[Many politechnicals have sent along this link describing distributed denial of service attacks, which is relevant: http://grc.com/dos/grcdos.htm --Declan]

********

Date: 02 Jun 2001 12:26:58 -0400
From: Jered Floyd <jeredat_private>
To: declanat_private
Cc: steveat_private
Subject: Re: FC: Time to get restraining order against Windows XP for bad security?

Declan McCullagh <iat_private> writes:

> Windows XP reportedly -- I have not verified this -- includes a
> default configuration that permits IP spoofing. IP spoofing can
> result in security breaches unless countermeasures such as
> encryption are used.

As well they should. Anything that increases the use of end-to-end security on the Internet is a good thing.

But, do tell me, how is this configuration any different from, oh, any UNIX-based operating system? root users have been able to open raw sockets and spoof addresses for years and years. Are Mr. Gibson and Mr. Crocker going to go on a crusade against all Linux distributions next?

--Jered

********

Date: Sat, 02 Jun 2001 12:37:59 -0400
To: Jered Floyd <jeredat_private>
From: Steve Crocker <steveat_private>
Subject: Re: FC: Time to get restraining order against Windows XP for bad security?
Cc: declanat_private, steveat_private

I applaud the success of Linux, but Linux and Windows differ in a few crucial respects.

1. There are many, many more Windows systems on the net than Linux.

2. The average sophistication of Windows users is far less than Linux users.

3. Windows systems are far easier to penetrate than Linux systems.

The issue in this thread is not whether it's possible for the owner of the system to send out hostile packets but whether third parties, including 13 year old children, can orchestrate widespread penetrations of computers of unsuspecting users, and then use those computers to mount distributed denial of service attacks on whatever site catches their attention.
Steve

********

Date: 02 Jun 2001 14:26:59 -0400
From: Jered Floyd <jeredat_private>
To: Steve Crocker <steveat_private>
Cc: declanat_private
Subject: Re: FC: Time to get restraining order against Windows XP for bad security?

Steve,

I appreciate the quick reply! I certainly agree that your three points are currently true:

> 1. There are many, many more Windows systems on the net than Linux.
>
> 2. The average sophistication of Windows users is far less than Linux users.
>
> 3. Windows systems are far easier to penetrate than Linux systems.

However all signs point to this rapidly changing. Linux market share is increasing, and commodity OSes like Mac OS X are based around UNIX-like environments. The average sophistication of a UNIX user is dropping and will continue to drop as more embedded and light-weight systems are built around stable OSes. The fact that Windows systems are easier to penetrate is strongly dependent on the fact that there are a) more Windows systems, so they are a more enticing target, and b) Microsoft has been extremely lax about their security policies.

In the not-too-distant future, it is likely that your 3 points will not hold. At that point in time, will you then recommend that all UNIX vendors disable the ability to open raw sockets? As little as I am inclined to defend Microsoft, it seems in this case to be unfair to ask them to explicitly do less than other OSes; it's certainly unfair to do so through legal means.

One could argue that, "Windows users are not sophisticated enough to need extended functionality from their operating system," I suppose. But IP spoofing is an issue that can be (and is) addressed through other means. For example, many ISPs now enforce egress packet filtering, so that packets from addresses not belonging to them are blocked.

If you want to attack Microsoft for being a bad network citizen, there are far better examples of their misbehaviour. Allowing IP spoofing is not a violation of Internet standards.
On the other hand, in Windows 2000 Microsoft introduced a 'Go Faster' button; a checkbox on the network control panel to optimize network performance. What this option does is tell Windows to ignore peer requests on TCP window sizes, used for congestion control on busy networks. Windows instead always uses the largest window size, which optimizes *your* connection, but essentially disables all non-Windows machines on your network. This explicitly violates the TCP specification.

I would much rather see an attempt to get a restraining order against Microsoft for that reason, rather than for providing a service other OSes already offer.

--Jered

********

Date: Sat, 02 Jun 2001 13:06:09 -0700
To: declanat_private
From: Bill Stewart <bill.stewartat_private>
Subject: Re: FC: Time to get restraining order against Windows XP for bad security?
Cc: politechat_private, steveat_private
In-Reply-To: <5.0.2.1.0.20010601205617.025a2bf0at_private>

Declan - I wasn't going to send this comment to Dave Farber's list, but your politech list is a less formal setting so here's my comment.

Steve's suggestion that MS should be encouraged to ship their software in a configuration that's less capable of causing new damage as well as less capable of being infected is good, and is something they've been flamed about for years.

But suggesting a temporary restraining order is highly inappropriate. Legislatures and judges generally don't have the technical smarts to make rulings about issues like that that understand the complex implications of their orders beyond the initial goals they're trying to achieve.

Furthermore, the obvious implementation of such an order wouldn't help the problem, because the invader who takes over a system to install the DDOS clients owns the machine thoroughly enough that they can install a fix that repairs the inability to spoof. (A script kiddie probably couldn't write such a thing, but somebody with real hacking skills could, and the kiddies could use it.)
Also, Linux and the BSD operating systems have spoofing capabilities now.

And annoying as it is to an old Unix hacker to have to say this, but my Windows machine on DSL has never been broken into, while the Linux machine on the same LAN has been trashed repeatedly, though nobody's bothered it since I installed RedHat 7.1, which has a more secure default configuration. This is partly because the Windows machine runs Win95 and Netscape 3, doesn't get used for anything dangerous like IRC or gaming, and the only servers on it aren't well-known targets.

