Steve Gibson really is off his rocker

Sorry y'all....


My recent column ridiculing security specialist Steve Gibson's claim that raw-socket functionality slated for Windows XP is a major threat attracted more flames than I can hope to post on this page.

Briefly, Gibson predicts that the ability of XP's raw sockets to send and forward spoofed packets will result in massive denial of service attacks which no one will be able to stop. I say he's loopy.

Most e-mail critics claimed that I'd missed Gibson's central point, which is that XP boxes will be used as "zombies" (as the half-tech press likes to call infected clients) to forward packets from a malicious operator, because I'd written:

We'll allow that there'll be a few s'kiddies who might prefer to use their Win-XP boxes for such purposes. But they can already do so simply by installing Linux and doing a bit of reading.

Apparently, many failed to read further, because in the next paragraph I did recognize the "zombie" potential:

There will also be more Windows clients available for malicious misuse as XP grows in popularity; but one can already do heaps of packeting from Windows machines with SubSeven, and even launch the attack in bulk from IRC.

Of course I dismissed Gibson's exaggerated concerns about it:

The boxes will eventually be found because their IPs are traceable, and admins will contact the owners and let them know they're infected -- but only long after the damage is done. Raw sockets in XP only marginally improve the situation for a malicious party.

Perhaps my phrasing wasn't quite transparent enough - so let me spell it out clearly this time: Steve Gibson is talking absolute bollocks.

Here's why:

As I pointed out in the previous article, malicious kiddies can already take over Windows machines with Trojans like SubSeven and use them for heavy packeting without the owner's knowledge. Raw socket functionality does not in itself make a machine more or less vulnerable to such infection.

Furthermore, malicious operators can already do heaps of packet damage using Windows clients without spoofing. Gibson is right that spoofing makes packets nearly impossible to filter, but filtering isn't the answer to a severe packet attack, as anyone who's had to deal with one can attest.

The real solutions to packeting are capital intensive, like load balancing and content distribution. Unfortunately, they're quite expensive solutions, and few besides well-heeled commercial entities can afford to put them to use.

Gibson learned that much for himself the hard way; he finally had to cry uncle to a thirteen-year-old packeteer named "Wicked", even though the kid tormenting him wasn't using compromised boxes capable of sending spoofed packets. Nevertheless Gibson - a security expert - couldn't make it stop.

Gibson's attempts at filtering were rarely more than briefly effective and caused him and his ISP days of exasperation, according to his own account. So if packeting without spoofing is already brutally effective, why does he insist that the inability to filter XP-forwarded packets will lead to an Internet melt-down?

Because he's loopy, that's why.

Gibson is ranting as if raw sockets are going to multiply the number of infected machines connected to the Internet. But that simply isn't true; the same primary obstacle to getting an attack started remains, spoofing or none, as Microsoft pointed out in their well-reasoned reply to Gibson: an attacker first has to compromise a number of client machines with which to packet the target system.

Let's say just for fun that there's a consistent number of infected Windows machines x on the Net. There's nothing in Gibson's reckoning which affects that number. There's nothing in Windows XP that affects it, and nothing in raw sockets either. We still have x victims out there.

We've seen from Gibson's account that dealing with a packet attack in the absence of spoofing is a ghastly pain. I allow that the spoofing potential of XP raw sockets will make it somewhat more of a pain, but a bit worse than horrible is nothing to shriek about.

In spite of Gibson's paranoid three-storey-tall red lettering and multiple exclamation points and bold-bordered tables, nothing in XP is going to increase the number of infected victims.

He shows contempt for Windows users, assuming they're all complete idiots (presumably with the circular argument that they must be morons because they're using Windows), and strongly implies that they can only hurt themselves with a fully-featured OS.

Gibson writes it in giant letters:

When those insecure and maliciously potent Windows XP machines are mated to high-bandwidth Internet connections, we are going to experience an escalation of Internet terrorism the likes of which has never been seen before.

Madness writ large. The man seriously needs a holiday. ®

