[ISN] Steve Gibson really is off his rocker

From: InfoSec News (isnat_private)
Date: Mon Jun 25 2001 - 02:48:45 PDT

  • Next message: InfoSec News: "Re: [ISN] USA Today as DoD cyber-war propaganda mouthpiece"

    By Thomas C Greene in Washington
    Posted: 25/06/2001 at 08:38 GMT
    My recent column ridiculing security specialist Steve Gibson's claim
    that raw-socket functionality slated for Windows-XP is a major threat
    attracted more flames than I can hope to post on this page.
    Briefly, Gibson predicts that the ability of XP's raw sockets to send
    and forward spoofed packets will result in massive denial of service
    attacks which no one will be able to stop. I say he's loopy.
    Most e-mail critics claimed that I'd missed Gibson's central point,
    which is that XP boxes will be used as "zombies" (as the half-tech
    press likes to call infected clients) to forward packets from a
    malicious operator, because I'd written:
    We'll allow that there'll be a few s'kiddies who might prefer to use
    their Win-XP boxes for such purposes. But they can already do so
    simply by installing Linux and doing a bit of reading.
    Apparently, many failed to read further, because in the next paragraph
    I did recognize the "zombie" potential:
    There will also be more Windows clients available for malicious misuse
    as XP grows in popularity; but one can already do heaps of packeting
    from Windows machines with SubSeven, and even launch the attack in
    bulk from IRC.
    Of course I dismissed Gibson's exaggerated concerns about it:
    The boxes will eventually be found because their IPs are traceable,
    and admins will contact the owners and let them know they're infected
    -- but only long after the damage is done. Raw sockets in XP only
    marginally improve the situation for a malicious party.
    Perhaps my phrasing wasn't quite transparent enough -- so let me spell
    it out clearly this time: Steve Gibson is talking absolute bollocks.
    Here's why:
    As I pointed out in the previous article, malicious kiddies can
    already take over Windows machines with Trojans like SubSeven and use
    them for heavy packeting without the owner's knowledge. Raw socket
    functionality does not in itself make a machine more or less
    vulnerable to such infection.
    Furthermore, malicious operators can already do heaps of packet damage
    using Windows clients without spoofing. Gibson is right that spoofing
    makes packets nearly impossible to filter, but filtering isn't the
    answer to a severe packet attack, as anyone who's had to deal with one
    can attest.
    The real solutions to packeting are capital intensive, like load
    balancing and content distribution. Unfortunately, they're quite
    expensive solutions, and few besides well-heeled commercial entities
    can afford to put them to use.
    Gibson learned that much for himself the hard way; he finally had to
    cry uncle to a thirteen-year-old packeteer named "Wicked", even though
    the kid tormenting him wasn't using compromised boxes capable of
    sending spoofed packets. Nevertheless Gibson -- a security expert --
    couldn't make it stop.
    Gibson's attempts at filtering were rarely more than briefly effective
    and caused him and his ISP days of exasperation, according to his own
    account. So if packeting without spoofing is already brutally
    effective, why does he insist that the inability to filter
    XP-forwarded packets will lead to an Internet melt-down?
    Because he's loopy, that's why.
    Gibson is ranting as if raw sockets are going to multiply the number
    of infected machines connected to the Internet. But that simply isn't
    true; the same primary obstacle to getting an attack started remains,
    spoofing or none, as Microsoft pointed out in their well-reasoned
    reply to Gibson: an attacker first has to compromise a number of
    client machines with which to packet the target system.
    Let's say just for fun that there's a consistent number of infected
    Windows machines x on the Net. There's nothing in Gibson's reckoning
    which affects that number. There's nothing in Windows-XP that affects
    it, and nothing in raw sockets either. We still have x victims out
    We've seen from Gibson's account that dealing with a packet attack in
    the absence of spoofing is a ghastly pain. I allow that the spoofing
    potential of XP raw sockets will make it somewhat more of a pain, but
    a bit worse than horrible is nothing to shriek about.
    In spite of Gibson's paranoid three-storey-tall red lettering and
    multiple exclamation points and bold-bordered tables, nothing in XP is
    going to increase the number of infected victims.
    He shows contempt for Windows users, assuming they're all complete
    idiots (presumably with the circular argument that they must be morons
    because they're using Windows), and strongly implies that they can
    only hurt themselves with a fully-featured OS.
    Gibson writes it in giant letters:
    When those insecure and maliciously potent Windows XP machines are
    mated to high-bandwidth Internet connections, we are going to
    experience an escalation of Internet terrorism the likes of which has
    never been seen before.
    Madness writ large. The man seriously needs a holiday.
    ISN is hosted by SecurityFocus.com
    To unsubscribe email isn-unsubscribeat_private

    This archive was generated by hypermail 2b30 : Mon Jun 25 2001 - 03:38:37 PDT