********

Date: Fri, 1 Jun 2001 18:54:18 -0700
From: Troy Davis <troyat_private>
To: declanat_private
Subject: Re: FC: Time to get restraining order against Windows XP for bad security?
In-Reply-To: <5.0.2.1.0.20010601205617.025a2bf0at_private>; from iat_private on Fri, Jun 01, 2001 at 09:09:18PM -0400

On Fri, Jun 01, 2001 at 09:09:18PM -0400, Declan McCullagh <iat_private> wrote:

> Windows XP reportedly -- I have not verified this -- includes a default
> configuration that permits IP spoofing. IP spoofing can result in security
> breaches unless countermeasures such as encryption are used. Background:
> http://www.linux.com/security/newsitem.phtml?sid=11&aid=8999
> http://webopedia.internet.com/TERM/I/IP_spoofing.html

Should Windows be afforded less flexibility to add features than, say, Unix? Just about every variant

I run Unix and can't say I welcome the idea of every Windows luser having the ability to start a smurf attack or spoofed SYN flood, but I also don't think Microsoft is the one to fault here; they're adding a feature that competitive operating systems already have.

The folks to complain about (and to) are ISPs that aren't filtering traffic with source IPs not within their netblocks (ie, spoofed traffic).

Cheers,

Troy

********

From: "David Klotz" <buckyat_private>
To: <declanat_private>
Subject: Re: Time to get restraining order against Linux?
Date: Sat, 2 Jun 2001 08:38:16 -0500

Declan,

This may relate to the fact that Microsoft has now implemented TCP/IP correctly, which means that users of XP can now spoof IP addresses. In previous versions of Windows, the implementation was done incorrectly. This "feature" made it impossible to spoof IP addresses on Win9X or NT 4.0 and below.

I would like to point out to all the MS bashers out there that Linux "by default" comes enabled to allow spoofing. Anyone can install Linux on their computers and with a simple precompiled app, or a set of C libraries for the more adventurous, can spoof to their heart's content. Despite this, I've never seen an email stating "Time to get a restraining order against RedHat for bad security"...

Dave Klotz

********

Date: Sat, 02 Jun 2001 15:01:05 +1200
To: Declan McCullagh <declanat_private>
From: Craig Carey <researchat_private>
Subject: Spoofing scanning: Microsoft is right

>>Date: Fri, 01 Jun 2001 14:24:09 -0400
>>To: farberat_private
>>From: Steve Crocker <steveat_private>
>>Subject: TRO for W2K and XP?
>>
>>Perhaps Microsoft should be encouraged to ship W2000 and XP with stronger
>>security and a default configuration that prevents IP spoofing. I think
>>it's inappropriate for a major vendor to release a product which has a
>>high likelihood of causing its purchasers security problems and which
>>will be used as a platform for attacks on others. A temporary
>>restraining order might be a reasonable form of "encouragement."

What an unfriendly comment. If they had that security, direct writes to the port would have to be done, or else people would install the more friendly of FreeBSD and Linux.

I am getting near to finishing a 1,600 line program named "The Razor" that allows simulation of hacking attacks. It is coded in Ada 95 and it uses libnet PPS.

In October 1999 I sent by accident 136 HTTP get requests to port 6000 when surveying for ports holding proxies and my ISP's ISP then tried to shut me down by taking the ISP offline.
The man was misled into believing I had lost telnet access. He said that the Swedish embassy had contacted the NZ Police and was trying to stop me scanning. A subsequent and delayed Official Information Act 1982 request to the NZ Police uncovered nothing. The Police sometimes like to handle those requests well.

I complained about my ISP to the Privacy Commissioner who informally investigated immediately prior to my having to leave. In a letter from the Office of the Privacy Commissioner I explained that I would be likely writing software to spoof hacking to allow me and others to shut down censoring. As I reasoned, it was no hindrance to an investigation by the Privacy Commissioner, even though USA would be a likely target (and certainly Sweden will be at a slight risk).

The ISPs network administrators seem to oppose censoring too readily over here, partly out of a concern at all that unfriendly mail that comes from USA network admins saying that "others may be at risk". It would take perhaps 1000 complaints from USA alleging others are at risk but I am not, before the start of something a lawyer could take an interest in would appear. If a US person intrudes into 1 PC then they are in a lot of legal trouble, but with perhaps 10 embassies involved and some expecting more than weak explanations about the low security the entire USA (not poor Microsoft) has, then once that is fixed then some hindrances about prosecuting would be fixed.

I only just opened my letter from the Privacy Commissioner in the last 15 minutes. The NZ ISP is sure to disregard any request from the Privacy Commissioner. He has already lost privacy wrt. the upstream ISP over not supplying my 136 complaints.

Then I set up a group and attacks are bartered. This is a part of new rationale behind that small US company keeping the raw sockets options. If they don't they could be a target. I ran a test and I found out that spoofing attacks seem to be totally safe when done from one rather large NZ ISP.
http://www.privacy.org.nz/legislation/legislation.html
(principle 6 allows access)

I don't know who this man is, but at least in NZ the Office of the Privacy Commissioner is in favor of IP number spoofing attacks of American government and private sector agencies, or at least the rigour and flawless scrutinisability of their reasoning allows that view to be simulated. I would be discontent if in USA, where you have no Privacy Commissioner that is a model part of the government like the Ombudsman (both free to use) but instead the Secret Service.

PS. I was reading your messages. Over here the Privacy Commissioner would rule against publishing Social Security numbers. The information is held for a purpose and publishing it does not agree with purpose (principle 11) (ditto 'leaking' under principle 5).

The ISU is censoring my homepage and proxy-methods-list mailing list and I want to have them and the Interior Minister, Nayef whatshisname, stop that and take it back to how it was at about January 2001.

E-mail: Craig Carey <researchat_private> (backup terratopeat_private)
Auckland, NZ.
STV, voting method too flawed to use in NZ: http://www.ijs.co.nz/ifpp.htm

********

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Sat Jun 02 2001 - 13:31:00 PDT