoofing) is hard enough. Yes, if they were spoofing it would be even worse especially if it was a high priority target such as a server.

I'll admit that XP having more direct RAW socket support is an interesting revelation, but it certainly isn't enough to go running along with as a security hole of the century. Simply put, if Steve Gibson has more practical experience in the field with regards to security issues, maybe he would realize that some of his claims just aren't practical because a real hacker can achieve it far more easily in other ways.

I'm sure Gibson is also a little miffed about the major DDoS that blasted his website a while ago. Although, I'm sure if we could find out the majority of the systems that nailed him on that, it would be unix based OSes or server class Windows OSes. While grc.com admitted that unix servers are the ideal platform for spoofer types, you aren't going to find XP machines at colo locations where they have significant bandwidth per successful hack ratios. In short, yeah Gibson, it was horrible you got DDoSed and finding ways to stop it would be great.
No, it was not because of Windows XP's RAW Socket support.

As for the WMF thing, you got to be kidding me. Planted by Microsoft? Microsoft already has tons of ways to allegedly backdoor information into the system, why would they use a be-fangled difficult attack vector? I don't think Gibson has had a lot of experience in developing a large software base. I'm beginning to wonder if Gibson has a lot of real world experience to begin with.

As many have agreed, the real Microsoft security problem is the fact that it runs as administrator by default. Harden that up a bit more and you will see nearly all of these security issues mysteriously disappear. Hopefully Microsoft will get to a stage where this will be easier to do for most users.

- Carroll Kong

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joeuser
Sent: Friday, January 20, 2006 7:09 PM
To: The Hardware List
Subject: Re: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft

Gibson needs the tin foil hat... www.grcsucks.com
RE: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
At 11:30 AM 24/01/2006, Carroll Kong wrote:
> As many have agreed, the real Microsoft security problem is the fact that it runs as administrator by default. Harden that up a bit more and you will see nearly all of these security issues mysteriously disappear. Hopefully Microsoft will get to a stage where this will be easier to do for most users.

I'm not sure on that. I had a machine in a few weeks ago where all the users were limited users (I had to boot into Safe Mode to get in as Administrator.) So in theory there should have been no or very little spyware on the system, but it was loaded up with it. If running as a non-Admin user is supposed to protect users, shouldn't this machine have been largely immune to infection?

T
Re: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
Realize that he first wrote about the raw sockets in 2001. Back then most people were NOT behind NATs or firewalls. Most users didn't even know what they were and their only experience was hooking their computer up directly to the net using a modem. Now, they are doing the same process but using an always on broadband connection. Couple that with the ease of hacking and taking control of Windows PCs and the ability to create raw sockets and you have a potential nightmare. Have you forgotten about the massive worm attacks that partially crippled parts of the net a few years ago?

And yes, getting massive zombie swarms to use in an attack is much easier but IP spoofing is still a huge advantage. If I am getting attacked from a set of machines, I can just tell my ISP or firewall to filter out packets from those specific addresses. Attack over. But if each of those zombies is spoofing a random IP address and keeps changing it every few seconds, now I can't filter the attack as easily. And did you even read the section about spoofing the addresses of the hub routers? That was the second attack that hit him, using spoofed packets.

Sure, the doomsday scenario he predicted didn't come totally true. Why? Because there is no incentive. Instead of evolving towards malicious destruction of the net, the hacker community has evolved towards MAKING MONEY. Nowadays, all the exploits, hacks, and attacks you see are mainly aimed towards getting code installed for the purpose of delivering adware, spyware, or malware. There are still some DDoS attacks that are done for profit or ransom, but there is a whole lot more money to be made in the other rackets. And I really believe that is why Gibson's prediction of mass DDoS attacks never came true.

Of course his predictions about spyware and the such DID come true. Shields Up isn't the best program out right now, but a few years ago it was the ONLY program and it was pretty damn good for its time.
Once again the market evolved and now there are tons of companies making anti-spyware, malware, and adware products. All of them are building on the original concept and work that Gibson did.

I am willing to overlook Gibson's flair for the dramatic, the occasional pimping of his products, and him being wrong on a few details. Name one site on the net that doesn't do those things. And most of his products he doesn't charge for - like the software he wrote to detect the WMF bug. I still find his dissection of internet and computer security issues very interesting and very useful.

-- Brian
Re: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
At 12:23 PM 24/01/2006, Brian Weeden wrote:
> I am willing to overlook Gibson's flair for the dramatic, the occasional pimping of his products, and him being wrong on a few details. Name one site on the net that doesn't do those things. And most of his products he doesn't charge for - like the software he wrote to detect the WMF bug. I still find his dissection of internet and computer security issues very interesting and very useful.

I agree. He certainly appears to be trying to explain in simple terms the security issues that Internet users face. He doesn't charge for this, and he occasionally mentions Spinrite (which is how he makes his living, and which does work, regardless of what the naysayers say.) If someone can prove that he is spreading disinformation in his Podcast, then I'd be very interested in hearing it.

T
RE: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
> And yes, getting massive zombie swarms to use in an attack is much easier but IP spoofing is still a huge advantage. If I am getting attacked from a set of machines, I can just tell my ISP or firewall to filter out packets from those specific addresses. Attack over. But if each of those zombies is spoofing a random IP address and keeps changing it every few seconds, now I can't filter the attack as easily. And did you even read the section about spoofing the addresses of the hub routers? That was the second attack that hit him, using spoofed packets.

Yes, and there are enough hosts out there to do this with or without XP RAW sockets. Would it have been much worse with the addition of XP hosts? Maybe, but after a certain point you have enough DoS power that it's diminishing returns. By the way, did you also know that nearly all IP spoofing can be defeated if all ISPs properly configured their edge routers? Most of them do not do it because it is additional work, planning, and load on their routers.

> Sure, the doomsday scenario he predicted didn't come totally true. Why? Because there is no incentive. Instead of evolving towards malicious destruction of the net, the hacker community has evolved towards MAKING MONEY. Nowadays, all the exploits, hacks, and attacks you see are mainly aimed towards getting code installed for the purpose of delivering adware, spyware, or malware. There are still some DDoS attacks that are done for profit or ransom, but there is a whole lot more money to be made in the other rackets. And I really believe that is why Gibson's prediction of mass DDoS attacks never came true.

Right, there is no incentive which is the number one reason why a lot of people were never significantly afraid of 'hackers' wiping out things like root DNS servers and such. Who would be dumb enough to wipe out their own infrastructure except a megalomaniac? I never could understand the allure of writing viruses that would wipe out people's harddisks for fun.
> Of course his predictions about spyware and the such DID come true. Shields Up isn't the best program out right now, but a few years ago it was the ONLY program and it was pretty damn good for its time. Once again the market evolved and now there are tons of companies making anti-spyware, malware, and adware products. All of them are building on the original concept and work that Gibson did.

I don't know about giving Gibson credit for originating the idea. That's always a tough cookie to crack, but he was probably one of the more visible ones early on. Well, the spyware idea is an ancient idea from ages of lore. The idea that your computer is watching you and logging everything you do. That's the kind of stuff people were fearful of even in the DOS days but it was just ridiculously impractical. Or those who insist Windows 3.11 is the last one without the mysterious Backdoor (tm)! Many respectable security experts long since argued ActiveX was a dangerous technology during the ActiveX vs Javascript wars (back when Netscape was still alive) and this was probably before Gibson mentioned the word spyware.

> I am willing to overlook Gibson's flair for the dramatic, the occasional pimping of his products, and him being wrong on a few details. Name one site on the net that doesn't do those things. And most of his products he doesn't charge for - like the software he wrote to detect the WMF bug. I still find his dissection of internet and computer security issues very interesting and very useful.
> -- Brian

Well, it isn't related to 'computers' but www.bythom.com is pretty good. :) You don't have to charge for information to be indirectly using it for economic gain. In fact, that's the new small business model for this type of thing. But I digress. I did say earlier he has some things to say and offer, but all in all take it with a grain of salt.
There are tons of other security experts who are far more respectable and even then you shouldn't always take what they say as gospel.

- Carroll Kong
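The edge-router filtering mentioned in the message above, sketched as an added example that is not part of the thread: a customer-facing port forwards a packet only if its source address falls inside a prefix assigned to that port. The interface names, prefix table and packets are constructed (documentation address ranges); real routers do this with ACLs or reverse-path checks.

```python
import ipaddress
from collections import Counter
from typing import List, Set, Tuple

# Constructed assignment table: customer-facing interface -> prefixes routed to it.
ASSIGNED = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/25")],
    "cust-b": [ipaddress.ip_network("203.0.113.0/24")],
}

Packet = Tuple[str, str, str]  # (ingress interface, source address, destination address)

VICTIM = "192.0.2.10"
# Constructed traffic: honest sources, out-of-prefix spoofs, and one in-prefix spoof.
SAMPLE_PACKETS: List[Packet] = [
    ("cust-a", "198.51.100.10", VICTIM),   # real address of the sender
    ("cust-a", "192.0.2.77", VICTIM),      # spoofed, outside the port's prefix
    ("cust-a", "198.51.100.99", VICTIM),   # spoofed, but still inside the port's own /25
    ("cust-a", "198.51.100.200", VICTIM),  # spoofed, same /24 but outside the /25
    ("cust-b", "203.0.113.5", VICTIM),     # real address of the sender
    ("cust-b", "198.51.100.10", VICTIM),   # spoofed, borrows a cust-a address
]


def matching_prefix(interface: str, src: str):
    """Return the assigned prefix that contains src on this interface, or None."""
    addr = ipaddress.ip_address(src)
    for net in ASSIGNED.get(interface, []):
        if addr.version == net.version and addr in net:
            return net
    return None


def filter_at_edge(packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Split packets into (forwarded, dropped) by source address validation."""
    forwarded, dropped = [], []
    for pkt in packets:
        target = forwarded if matching_prefix(pkt[0], pkt[1]) else dropped
        target.append(pkt)
    return forwarded, dropped


def drops_by_interface(dropped: List[Packet]) -> Counter:
    """Drop counts per port: a non-zero count points at a host worth investigating."""
    return Counter(pkt[0] for pkt in dropped)


def prefixes_seen_by_victim(forwarded: List[Packet]) -> Set[str]:
    """Prefixes a victim would have to filter once every edge validates sources."""
    return {str(matching_prefix(pkt[0], pkt[1])) for pkt in forwarded}


if __name__ == "__main__":
    fwd, drp = filter_at_edge(SAMPLE_PACKETS)
    print("forwarded:", fwd)
    print("drops per port:", dict(drops_by_interface(drp)))
    print("prefixes reaching victim:", prefixes_seen_by_victim(fwd))
```

The in-prefix spoof still passes, so validation does not stop every forged source; it bounds the forged addresses to the sender's own prefix, which is what makes prefix-level filtering at the victim workable.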
Re: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
Listen to his Podcast and decide for yourself. He makes a compelling argument whether you think he's nutty or not.

@:D

Hayes Elkins wrote:
> http://www.informationweek.com/news/showArticle.jhtml%3Bjsessionid%3DKAJMC5WZJL0XQQSNDBGCKHSCJUMEKJVN?articleID=177100970
Re: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
I listened to his Podcast today before work and he was very very careful not to directly accuse MS of pulling a fast one but there was no doubt he believes it's not a bug but a deliberate feature.

@:D

Wayne Johnson wrote:
> At 02:00 PM 1/20/2006, Thane Sherrington (S) typed:
>> What? Pressure from MS? That's nuts!
>
> You don't think Steve might have heard from some MSFT atty's after that scathing article? If one makes false claims without documentation or without stating that this is my opinion then he certainly might have heard from their atty's.
>
> --+-- Wayne D. Johnson Ashland, OH, USA 44805 http://www.wavijo.com
Re: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
Okay this is from the SysInternals writeup (very good btw, thanks for the link). Here is what Gibson based his conclusions on:

1. There is no need for WMF files to include support for the SetAbortProc API.
2. Even if an abort procedure is set by a WMF file, Windows shouldn't execute it unless some abort condition is triggered, which should never occur when executing a WMF file.
3. He could only get his WMF file's abort procedure to execute when he specified certain invalid values for the size of the record containing the SetAbortProc command.
4. Windows executes code embedded within the SetAbortProc record rather than expect the record to reference a procedure within the application executing the WMF file.

Given that same sort of evidence I would have concluded the same exact thing. And I hope many of the other security professionals would have as well. SysInternals goes on to explain why some of Gibson's reasoning was incorrect, and I can see where he made his mistakes. But then there is this comment that follows the blog (one of many good ones):

> While I applaud your efforts to explain the *details* of this vulnerability (and nicely done too) and why it may have been allowed to exist, there's one point Gibson brought up you didn't cover: Why, if as you claim that this was seen as a 'feature' in days so long ago (Win 3.x) that code inside a .wmf file could rely upon 'hard-coded addresses when patches didn't exist,' did Microsoft make sure embedded-code-execution couldn't happen under Windows 9x (in fact adding extra code to keep it from ever doing so!) yet still allow it (or more correctly added it to?) their Windows NT series? Therefore, it seems at least one person in the 'NT development' dept. (who could have checked how Windows 9x handled .WMF files) chose to allow for arbitrary code execution instead.
> It's not a coding error: The 'mistake' was for Microsoft during many code reviews to allow it to continue that way in Win 2000, XP and beyond until an exploit finally made use of it!

And this one:

> Mark, I don't claim to be the expert that either you or Steve Gibson are. I am fans of both and have been for many years. But there is one flaw in your argument that even I can spot. You stated, about the ability to run code inline with the SetAbortProc: "The actual reason is lost with the original developer of the API, but my guess is that he or she was being as flexible as possible." That defines a back door. Code put in place by a developer that is not documented in the requirements or specifications! This may not be a back door intentionally placed by Microsoft, but it smells awfully much like a backdoor put in intentionally by someone at Microsoft.

I completely agree. Gibson and the guy at SysInternals came up with the exact same results. One concluded that it was a backdoor, the other concluded that it was bad code written for an unknown reason, which could be exploited as a backdoor. IMHO, everyone who looks at this function and code knows what it is. Gibson is the only security expert with the balls to call it what everyone is thinking - a backdoor. And it's because you cannot prove it one way or the other. Everyone else doesn't want to risk the wrath of M$ unless they have proof.

And even the term backdoor can be used differently. It's like the difference between hacker and cracker. To us geeks there is a subtle but real difference between those camps. To the non-geek world they are exactly the same. I think the same semantics is at play here between the words badly coded feature and backdoor.

The other thing I can't understand is why there seems to be a very vocal number of people out there who seem to use every single opportunity to bash and flame and destroy Gibson.
I've been through all his stuff and I think the worst he can be accused of is sometimes going overboard on the ramifications of some of the problems he has found.

-- Brian
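A defender's view of the four points listed in the message above, as an added example that is not part of the thread or of the SysInternals writeup: a scanner that walks the record list of a WMF file and flags any Escape record that selects SETABORTPROC, plus record sizes that do not fit the file. The record constants follow the published WMF layout; the sample files are constructed here and carry only zero bytes as escape data.

```python
import struct
from dataclasses import dataclass
from typing import List

PLACEABLE_KEY = 0x9AC6CDD7  # optional 22-byte placeable header before META_HEADER
META_EOF = 0x0000
META_ESCAPE_LOW = 0x26      # low byte of META_ESCAPE (0x0626) identifies the record type
SETABORTPROC = 0x0009       # escape function that registers an abort procedure


@dataclass
class Finding:
    offset: int
    reason: str


def scan_wmf(data: bytes) -> List[Finding]:
    """Walk the records of a WMF file and report suspicious ones."""
    findings: List[Finding] = []
    pos = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        pos = 22
    if len(data) < pos + 18:
        return [Finding(pos, "truncated META_HEADER")]
    file_type, header_words = struct.unpack_from("<HH", data, pos)
    if file_type not in (1, 2) or header_words != 9:
        return [Finding(pos, "not a WMF header")]
    pos += 18
    while pos + 6 <= len(data):
        # Each record starts with its size in 16-bit words and a function code.
        size_words, function = struct.unpack_from("<IH", data, pos)
        # Inspect Escape records before trusting the declared size.
        if function & 0xFF == META_ESCAPE_LOW and pos + 10 <= len(data):
            escape, byte_count = struct.unpack_from("<HH", data, pos + 6)
            if escape == SETABORTPROC:
                findings.append(Finding(pos, "META_ESCAPE record invokes SETABORTPROC"))
            if 10 + byte_count > size_words * 2:
                findings.append(Finding(pos, "escape ByteCount exceeds record size"))
        end = pos + size_words * 2
        if size_words < 3 or end > len(data):
            findings.append(Finding(pos, "record size invalid for file length"))
            break
        if function == META_EOF:
            break
        pos = end
    return findings


def record(function: int, params: bytes = b"", declared_words: int = -1) -> bytes:
    """Build one record; declared_words overrides the size field (constructed input)."""
    words = (6 + len(params)) // 2 if declared_words < 0 else declared_words
    return struct.pack("<IH", words, function) + params


def build_wmf(records: List[bytes]) -> bytes:
    """Prefix the records with a minimal 18-byte META_HEADER."""
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 0, 0)
    return header + body


# Constructed samples. The escape payload is four zero bytes, nothing executable.
SET_MAP_MODE = record(0x0103, struct.pack("<H", 8))
ABORT_PARAMS = struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4
CLEAN_SAMPLE = build_wmf([SET_MAP_MODE, record(META_EOF)])
FLAGGED_SAMPLE = build_wmf([SET_MAP_MODE, record(0x0626, ABORT_PARAMS), record(META_EOF)])
BAD_SIZE_SAMPLE = build_wmf([SET_MAP_MODE, record(0x0626, ABORT_PARAMS, declared_words=0x100)])

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN_SAMPLE), ("flagged", FLAGGED_SAMPLE),
                         ("bad size", BAD_SIZE_SAMPLE)]:
        print(name, scan_wmf(sample))
```

The Escape check runs before the size check on purpose, so a record with a bogus length field is still reported for what it selects rather than skipped.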
Re: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
I really don't get why folks like to bash Gibson. I've been reading this stuff for many years now. He's a good guy as far as I can see. He's also entertaining from a technical POV. Moreover, he doesn't seem to be a MS yes man, either. And when he points out stuff like this, which no one will ever be able to lay solid claim/blame for, at least there is some meaningful basis to his comments. As far as I can tell, he's definitely not nutty and certainly not full of shit. Perhaps he's a bit like the boy who cries wolf, because he comes up with stuff that is potentially a big deal...but ends up not being so because of his efforts. Perhaps he should be elevated to some kind of PC sainthood. :)

Brian Weeden wrote:
> Okay this is from the SysInternals writeup (very good btw, thanks for the link). Here is what Gibson based his conclusions on:
>
> 1. There is no need for WMF files to include support for the SetAbortProc API.
> 2. Even if an abort procedure is set by a WMF file, Windows shouldn't execute it unless some abort condition is triggered, which should never occur when executing a WMF file.
> 3. He could only get his WMF file's abort procedure to execute when he specified certain invalid values for the size of the record containing the SetAbortProc command.
> 4. Windows executes code embedded within the SetAbortProc record rather than expect the record to reference a procedure within the application executing the WMF file.
>
> Given that same sort of evidence I would have concluded the same exact thing. And I hope many of the other security professionals would have as well. SysInternals goes on to explain why some of Gibson's reasoning was incorrect, and I can see where he made his mistakes.
> But then there is this comment that follows the blog (one of many good ones):
>
>> While I applaud your efforts to explain the *details* of this vulnerability (and nicely done too) and why it may have been allowed to exist, there's one point Gibson brought up you didn't cover: Why, if as you claim that this was seen as a 'feature' in days so long ago (Win 3.x) that code inside a .wmf file could rely upon 'hard-coded addresses when patches didn't exist,' did Microsoft make sure embedded-code-execution couldn't happen under Windows 9x (in fact adding extra code to keep it from ever doing so!) yet still allow it (or more correctly added it to?) their Windows NT series? Therefore, it seems at least one person in the 'NT development' dept. (who could have checked how Windows 9x handled .WMF files) chose to allow for arbitrary code execution instead. It's not a coding error: The 'mistake' was for Microsoft during many code reviews to allow it to continue that way in Win 2000, XP and beyond until an exploit finally made use of it!
>
> And this one:
>
>> Mark, I don't claim to be the expert that either you or Steve Gibson are. I am fans of both and have been for many years. But there is one flaw in your argument that even I can spot. You stated, about the ability to run code inline with the SetAbortProc: "The actual reason is lost with the original developer of the API, but my guess is that he or she was being as flexible as possible." That defines a back door. Code put in place by a developer that is not documented in the requirements or specifications! This may not be a back door intentionally placed by Microsoft, but it smells awfully much like a backdoor put in intentionally by someone at Microsoft.
>
> I completely agree. Gibson and the guy at SysInternals came up with the exact same results. One concluded that it was a backdoor, the other concluded that it was bad code written for an unknown reason, which could be exploited as a backdoor.
> IMHO, everyone who looks at this function and code knows what it is. Gibson is the only security expert with the balls to call it what everyone is thinking - a backdoor. And it's because you cannot prove it one way or the other. Everyone else doesn't want to risk the wrath of M$ unless they have proof.
>
> And even the term backdoor can be used differently. It's like the difference between hacker and cracker. To us geeks there is a subtle but real difference between those camps. To the non-geek world they are exactly the same. I think the same semantics is at play here between the words badly coded feature and backdoor.
>
> The other thing I can't understand is why there seems to be a very vocal number of people out there who seem to use every single opportunity to bash and flame and destroy Gibson. I've been through all his stuff and I think the worst he can be accused of is sometimes going overboard on the ramifications of some of the problems he has found.
>
> -- Brian
Re: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
I was dismayed about the spinrite (dis)info I found on grcsucks.com.

Anthony Q. Martin wrote:
> I really don't get why folks like to bash Gibson. I've been reading

--
Cheers, joeuser (still looking for the 'any' key)
[H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
http://www.informationweek.com/news/showArticle.jhtml%3Bjsessionid%3DKAJMC5WZJL0XQQSNDBGCKHSCJUMEKJVN?articleID=177100970
Re: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
Listen to episode 22: http://grc.com/securitynow.htm

This was on Digg last week. Every person that I have heard saying Gibson is a moron over this has not had their facts straight. Listen to the podcast, look at his reports, hell look at his source code. His argument is that you need 2 or 3 very specific things to happen to trigger the WMF vulnerability, things that prevent the WMF files from working as intended. Which in my mind is the exact definition of a backdoor.

Of course M$ will deny it. The only other option is to say yes, one of two things are true:

1. We have a rogue programmer who put their own backdoor in all versions of our software since win2k
2. We deliberately put in a backdoor so we can access and patch every copy of windows in an emergency, even if they have firewalls and autoupdate disabled.

-- Brian
Re: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
At 11:41 AM 20/01/2006, Brian Weeden wrote:
> His argument is that you need 2 or 3 very specific things to happen to trigger the WMF vulnerability, things that prevent the WMF files from working as intended. Which in my mind is the exact definition of a backdoor.

He backpedaled on this wildly this week, of course.

T
Re: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
At 01:09 PM 1/20/2006, Thane Sherrington (S) typed:
> He backpedaled on this wildly this week, of course.

That wouldn't be because of legal pressure from MSFT's atty now would it? ;-)

--+-- Wayne D. Johnson Ashland, OH, USA 44805 http://www.wavijo.com
RE: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
If you're going to put a backdoor you would want to put it in something that is remotely exploitable like a network service or something. You don't want to have to socially engineer the user of the computer to either download your attachment or visit a website. That's too much work especially if it's supposedly a conspiracy to be able to access any computer.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Weeden
Sent: Friday, January 20, 2006 7:41 AM
To: The Hardware List
Subject: Re: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft

Listen to episode 22: http://grc.com/securitynow.htm

This was on Digg last week. Every person that I have heard saying Gibson is a moron over this has not had their facts straight. Listen to the podcast, look at his reports, hell look at his source code. His argument is that you need 2 or 3 very specific things to happen to trigger the WMF vulnerability, things that prevent the WMF files from working as intended. Which in my mind is the exact definition of a backdoor.

Of course M$ will deny it. The only other option is to say yes, one of two things are true:

1. We have a rogue programmer who put their own backdoor in all versions of our software since win2k
2. We deliberately put in a backdoor so we can access and patch every copy of windows in an emergency, even if they have firewalls and autoupdate disabled.

-- Brian
Re: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
I'm still waiting for the internet to break like Steve Gibson said it would when Windows 2000 was released.

Mesdaq, Ali wrote:
> If you're going to put a backdoor you would want to put it in something that is remotely exploitable like a network service or something. You don't want to have to socially engineer the user of the computer to either download your attachment or visit a website. That's too much work especially if it's supposedly a conspiracy to be able to access any computer.
Re: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
At 02:13 PM 20/01/2006, Wayne Johnson wrote:
> At 01:09 PM 1/20/2006, Thane Sherrington (S) typed:
>> He backpedaled on this wildly this week, of course.
>
> That wouldn't be because of legal pressure from MSFT's atty now would it? ;-)

What? Pressure from MS? That's nuts!

T
RE: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
At 02:21 PM 20/01/2006, Mesdaq, Ali wrote:
> If you're going to put a backdoor you would want to put it in something that is remotely exploitable like a network service or something. You don't want to have to socially engineer the user of the computer to either download your attachment or visit a website. That's too much work especially if it's supposedly a conspiracy to be able to access any computer.

His argument is it's a backdoor to allow MS to run code on your computer when you visit their webpage, even if the browser is completely locked down. I think it's a very reasonable argument, and seems to fit with MS's practices. Rather than fixing bugs and security problems, they spend time and money on poorly thought out copy protection.

T
Re: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
At 02:49 PM 20/01/2006, Ben Ruset wrote:
> I'm still waiting for the internet to break like Steve Gibson said it would when Windows 2000 was released.

It did. You missed it. :)

T
Re: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
Any day now...

Ben Ruset wrote:
> I'm still waiting for the internet to break like Steve Gibson said it would when Windows 2000 was released.

--
Cheers, joeuser (still looking for the 'any' key)
Re: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
At 02:00 PM 1/20/2006, Thane Sherrington (S) typed:
> What? Pressure from MS? That's nuts!

You don't think Steve might have heard from some MSFT atty's after that scathing article? If one makes false claims without documentation or without stating that this is my opinion then he certainly might have heard from their atty's.

--+-- Wayne D. Johnson Ashland, OH, USA 44805 http://www.wavijo.com
Re: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
On 1/20/06, Wayne Johnson [EMAIL PROTECTED] wrote:
> You don't think Steve might have heard from some MSFT atty's after that scathing article? If one makes false claims without documentation or without stating that this is my opinion then he certainly might have heard from their atty's.

If anyone bothered to actually listen to the original podcast or read the transcript, he did say this was his opinion and he did say that he had no proof and no way to verify it. I still agree with his thoughts, although we will never know the truth.

-- Brian
Re: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
At 03:17 PM 1/20/2006, Brian Weeden typed:
> If anyone bothered to actually listen to the original podcast or read the transcript, he did say this was his opinion and he did say that he had no proof and no way to verify it.

Sorry, I did not read the transcript. As long as he was just stating his opinion then he can say anything he wants. It's up to us to determine if we need Joe User's tin hat or not. ;-)

--+-- Wayne D. Johnson Ashland, OH, USA 44805 http://www.wavijo.com
Re: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
At 13:49 01/20/06, Ben Ruset wrote:
> I'm still waiting for the internet to break like Steve Gibson said it would when Windows 2000 was released.

Gibson warned about the inclusion of raw sockets in Win2k. Everyone laughed. Since then, Microsoft has quietly eliminated the raw sockets with patches. To his credit, Gibson never made a big deal about their elimination.

Regards, Bill
Re: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
Gibson needs the tin foil hat... www.grcsucks.com I think is the address

Wayne Johnson wrote:
> Sorry, I did not read the transcript. As long as he was just stating his opinion then he can say anything he wants. It's up to us to determine if we need Joe User's tin hat or not. ;-)

--
Cheers, joeuser (still looking for the 'any' key)
Re: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
Everyone laughed because raw sockets is not a real problem. *nix systems have had the ability to generate raw sockets for years. Things like clustering and VRRP depend on the ability to generate packets that appear to come from virtualized (or spoofed!) IP addresses.

Bill Cohane wrote:
> At 13:49 01/20/06, Ben Ruset wrote:
>> I'm still waiting for the internet to break like Steve Gibson said it would when Windows 2000 was released.
>
> Gibson warned about the inclusion of raw sockets in Win2k. Everyone laughed. Since then, Microsoft has quietly eliminated the raw sockets with patches. To his credit, Gibson never made a big deal about their elimination.
>
> Regards, Bill
Re: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
At 20:06 01/20/06, Ben Ruset wrote:
> Everyone laughed because raw sockets is not a real problem. *nix systems have had the ability to generate raw sockets for years. Things like clustering and VRRP depend on the ability to generate packets that appear to come from virtualized (or spoofed!) IP addresses.

Raw sockets on Windows could have been a much bigger problem than those *nix systems because for every *nix system user, there were probably a thousand clueless people using Windows. Besides the fact that there aren't as many *nix users (as Windows users), most of those *nix users are not so clueless.

I don't see why people are so quick to attack Gibson. He puts out many free security utilities and spends a lot of effort educating Windows users.

Regards,
Bill
Re: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
Raw sockets itself is not a problem. For a given Unix system the majority of people who have the power to use raw sockets know how to do it properly. Gibson's beef was that you now have millions of copies of Windows 2000 with raw sockets on by default and every single copy could be infected by malware/viruses that abuse raw sockets. He argued that there was no good reason to include them in Windows 2000 because no average Windows user knew enough to use them properly or needed them. And it left a huge hole that could be exploited. Which it was by every worm and virus that rampaged the net in the last few years.

Doesn't anyone actually listen to what people say before they spout off?

On 1/20/06, Ben Ruset [EMAIL PROTECTED] wrote:
> Everyone laughed because raw sockets is not a real problem. *nix systems have had the ability to generate raw sockets for years. Things like clustering and VRRP depend on the ability to generate packets that appear to come from virtualized (or spoofed!) IP addresses.
>
> Bill Cohane wrote:
>> At 13:49 01/20/06, Ben Ruset wrote:
>>> I'm still waiting for the internet to break like Steve Gibson said it would when Windows 2000 was released.
>>
>> Gibson warned about the inclusion of raw sockets in Win2k. Everyone laughed. Since then, Microsoft has quietly eliminated the raw sockets with patches. To his credit, Gibson never made a big deal about their elimination.
>>
>> Regards,
>> Bill

--
Brian
Re: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
Raw sockets support is not something that you turn on or turn off. It's part of the TCP/IP stack. I mean, I guess they could have shipped a crippled TCP/IP stack with Windows 2000 Pro and left raw socket support in Win2k Server, but then you're talking about maintaining two codebases for a problem that just simply is not a big deal.

I understand the argument that Gibson was trying to make. All I'm saying is that it's stupid to bash Windows for having a feature that's part of TCP/IP. I don't think that your average Linux user would know enough to use or need raw socket support either.

Brian Weeden wrote:
> Raw sockets itself is not a problem. For a given Unix system the majority of people who have the power to use raw sockets know how to do it properly. Gibson's beef was that you now have millions of copies of Windows 2000 with raw sockets on by default and every single copy could be infected by malware/viruses that abuse raw sockets. He argued that there was no good reason to include them in Windows 2000 because no average Windows user knew enough to use them properly or needed them. And it left a huge hole that could be exploited. Which it was by every worm and virus that rampaged the net in the last few years.
>
> Doesn't anyone actually listen to what people say before they spout off?
Re: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft
And a very well-written rebuttal (by someone a hell of a lot more reputable than Gibson):

http://www.sysinternals.com/blog/2006/01/inside-wmf-backdoor.html

Or, would you like to tell him he doesn't have his facts straight, either?

Is it possible Steve is right? Yeah, it is possible. Is it anywhere near likely? Reading Mark's rebuttal, I think the answer is a pretty definitive hell no.

- Original Message -
From: Brian Weeden [EMAIL PROTECTED]
To: The Hardware List hardware@hardwaregroup.com
Sent: Friday, January 20, 2006 9:41 AM
Subject: Re: [H] Nutty Steve Gibson claims WMF bug was planted by Microsoft

Listen to episode 22: http://grc.com/securitynow.htm

This was on Digg last week. Every person that I have heard saying Gibson is a moron over this has not had their facts straight. Listen to the podcast, look at his reports, hell look at his source code.

His argument that you need 2 or 3 very specific things to happen to trigger the WMF vulnerability, things that prevent the WMF files from working as intended. Which in my mind is the exact definition of a backdoor.

Of course M$ will deny it. The only other option is to say yes, one of two things are true:

1. We have a rogue programmer who put their own backdoor in all versions of our software since win2k
2. We deliberately put in a backdoor so we can access and patch every copy of windows in an emergency, even if they have firewalls and autoupdate disabled.

--
Brian