Steve Gibson walks on water; you're a moron, and so's your old man

Everyone's an expert


Dear Mr. Greene,
While I don't want to come across as strident, you don't seem to have read the "thousands of words on his Web site" you mention Steve Gibson as having written. There is one reason, and one reason only, that he believes the raw-socket capability in WinXP is going to lead to chaos - its use in zombie machines for DDoS attacks and the inability of ISPs to effectively filter out packets with spoofed IP addresses at the target router.

Of course all unix and unix-like machines already have this capability. Certainly it can be added to existing versions of Windows. Yes, DDoS attacks can now be launched from Win95 machines subverted by SubSeven trojans or IRC 'bots. None of that is an issue.

The issue is that:

1) There are thousands of Windows machines left running 24x7 on broadband networks (primarily @Home and RoadRunner) by clueless owners who have made no attempt at securing them.

2) DDoS attacks originating from even a large number of such machines can be filtered - at the point nearest the victim - by ISPs' high-bandwidth routers before they shut down lower-bandwidth customer links, if the source IP addresses are real and unchanging.

3) Hundreds of WinXP machines launching a DDoS attack using forged, possibly rapidly varying, IP addresses will not be filterable by the targeted victim's ISP, and will without doubt succeed in swamping his/her link.

Gibson (and others) aren't worried about WinXP or Linux machines in the hands of script kiddies, as you suggest. Nor are they especially worried about the ability of ISPs to trace infected machines and notify the owners, since none of the ISPs Gibson contacted showed any willingness to do this now. Your statement:

"True, the boxes will eventually be found because their IPs are traceable, and admins will contact the owners and let them know they're infected -- but only long after the damage is done. Raw sockets in 'XP only marginally improve the situation for a malicious party. We really don't see an immense growth in packeting on the horizon."

completely misses the point of the unfilterability of IP packets with spoofed and variable IP addresses, by the victim's ISP (not the source ISP). I'm not sure whether or not Gibson is over-reacting, though if I had had his experience with a personal website I'd be awfully unhappy. But minimizing the problem of zombie machines provided with a raw socket interface is not a reasonable response to his concerns. And your further paragraph:

"According to Gibson's paranoid delusions, everyone with a computer is a potential criminal, and the only reason the entire Net population hasn't yet exploded in some mass orgy of evil is because Microsoft has thus far refrained from unleashing the uncontrollable power of the raw socket."

misrepresents everything he says in his admittedly voluminous web pages. I don't know whether you actually believe this summary, or whether you intended it as hyperbole, but it doesn't serve you, or your publisher, well.
--Mark McCutcheon
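
The filtering argument in points 2) and 3) of the letter above, as an added illustration that is not part of any reader's letter or of Gibson's own material: a victim-side filter learns a per-source blocklist from one window of flow records and applies it to the next. The addresses, the 400 zombies, the packet counts and the threshold are all constructed assumptions.

```python
import random
from collections import Counter
from ipaddress import IPv4Address

# Assumed policy: a source sending more than this many packets in one
# observation window is added to the blocklist at the upstream router.
THRESHOLD = 50


def window(zombies, legit, spoof, rng):
    """Build one window of constructed flow records: (claimed_source, is_attack).

    The filter only ever sees the *claimed* source address. With spoof=False
    each zombie uses its real, unchanging address; with spoof=True every
    packet carries a fresh random 32-bit source.
    """
    flows = []
    for z in zombies:
        for _ in range(200):  # constructed: 200 flood packets per zombie
            src = IPv4Address(rng.getrandbits(32)) if spoof else z
            flows.append((src, True))
    for c in legit:
        flows.extend((c, False) for _ in range(5))  # 5 packets per real client
    return flows


def build_blocklist(flows, threshold=THRESHOLD):
    """Sources whose packet count in the window exceeds the threshold."""
    counts = Counter(src for src, _ in flows)
    return {src for src, n in counts.items() if n > threshold}


def apply_filter(flows, blocklist):
    """Return (fraction of attack packets dropped, fraction of legit dropped)."""
    dropped, total = Counter(), Counter()
    for src, is_attack in flows:
        total[is_attack] += 1
        if src in blocklist:
            dropped[is_attack] += 1
    return dropped[True] / total[True], dropped[False] / total[False]


def simulate(spoof, seed=1):
    """Learn a blocklist in window 1, then measure its effect on window 2."""
    rng = random.Random(seed)
    # Constructed addresses: zombies in 10.0.0.0/8, legit clients in 172.16.0.0/12.
    zombies = [IPv4Address(0x0A000000 + i) for i in range(1, 401)]
    legit = [IPv4Address(0xAC100000 + i) for i in range(1, 301)]
    learned = build_blocklist(window(zombies, legit, spoof, rng))
    attack_drop, legit_drop = apply_filter(
        window(zombies, legit, spoof, rng), learned
    )
    return len(learned), attack_drop, legit_drop


if __name__ == "__main__":
    for label, spoof in (("real sources", False), ("spoofed sources", True)):
        n, attack_drop, legit_drop = simulate(spoof)
        print(f"{label}: {n} sources blocked, "
              f"{attack_drop:.0%} of attack dropped, "
              f"{legit_drop:.0%} of legitimate traffic dropped")
```

With real, unchanging sources the blocklist learned in the first window removes the whole flood in the second; with a fresh random source on every packet no address ever crosses the threshold, so the same filter has nothing to block.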

I've read your article and it seemed good... then I read Steve Gibson's homepage and became confused... were you talking about the same person whose page I saw?

"(...)so he's decided to exploit the very threat he claims will make the Internet permanently unstable"

The way you say this makes it seem it's just a madman. The way I read it, it was a controlled experiment to serve as proof of concept; they are two different things... I don't think his idea and work is to make internet

"All right, we'll allow that there'll be a few s'kiddies who might prefer to use their Win-XP boxes for such purposes. But they can already do so simply by installing Linux and doing a bit of reading."

You're losing the point here... the s'kiddie's computer doesn't need raw sockets... it doesn't participate in the "attack". The machines that he controls need it. So are you suggesting that a flood program be created that in an automated way converts win98, me, etc... into linux?

"There will also be more Windows clients available for malicious misuse as 'XP grows in popularity; but one can already do heaps of packeting from Windows machines with SubSeven, and even launch the attack in bulk from IRC."

That's the problem, and the only known way to work around it is to filter packets. With winxp, that will no longer be possible.

"Raw sockets in 'XP only marginally improve the situation for a malicious party."

If you call becoming "invisible", with capabilities to circumvent filters and make an attack unstoppable, a marginal thing... then you're right.

"Gibson, on the other hand, tells it like a loner in the desert, living, we would imagine, on locusts and wild honey for a bit too long a time."

You're not being intelligent and cordial here... it's just kind of an insult, I think... well... carry on...

"After being packeted into submission last month by a thirteen-year-old computer enthusiast called "Wicked", he's become obsessed with the mission of dissuading Microsoft from outfitting 'XP with the same capabilities as most of its competitors."

At first I thought this whole thing was a joke... when I saw the potential here... I'm getting a little horrified, let's see... We can make a program that can spoof packets and bypass filters, can be run on any port we want, can locate to a dynamic server and in the near future (see freenet project for a way of doing this) can detect infiltrated nodes and reject them. Remember that this stuff is not created by s'kiddies and it's released and used by them...

"According to Gibson's paranoid delusions, everyone with a computer is a potential criminal, and the only reason the entire Net population hasn't yet exploded in some mass orgy of evil is because Microsoft has thus far refrained from unleashing the uncontrollable power of the raw socket."

Here again, the way you wrote this... you make it seem that he says that everyone will actively participate in a computer crime, in an attack. If I hadn't read his page (and the majority didn't, I'm sure) I would be completely badly informed and with a bad impression of a man that's probably right. Raw sockets are for things other than normal internet use; they are there to provide the "pros" with power to improve things and do things in another way, not for the consumer just barely using the internet as it is... So, I share his idea when he says that personal computers can live well without raw sockets.
--Ricardo Cunha

Mr. Greene -
There was really no reason to "[sic]" Steve Gibson's quote, when all he did was use "Insure", the accepted American spelling, rather than "Ensure", the British spelling. In the US, "Ensure" is the trademarked name of a brand of liquid dietetic supplements for the aged and infirm.

Also, I would hardly refer to the author of SpinRite as a "Geek".
-- David Ratti

I rarely go out of my way to comment on a technical news article but this one I found so unprofessional I thought I would go ahead....

Firstly, your blasphemous use of scriptural quote, comparing the man to John the Baptist and then calling him paranoid & virtually placing the word "bastards" into his mouth - is really sick.

Secondly, the man is emphasizing the ease & prevalence of the exploit, not just the possibility. Your focus on the already-standing possibility shows you don't even realize what Gibson is talking about. The point is that hundreds of thousands of people do not use WinPcap or Linux. If WinXP becomes a desktop OS for the average Joe, it can be exploited by trojan bots by the thousands without owners' awareness.

I think you better revisit Gibson's story of the Wicked cracker and focus on this idea of ease and prevalence without OS owner awareness. It has nothing to do with current possibilities with WinPcap and

Dear Sir,
Windows XP makes MILLIONS of novice users' computers into Distributed Denial of Service (DDoS) platforms, capable of SYN floods and with anonymous spoofing of IP addresses enabled by default. These millions of newbies have no clue about security, much less about how to defend their PC's against malicious hackers with their trojans and 'bots.

This has never been the case before on UNIX/Linux/Win2K systems, mostly managed by expert users who are presumably aware of the security issues, and who set up firewalls as if their jobs depend on it, (which they do).

I trust Steve Gibson's analysis of the problem. He did his homework.
Yours Very Truly,
--Brian Eargle

Let me quote you first:
"The raw sockets which have Gibson so steamed enable a machine to send or capture data independent of the operating system -- quite handy if you're a software developer or an advanced hobbyist. And while it's true that this also enhances the packet-flooding capabilities of a Windows machine by making it easy to spoof packets, it's also true that this function is already included in most other operating systems, and can be added to an existing Win-9x, 'ME, or '2K machine quite easily with a library called WinPcap."

Now let me make sure I get this right. The only group you can show that MIGHT need this raw packet capability are advanced hobbyists and developers and there is a library available to them that they can use now. Right? Then why the hell does it need to be in the OS? I am a Microsoft developer since 1981 and have come to their defense on damn near all points, but this just seems harebrained to me. If these two are indeed the only groups benefiting, then why have it at all? Especially since, by your own admission, it can really make finding the source of a DDOS attack a pain.

Steve's right. You're wrong.
--Gary Shell

Dear Thomas,
I read your recent affirmation of your opinion of Steve Gibson. I thought I'd just write to point out why you are wrong.

Briefly, Steve Gibson is claiming that the launch of Windows XP, with the ability to write raw packets, will make the DDOS problem much worse.

You rebutted this by saying that a script kiddie can already send spoofed packets by installing linux, and that is true. But Steve Gibson is not claiming that this makes any difference. No single machine could run an effective DOS attack, and no malicious party would want to run the risk of being traced by sending it from their machine. You also said that the launch of Windows XP will not affect the number of people actually running compromised Windows machines. That is certainly true too. Again, this is not what Steve Gibson is claiming is the problem.

You claimed that dealing with a packet attack run from older Windows machines without packet spoofing is "a ghastly pain" and allowed that the spoofing potential of XP will make it "somewhat more of a pain". You imply that neither attack can be dealt with effectively. If you read Steve Gibson's long account of the attack on him carefully you will see that, after the initial surprise, he was usually able to counter the attacks 24-48 hours after they started, by filtering. It's quite clear that he was able to defend himself against the attacks once he figured out what was going on. To say that in this case filtering was "rarely more than briefly effective and caused him and his ISP days of exasperation" is simply misrepresentation.

You say "a bit worse than horrible is nothing to shriek about" and this is very weak. If "horrible" means an attack which knocks the website off the net until the routers can be configured to filter against the attack then "a bit worse" does not accurately describe an attack which cannot be defended against at all. Furthermore, spoofed packets are very difficult to trace.

Some other factual inaccuracies. You said "The boxes will eventually be found because their IPs are traceable, and admins will contact the owners and let them know they're infected". If you read Mr Gibson's original article you will see that in the large majority of cases this did not happen. The large ISPs were not interested in doing so.

You also cast doubt on his assertion that there will be lots of compromised Windows XP boxes around which hackers can use as zombies in a DDOS attack. This is presumably what you mean by "He shows contempt for Windows users, assuming they're all complete idiots". Apart from misrepresenting his claims as pejorative to Windows users, you can see that Mr Gibson's first experience with an attack clearly shows that even one 13 year-old hacker had access to hundreds of such boxes.

Finally, why the personal tone? You clearly disagree with what he's got to say but why is it necessary to attack the man and not the issue? Is it because your arguments are weak? As a journalist I would hope that you would take time to contact him and allow him to express his views in your article to counter your own.

By the way, I'm not connected to any party in this. I'm just a bit saddened by reading a personal and inaccurate attack.
--Dr Andrew Ker

I think you're missing the point of Steve Gibson's article (this isn't a flame per se - I'm trying to be informed)

This is what Steve said: "Thanks to the fact that the fleet of attacking machines were Windows PC's, they were unable to send TCP SYN packets to our port 80 (which would have crippled us completely), and were only able to flood us with UDP and ICMP packets (which we could temporarily ignore)"

Now what he seems to be saying is that at the moment, the most vulnerable machines to being "zombified" are Windows PC's... which is fair enough. You can buy them out of the box, plug them into a phoneline with little idea of what you're doing.

The only Win2K machines tend to be business users (protected by firewalls, antivirus software etc. or home users who have a bit more technical know-how). WinXP will have the Unix ports enabled, as Win2K does, the difference being that WinXP will be for home users as well.

Now I don't know the full technical details of ports enabled, what it enables you to do, but what he's saying seems to make sense to me. The number of machines on the internet isn't going to increase, the number of vulnerable machines on the internet isn't going to increase, but the number of vulnerable machines, with the potential to do a lot more damage is.

That's how I see it anyway. If you think I'm talking b*llocks (which is always a possibility) and you have any good links to where I can understand what I'm trying to talk about, feel free to let me know.
--not signed

You keep making a single flawed point - that packet filtering is ineffective against DDoS attacks. This is not true - packet filtering is frequently enough to see off an attack - the only caveat is that the filtering needs to be done at a high enough level (in the routing hierarchy) that the attacker's attacking bandwidth is less than that available at the filtering point.

You also seem to think that it always takes a long time to find the infected boxes "...only long after the damage is done". This is absolute rubbish - there are plenty of cases where the attacking IP's could be traced within minutes of the attack starting, and enabling machines to be blocked at the source ISP. You can get out your modem, dial freeserve and wahay - new IP address, and a safe connection on which to trace the attacking IPs. The only problem here is if the source ISP are lazy/stupid/etc and refuse to co-operate or e.g. don't bother turning up to the office most days.

From my reading of the Gibson article, the people he's really annoyed about are incompetent/negligent ISPs.
--Adam Martin

The minute you have one-tenth the knowledge that Steve Gibson has about internet security, maybe, maybe!, people will take your crap seriously. Your whole argument about Gibson being mad amounts to saying, "if it's bad enough already, who cares if it's made worse". That is utter and total crap! It's like saying, oh well, there's so much poverty in the world, let's just fire everyone and steal all their money, it won't make a difference because it's so bad already! Steve was not saying that WinXP will make more zombie infected machines, what he is saying is that it will make DDoS attacks much harder to block and stop. You said yourself that there is no effective way to stop packeting, well filtering works to a degree, and it's the only thing that works at all! If I.P's can be spoofed then there is no way whatsoever to stop packeting attacks. I guess the real point here is, does raw sockets support do anything besides allowing for spoofed packets? If it doesn't then it should be eliminated from WinXP because if it doesn't do anything BESIDES creating a massive security hole, then it's a bad thing and should be removed. If it does do something worthwhile, then it should be evaluated in contrast to what harm it can do. I do agree with you that Gibson is making too big a deal out of this, but it is a major issue and you shouldn't make light out of it.
--not signed

If you read his article you would see that he did mainly stop Wicked's attacks by filtering. Subsequent attacks he could not block, but if the worst came to the worst he could have at least blocked the IPs of most of the attacking machines. The fact he is an alleged security expert and he still could not stop the attacks should point to the serious nature of DDOS attacks and not take into question Steve Gibson's abilities.

The ability to spoof the source of packets makes them untraceable, without manually going into every router and switch in-between to see the current port allocation tables. Currently in a worst case scenario it's at least possible to trace a Windows machine. Remember Windows machines will make up the vast majority of DDOS clients (zombies).

I don't think he is -- I think perhaps you have missed the point of his article.

Also Microsoft's article somewhat conveniently fails to address some important points:

1) Microsoft OSes are by far the most common

2) They're used by people with little knowledge of computers on average, as compared to other OSes.

3) There are more Trojans around for Microsoft OSes (see point 1)

4) Most XP boxes will not be set-up by default to require all executing software be signed -- as 99% of users will have at least one piece of legacy software

5) Although many of Microsoft's points are valid they still do not stop someone downloading an executable which happens to contain a DDOS client and executing it. (Trojan)

I'm sorry, normally your articles are well written, but not this one. It sounds like you are angry more than anything else. Aren't you supposed to be writing an unbiased article?

I expect better from The Register.
--Stephen Bland

Hi Thomas,
I read your original article, and your defensive follow-up, and, to use your unbiased journalistic language, I thought it was bollocks.

Sure, Gibson's ransom-note style of web-page design doesn't do much to lend credibility to his message, but that's no reason to argue that every point he makes is false. In fact, most of the points that you make aren't actually at odds with anything Gibson is saying, although the way you line-up your straw men makes it look as though you are destroying every last shred of credibility Gibson might have.

He never pretends that he has a magic cure that will stop Windows boxes from being hacked. In fact, the only thing he is claiming is that the spoofing potential of XP raw sockets will make dealing with a packet attack more of a pain - a point which you claim to agree with... although you then go and attempt to argue against that by pointing out that 'Gibson's attempts at filtering were rarely more than briefly effective' - another claim which seems to be only slightly related to what actually happened.

You've littered your argument with claims like 'he shows contempt for Windows users', which, as far as I can tell, you have made up just to try and hide the fact that there is no substance to anything in your article. Ad hominems are always a good form of attack when you've got no other legs to stand on.

As far as I can tell, Gibson's attempts at filtering landed him with the IP addresses of all the machines 0wned by Wicked, gave him a chance to reverse-engineer the zombie program and talk to its author, AND let him block the attack. In a slightly better world, he might have been able to let the owners of the hacked machines know how to tighten their own security, and the FBI could have easily tracked down the culprit.

None of this would have been remotely feasible with the current Internet infrastructure if the machines had been able to fake their IP addresses.

Hope to see more factual reporting in the future... Keep up the good work.

Hi Thomas,
To be honest little of what you say seems reasonably thought through.

"As I pointed out in the previous article, malicious kiddies can already take over Windows machines with Trojans like SubSeven and use them for heavy packeting without the owner's knowledge."

But, as Steve points out, in a manner it's possible to filter

"but filtering isn't the answer to a severe packet attack"

It can work, as Steve has proven. Therefore it effectively makes the barrier to entry for a DDoS attack higher.

"The real solutions to packeting are capital intensive, like load balancing and content distribution"

a) load balancing won't help against a DDoS AFAIK, since you can simply attack the machine doing the distributing (hence no requests get passed on)

b) content distribution suffers similar weakness: the DDoS attack only has to hit the entry points

"Let's say just for fun that there's a consistent number of infected Windows machines x on the Net."

Well let's not say that since it's a pretty silly thing to say? People *are* still buying computers. More people are joining the net every day. Broadband is slowly taking off but this will accelerate as the technology matures. All this makes the potential of x a rapidly increasing number.

"When those insecure and maliciously potent Windows XP machines are mated to high-bandwidth Internet connections, we are going to experience an escalation of Internet terrorism the likes of which has never been seen before."

And where have you heard warnings like this before? Perhaps time around the turning of the millennium? It was through bold warnings like this that large companies woke up and poured previously unthinkable amounts of money into ensuring y2k compliance. Otherwise they would simply have buried their heads in the sand and there *would* have been a y2k disaster. We can look back and think of those urging fixing the y2k problems as 'loopy' since nothing happened, or we can thank them for prompting a change in attitude and ensuring nothing did happen.

Personally I think Steve is doing a good job in warning us. I would like to see everyone running a decent firewall and software that scans the host machine for vulnerabilities, but that isn't going to happen. Disabling raw sockets in XP could be the next best thing. The kind of people that run XP are only going to be people that just want to run Word and Excel, and occasionally browse the web and check up on email. Why would they want the raw socket ability?

I do not think you have understood why Steve Gibson is worried about raw sockets in WinXP - it is not that "XP is going to increase the number of infected victims", as you stated in your recent article. You are correct that there is no reason to think WinXP will increase the number of 'victims' machines. But that is not the point.

In his description of the series of DDOS attacks on his internet connections, the first attack crippled his connections for 17 hours - mostly due to getting a hold of someone at his ISP so they could filter out the bad packets. These filters were not permanent, it sounds as if the ISP removed them after a day or so. Initial subsequent attacks were stopped when he was able to more quickly get a hold of Verio and set up filters again.

I believe they were able to filter out the bad packets based on the source addresses. Gibson's fear is that when a single 13-year old is able to launch DDOS attacks from 400+ untraceable machines, these attacks will be much harder to defend against - for anyone. Real solutions are not "intensive, like load balancing and content distribution" - that is just avoiding the problem by throwing money at it.

In future articles, I would suggest really reading and understanding someone's position, rather than bringing up a non-issue (as you have done here). Given Microsoft's history, your trusting that they have made WinXP 'secure' against user actions (that IS how the trojans get installed) really questions your grasp of the issue and history.
--Jeremy Silver

I read your article "Steve Gibson IS off his rocker" with interest. Your attempt to clarify one passage in your first article, "The boxes will eventually be found because their IPs are traceable, and admins will contact the owners and let them know they're infected -- but only long after the damage is done. Raw sockets in XP only marginally improve the situation for a malicious party." misses the point. No one misunderstood you, and it had nothing to do with the "transparency" of your phrasing. You "spelling it out" more clearly does nothing to acquit yourself of your mistake. In fact, not to get off the point too much, but your whole article seemed more an attempt to defend yourself than illuminate the issue, which summed up, is this:

Everyone understands the nature of Trojan Horses such as subseven, and we all understand that a primary component of the problem is infecting the clients in the first place, which, as you say, does not increase with the release of XP. What changes with the release of XP is, as you know, the ability to spoof the packets. You dismiss this out of hand, but really it is the central point. Steve WAS able to make the attacks stop (despite your intimations to the contrary), by filtering the sources of the offending packets. XP makes this impossible.

You may think this is not much of a problem, but you don't really know. With identifiable zombies, you can alert the owner and block the source. This removes the threat from you and may well remove the machine from cracker circulation. I don't think it's outrageous to suggest that without being able to do those things, a big problem now might explode.

I really enjoy the sarcasm and wit of the Register, probably to some degree because I agree with you most of the time. It's interesting, then, when I read the sarcasm and wit employed foolishly to defend one's ego.
--not signed

You couldn't actually put any real hard facts in this article could you? You merely repeated what you said and used insults to try and justify your point of view.

So moron, don't come running when some 13yr old "script kiddie" with the power of raw sockets decides to throw a combination of syn/ack attacks, ip spoofing, buffer overflow and ping of death DDOS attacks at your site.

If your article is journalism at its finest then no wonder no-one believes you or the politicians.
--Richard John Purves

"Let's say just for fun that there's a consistent number of infected Windows machines x on the Net. There's nothing in Gibson's reckoning which affects that number. There's nothing in Windows-XP that affects it, and nothing in raw sockets either. We still have x victims out there. "

Before WinXP: Machines running older versions of Windows are unable to spoof packets. Victims know the source machines are infected with "zombies", they report them, decreasing the number. If I flood my victim with non-spoofed packets from my high bandwidth link alone, with no "zombies", the attack could easily be filtered within seconds.

After WinXP: Machines running WinXP are able to spoof packets. Victims cannot find out their IP address, and cannot report them. If I flood my victim with spoofed packets from my high bandwidth link (AS STEVE POINTED OUT), there would be no need for "zombies" as I could flood my victim with spoofed packets from my connection, as they cannot be filtered.

It seems some people just can't grasp these basics. People like that write for TheRegister. People unlike that write for TheInquirer.
--Matt Brown

I just finished reading Gibson's text and yours, I don't understand yours. His was quite clear. This stuff isn't personal you know.

Bye bye
--not signed

I sincerely believe it is you, sir, who missed the point. Gibson is not claiming that raw sockets in XP will in and of itself multiply packeting-DoS on the Net. The genuine threat of raw sockets and the ability to spoof source IP, is that traditional firewalls (which apply rules based on IP address classes) will have hardly any way at all to deal with this effectively. Not to mention (per his examples) most ISPs are either brain-dead, or don't care about user-end security, or both.

The other side of the coin is that, while Unix sockets have had source-IP spoofing since the beginning of existence, Unix systems have traditionally been administered by more technical and security conscious users. The insidious point that Gibson is making, is that Windows XP is being marketed to every Joe, Sam, and dog out there. Microsoft preaches ease of use and dumb over dirty, so why should you expect these people to even be aware that their systems might be compromised in such a way, much less know what to do about it?

I'm waiting to see just what the next "Snow White" will do. Gibson may be an evangelist, but there are many chilling facts in what he brings to light.

I submit that you are off your own rocker. The problem is not that more boxes will be compromised. The problem is that the compromised boxes will be harder to track down. Oh, and yes... filters do help. They are not a panacea but they are a good addition to an effective defense strategy. Microsoft is not opening a new door to vandalism, but it is making it easier. As such, there is NO reason to include the new functionality.

I realize that journalism is more successful when it is exciting, shocking, etc... However, this has opened the way for ridicule... directed at you. You are losing readership. Me.

Oh, and I do know what I'm talking about. I designed and wrote network monitoring systems. Know the term Sniffer(tm)? Maybe you'll remember the name of the company that made that term popular.
--Brian Smith

Why do you hate Gibson so much? Is it because he is successful and completely self employed? Tis you who need to get out of the Beltway and relax. Windows does not need raw UNIX sockets. Or do you actually accept all the Redmond Mafia spin and vapor speak? July and Aug are almost upon us. Get the Hell out of D.C. and RELAX. Don't sit there anymore and let your brain bake in the humidity.
--not signed

Mr. Greene,
I probably disagree with Steve Gibson on the issue of raw sockets in XP, but you miss his point and you clearly know little about him.

First of all, I'm not sure I've ever seen him claim to be a security specialist, although he clearly is in my belief. I'd be glad if you can show me where he makes this claim.

In your second article, you still don't get it. He's not saying there will be more machines acting as Zombies. He's simply saying that existing Zombies will be far more difficult to deal with. It is a valid concern.

Now the diatribe (respectfully submitted):

Ever since the 1980s, I've considered Steve Gibson to be the single best 80x86 Assembly Language programmer I know of. His Spinrite program has returned hard drives to life for me. I know plenty of utilities. There is nothing to compare with Spinrite. There is nothing in its class. There is nothing that can do what it can do. Dead drives are alive thanks to him. How many stories would you like to hear? For more than 13 years I've considered Spinrite to be the single best program ever written.

I don't know a lot about Steve Gibson, but I know that he loves computers and technology and I believe he has a love/hate relationship with Windows/DOS/Microsoft/Intel as many of us do. He programs for this platform and this is the platform he considers important. I admit that he sometimes seems naive about other platforms and especially Unix, but when this guy needs to learn something, he digs into authoritative sources (RFPs and direct information from manufacturers) and studies like few people in the world. Then he produces something which may look a little funny, might sound a little funny, and maybe is too wordy, but performs amazingly useful functions which no one else is providing. And I'm never afraid his stuff is going to mess up my system.

Steve Gibson wrote other disk utilities as well as making improvements to Spinrite which gave me some control over Zip and Jaz disk recovery and disaster protection which Iomega has never been able to do. Iomega would do well to license GRC technology, to make it available to their customers who don't have the time or knowledge to find his site on their own. The GRC Iomega utilities are free for those who can find the site and take the time to wade through his chatty information. At least he tries to tell us what he's doing, unlike almost everything else I have to use or program. Yes, you can see if your Zip disks are on the verge of disaster and you can find out for free. For real, precisely, exactly. Not something you can do with the underpowered and misleading utilities Iomega provides.

Steve Gibson's Shields-Up site is invaluable to me when I'm setting up machines, which I have to do much more often than I like. Any time (and I mean every time) that I set up a machine, as soon as it's on the Internet I go to his site to double check the security of the work I've done. I know of no better site. I recommend his site to anyone who asks me for help setting machines up. If you have a machine on the internet and you haven't checked this site you are not done. (with the possible exception of those who are inside a well built and maintained Intranet)

Furthermore, I learned about the search engine and ZoneAlarm from Steve Gibson first. I'll spare you long descriptions of how much these are worth to me. I learned about these because I'm on his email list. He sends the fewest emails of any list I'm on and the sum total of the information is higher than any other. He sends so few emails I'm sometimes afraid that I'm no longer on the list, but I am.

Steve Gibson never berates people who use technology, as far as I have seen. He berates companies for not making things easier, more reliable, and more secure for the typical users of their technologies. This is a very different thing.

You know what? I oughta send this guy some more money. He doesn't charge me for Spinrite often enough. Let me put it this way: if Steve Gibson sent me an email asking for $100 to support his efforts, I'd send it. His efforts have been worth thousands of dollars to me.
Thank you for your time,
--Jim Turtora

Geeze Thomas,
You lay pretty hard into Mr. Gibson with little technical information and no solutions. It's like answering his problem with a doldrums "So." Why do you try so hard to insult the man, so little to understand him, and not at all to provide a solution to the problem?

The problem isn't that people could be infected, or that Windows XP has a greater potential for infection, it is that Windows is the more popular OS and this is a soup in a can solution for s'kiddies to unleash hell on the internet. If s'kiddies had to upload a new Winsock, write the packet code, and then distribute it to existing clients, well, few to none script kiddies are going to go through the trouble to do that. Nor does the average possess the intelligence. But with the same approach they take today, but applied to Windows XP, they can infect a warez crack or Anna Kournikova VBS email script and deliver their zombies with little resistance. Now the target of this attack can't defend the way Mr. Gibson was able to by successfully filtering the ported traffic at the router level. The target, pray it isn't one of our businesses, is screwed.

Windows XP has mass potential to be installed on the average Joe's computer. And the average Joe would have no clue they were infected. I work in the MIS department at a school district in California. And I can tell you that 80% of the computer users have no clue how to install or remove software. Furthermore, 95% of them wouldn't know how to troubleshoot why their cable modems would suddenly be lit solid with outbound traffic. Or even know that was a problem. They pass along countless hoaxed virus warnings in email. And some even follow the steps to format their hard drive because the email from "Bill Gates" said so.

The problem is not the number of infected victims as you iterate. It is the undeniable inability to block or filter out the traffic. What's your answer?

Probably along with the common answers, that there isn't a problem. Right? Or, what was it? Oh, I know... You said, "The real solutions to packeting are capital intensive, like load balancing and content distribution." Bollocks.
good day,

In your article "Steve Gibson really is off his rocker" l ... you said Steve Gibson is literally a roaming lunatic. I beg to differ.

Having fixed and "uncompromised" a number of machines, it is obvious that there are a lot of infected machines today. It is also painfully obvious that most users cannot protect themselves or even detect the presence of subsevens without the use of specific software. Also, after experiencing it personally, most ISPs don't give a f**k what users are doing on either side of the fence (I was trying to trace someone actually sending some sort of zombie-like software through e-mail). Unless you're some sort of authority, an ISP will either ignore you or be vaguely polite, to the tune of some legal mumbo jumbo about being preoccupied about your health and not being able to pick up the phone and call the police because all the lines are busy (...). And when that's not the problem, we have M$, who's proven they prefer to patch things up afterwards than plan security ahead in the first place.

All of this is reason for great concern.

Now what Steve Gibson is REALLY saying is that there are loads of issues at hand and NO ONE CARES. Everyone sticks their heads in the sand hoping everything will turn out all right all by itself. Of course it won't. Also there is no public debate about this. There is only the media hyping attacks and attempts to compromise security.

I think Steve's strategy is to make the most noise possible about these DOS attacks to bring about some practical changes in the way operating systems are built. It is also to bring to the forefront the obvious questions about ethical behaviour on the internet and the obvious temptation to lock everything down to ensure absolute security. We are long overdue for a public debate on that one.

Sorry if the whole thing seems rather weak, I admit I'm sleeping between the paragraphs. And it's getting worse ...
--Obi Wan Celeri

Hmm... I'm not sure he is, y'know. His point was that your average internet user (i.e. non-technical homebody) knows as much about computer security as I do about microsurgery, which is to say that they've heard about it, they know lots of clever people do lots of clever things in that department, but they haven't a clue what they are.

Now add into this that we're talking Microsoft here, a company whose built-in security can be described using two words: one of which is chocolate, and the other of which is fireguard.

So, we have a lot of insecure PCs with the ability to get infected. So far, so good. This means we're not really going to be able to stop traditional trojans like SubSeven, etc. But at least we can trace boxes because we know the source IP.

But raw sockets means a program can construct its own packet, and spoof its source IP, changing them every second, or even every packet if it wants. This presents a nightmare scenario - buried under that mountain of IP packets is the real IP address, but we need to pick apart the route it's come from to find it. The thing is that the most obvious tool to do this - traceroute - will give us the route to a foreign host. That means we can't really get hold of the actual source IP, because unlike a mail message, there's nothing in the TCP/IP specification that will add the routing to the packet as it goes along.

So I'm afraid I have to agree with Mr G on this one. As for his figure of 90% of Windows users being idiots... don't you think he might have underestimated the percentage on that one?

Steve Gibson really is off his rocker
I hope that you will be as forthcoming when what he predicts becomes reality.
--not signed

Hi, Just like to add my 2cents.

Scenario: If you have 2 hackers.

1st has 5 Zombie Machines Running Win98, doing DOS attacks. Can block these 5 because you know where they are coming from.

2nd has 5 Zombie Machines Running WinXP, as above, except that the IPs are spoofed for every packet sent, and the spoofed IP addresses are random.

Please tell me which is easier to stop.
--not signed
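The two scenarios in the letter above can be measured from the defender's side. The following is an added example, not part of any reader's letter: it learns a source-address blocklist from one observation window and applies it to the next, over constructed packet records only. The addresses (documentation ranges), the threshold and all function names are assumptions made for the illustration.

```python
import random
from collections import Counter
from ipaddress import IPv4Address

# All addresses are constructed samples taken from documentation ranges.
ZOMBIES = [f"198.51.100.{i}" for i in range(1, 6)]   # 5 compromised hosts
CLIENTS = [f"203.0.113.{i}" for i in range(1, 51)]   # 50 legitimate users


def flood_sources(packets, spoofed, rng):
    """Source address the victim's router sees on each flood packet."""
    if spoofed:
        # Per-packet random source: the header says nothing about the sender.
        return [str(IPv4Address(rng.getrandbits(32))) for _ in range(packets)]
    # No spoofing: every packet carries its zombie's real address.
    return [ZOMBIES[i % len(ZOMBIES)] for i in range(packets)]


def legit_sources(packets, rng):
    """Source addresses of ordinary client traffic in the same window."""
    return [rng.choice(CLIENTS) for _ in range(packets)]


def learn_blocklist(window, threshold):
    """Block every source seen at least `threshold` times in the window."""
    counts = Counter(window)
    return {src for src, n in counts.items() if n >= threshold}


def run_scenario(spoofed, seed=1, flood=5000, legit=500, threshold=100):
    """Observe one window, build the filter, then apply it to the next."""
    rng = random.Random(seed)
    observed = flood_sources(flood, spoofed, rng) + legit_sources(legit, rng)
    blocklist = learn_blocklist(observed, threshold)

    next_flood = flood_sources(flood, spoofed, rng)
    next_legit = legit_sources(legit, rng)
    return {
        "blocklist_size": len(blocklist),
        "flood_dropped": sum(s in blocklist for s in next_flood) / flood,
        "legit_dropped": sum(s in blocklist for s in next_legit) / legit,
    }


if __name__ == "__main__":
    for label, spoofed in (("real source addresses", False),
                           ("random spoofed sources", True)):
        print(f"{label}: {run_scenario(spoofed)}")
```

With real source addresses the five senders cross the threshold and the filter drops the whole flood; with a fresh random source on every packet no address repeats often enough to be learned, so a source-keyed filter drops nothing.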

Dear Thomas Greene,

I am getting very tired with these articles about DROP IT ALREADY. Gibson is simply trying to point out that when XP machines become infected (which with the bone-headed computer users, will happen) that these attacks will be un-filterable....

When a Windows 9x machine sends packets, lack of raw-sockets means that that computer's "fingerprint" (IP) is put on each packet. But with Raw-Sockets on WinXP, that "fingerprint" will be a phony.

I.E. You are wrong, you are too much of a baby to admit it, so you sit there using your writing "power" (as you wish it would be) to gain attention to yourself.

Please stop this at once.
Thank you.
--not signed

Dear Mr. Greene:
Essentially what you're saying, if I read your article correctly, is that the change in the Internet's infrastructure brought about by the mass-market of Windows XP will not be a problem for corporations willing to spend the necessary amount of money on defeating the more serious styles of attack.
So where does this leave JoeSmallBusiness.Com?
Large corporations have to spend more cash, small corporations get it in the shorts, all because Bill Gates was too cheap to fix the problem and you were too arrogant to admit it was one.

Thomas Greene, you really are off your rocker.
--Jacob Day

Thomas, I have followed your flame war against Steve Gibson with quite some interest. My brother-in-law is a networking specialist, and I have been involved with PC technology at all levels for 19 years (my first machine was a 1MHz Ohio Scientific C1P!). We both have broadband, and we have both been hit by smaller attacks in the past.

You have missed the central point - for anyone BUT corporate sites, filtering is and will remain the only effective method of dealing with DDOS attacks. Yes, the ISP can be slow at setting them up - but not always. Recently, my brother-in-law ran a test for a smaller client of his, and orchestrated a self-inflicted DDOS attack on his client's test site. Their ISP, BBN (or Genuity as they are now known) had a filter in place within 20 minutes, WITHOUT A PHONE CALL TO THEM, and the attack was rendered ineffective. Just because Gibson's ISP hadn't yet LEARNED how to monitor and effectively set up filters previously does not mean they will forget how to now. The NEXT DDOS on Gibson's ISP is likely to be met with a much faster response - because they can clone Steve's solution - which was VERY effective once it was in place.
But WinXP will render all of this filtering knowledge obsolete, and probably difficult to reconstruct - with the spoofing available in XP/UNIX/Linux, no one knows HOW to examine packets for authenticity. So we have therefore lost the only tool available for shielding personal/small business IPs.

As for MS's claim about defending against the initial compromise - well, that just doesn't hold water. It's a simple problem of all the eggs in one, well-known, basket. A NetBUS script could EASILY alter my firewall settings by building new rules (it's just a file!), and grant itself unlimited and undetected access to my broadband - provided they know my firewall software make, or have a large library of attacks. Right now, script kiddies don't know what security software I have - they are just hoping I don't have any. Unfortunately, with the levels of security in XP, few people will buy off-the-shelf firewall and anti-virus software. THAT is the problem - anyone who can compromise XP's security by writing a NetBUS script that alters local firewall config files on an infected PC can write that script once, and know that it will work on nearly ALL XP boxes.

The only way for this to be stopped is for XP users to not run "unknown" executables while logged in with Admin privileges, and make sure that all firewall settings require admin to modify the settings and files. However, given that there is so much that you need admin to do in Win2000 at present, I suspect most XP users will continue to run as members of the admin group, and the script kiddies will have their way...
One other point - in all of your flaming of Steve, you have never mentioned ONE ADVANTAGE of having low-level IP services available.

In effect, you did a cost/benefit analysis without mentioning any benefits - only by personal flaming. Highly unprofessional, IMHO, and makes me wonder if you have a commercial interest in MS, or are just getting paid by the word (hack, and not the computer type).
--Robert Hill

Mr. Greene,
I think that you are a bit extreme in claiming that Steve Gibson is off his rocker, and your article inaccurately portrays what is stated on the site. I read the accounts of the attacks, his claims about XP making the specific attack that he fought worse, and the Microsoft response to his so-called "loopy" claim.

Microsoft has, by far, the most machines on the 'Net--so it is probably inaccurate for you or Microsoft to claim that spoofing does not have the ability to dramatically increase with XP. Yes, you can already take advantage of raw sockets on Sun, Dec, etc. machines, but there isn't a significant malefactor community focusing on those platforms.

Mr. Gibson is saying that the spoofing can dramatically increase with XP--rendering the filtering defense useless. Sure there are other issues, and greater issues, but don't get nasty because of a font choice. I believe that the guy is actually trying to provide a service to the community. I think that Microsoft tries too, but their focus on security is secondary--and there is so *much* code that it is *impossible* to secure. All you have done is taken a shot at someone who seems to be a decent fellow. Maybe he is a bit of a geek, but he seems to be intelligent, hard-working, and honest. Why take shots?
Thank you,
--Fritz Ames

Interesting columns, mate, but you didn't seem to really impale his true complaint. ... Packet spoofing makes an attack harder to filter out (you did note this), but the inability of Sub7 victims to be spoofed might be a mild deterrent to script kiddies.

If the zombies can all be spoofed, and accountability is difficult or impossible to extract from their ISPs, then more and more mischief makers may go on a rampage.

I don't agree with Gibson that this WILL happen, but the possibility of this is rather sobering.

This is of concern because 24/7 "always on" consumer broadband is really catching on here in the states. And, my firewall logs stray pings day and night from various US cable internet machines that are hosting Sub7 on its default IP, 27374. It's freaky -- my "neighbors" out there are infected and waiting for commands to launch packet attacks. Poor sods.
--not signed

You will have to try to explain yourself again. Either I don't understand you or... you don't understand that easy spoofing with Windows machines can be the next major problem of the Internet.

When spoofed attacks already exist, usually some UNIX machine is used for a "Zombie". Their number is perhaps limited and oftentimes a backup link is all that is needed to survive an attack.

The fairly recent popularity of Linux makes it clear that this era was coming to an end. Spoofed attacks are now much more effective and attacks from what appear to be a few hundred machines do occur. However, Windows XP will exacerbate the problem greatly.

When you get DDoSed by Windows machines, this is not a few tens of machines coming at you. This is hundreds and thousands of machines. Guess what, they can hammer your link, the backup link and the uplink routers... You cannot do much unless you have an OC-12 and your backup happens to be an OC-3 but end up needing only a fractional T-1.

Now, the funny thing is that if every packet has a spoofed address, tracing the origin of a packet becomes...say...difficult. Actually, it might well be that only a "Tier 1" ISP will be able to do some work to find the offending machines. Potentially, one by one... And the game is not over since most of the offending machines will be on the network of Tier 2 or 3 ISPs (the political game will start).

Windows XP will be installed by tens of thousands on the Internet (perhaps millions). Several thousand will have insecure configurations and many will never get a single security patch for their lifetime, which can exceed 5 years in some cases. Of course, count on Microsoft, like any other software developer, to have introduced new security flaws in their product.
In a few years from now, you can even think that it will be possible to DDOS the "Internet" by attacking some strategic backbone equipment and then, the Internet can take days or weeks to fully recover.

So, it looks like Microsoft can help a great deal. Gibson is right.
--Jean-Yves Landry

While your mother might feel better after reading your article, anyone that knows anything about security and networking knows that XP being the OS installed on most of the machines in the future will be a bad thing.

Let me point out some serious flaws in your article:

The raw sockets which have Gibson so steamed enable a machine to send or capture data independent of the operating system -- quite handy if you're a software developer or an advanced hobbyist. And while it's true that this also enhances the packet-flooding capabilities of a Windows machine by making it easy to spoof packets, it's also true that this function is already included in most other operating systems, and can be added to an existing Win-9x, 'ME, or '2K machine quite easily with a library called WinPcap.

Most other OS'es do NOT, I repeat NOT have this ability. My guess is that Win9x machines are on 95% of the computers in the world. The other 5% are a split of servers running NT/2000, and the many flavors of *nix. Yes it can be added in. Should we not lock our car doors, because someone can just break the window and get in? Of course not. We should, and can lock our doors. Just as we should hope that Microsoft will not make it so that when your mother brings home her Best Buy Compaq Presario, and she gets infected with a Trojan/zombie it's ready to wreak havoc out of the box.

If a hobbyist wants added ability to support the full TCP/IP implementation, they can then patch it themselves.

All right, we'll allow that there'll be a few s'kiddies who might prefer to use their Win-XP boxes for such purposes. But they can already do so simply by installing Linux and doing a bit of reading.

These "kiddies" can use any OS they want to control their bots. It's your mother's computer that's been compromised which will be used to attack sites in the future, and no filtering in the world will be able to stop it. No way to trace the IP of the source machine. Nada, zip, nil. Wait till these scripts these kiddies use are programmed to use all 3 classes of networks, spanning the entire range of IPs. Wait till these script kiddies use your mother's email program and a mail server which allows relaying, or maybe just flooding "" with Spam mail. And knowing how pathetic Microslop products are about security in the first place, the true hackers will have found some vulnerability in XP that allows them to hack their way in, opening the door for the script kiddies. It will only take Microslop 3 months to release a patch, and are they going to mail a CD to your mother, who has no clue about security? Oh yes the auto-update will patch it.

Doubtfully, the true hackers will have that disabled first thing. Time for your mom to break out her Compaq Quick Restore CD.

Gibson, on the other hand, tells it like a loner in the desert, living, we would imagine, on locusts and wild honey for a bit too long a time.

No, Steve tells it like it is. We are only going to see more and more attacks. I'm just an average citizen, working in the IT industry, but I'll bet paycheck for paycheck a year from now it will be worse. DoS attacks will be more common because any script kiddie can hide behind a spoofed IP, without installing Linux. (So they can still play Diablo while DoS'ing someone.) And control hundreds of zombies hidden on computers, much like your and my mothers', and their friends'.

He's written thousands of words on his Web site, denouncing Microsoft for putting something like real power into a consumer operating system. He's written memos to the company; he's warned all his site's visitors; but he's still not satisfied. The "XP Christmas of Death" is coming, he warns, immediately after which all the little s'kiddies will gleefully baptize us with fire.

Consumers have no need to spoof packets do they? Name one application which needs spoofed packets? Name one advantage of having a fully implemented TCP/IP stack. Name one thing that consumers will be able to do with it, that they can't do now? Does your mother have a need to send spoofed packets? SYN, or ACK packets? I think not. And for real power like a gun, don't you think people should be trained how to use it, much like the military does? Not like your mother is going to learn to even be able to notice her machine has been zombied. Microslop can give users a decent OS for once (okay W2K is their best effort yet) and it can be secure, stable, and so on without a full RFC aka Unix compliant implementation of a TCP/IP stack.

One more thing: at the start of your article, you quoted the Bible; you better keep it handy. Maybe you can throw it at your cable modem and unplug it. And do us people in the IT industry a favor, and go write some home and garden article. You don't know jack about network security, and handing a loaded gun to someone that doesn't even know it's a gun. (WinXP)
--Shawn McNeece

Mr. Greene:
I believe you need to do more research before writing such a malignant article regarding Mr Gibson. Mr. Gibson knows more than you can imagine regarding security. His research concerning Windows XP has been thorough and his conclusions accurate. I used to be a "white-hat hacker," though those experiences were for the challenge and to avenge various attacks against my friends. Since then, however, I have become a network specialist working not only with businesses in Southern California, but for a large government agency as well. I, too, have explored the new capabilities in Windows XP, including the ease with which the full raw sockets can be used to take advantage of others. What Gibson states is unfortunately quite true, whether you wish to believe it or not. I am unsure as to what sort of research you did before writing your articles in The Register, but from what I can tell, you are simply attacking the author, lacking any real evidence or support for your arguments.

As you have to admit in your own article, Gibson seems to be 'a security expert' and it can be assumed you are not, so maybe he is not 'talking absolute bollocks'. When a new item is to be developed the experts are the ones that are consulted, and Gibson's is one of those experts' opinions. Only that, but a grounded opinion.

It is clear that avoiding spoofing will NOT stop DoS attacks but at least it will help to point out the origin of those and, at large, will help to reduce them (by letting the owners of the Zombies be educated or by letting the attacker's ISP be warned). But with spoofed packets it will be absolutely impossible to do such a thing, so we will be PROMOTING DoS attacks by allowing the performers never to be pointed out.

You claim that 'Gibson is ranting as if raw sockets are going to multiply the number of infected machines connected to the Internet. But that simply isn't true; the same primary obstacle to getting an attack started remains, spoofing or none, as Microsoft pointed out in their well-reasoned reply to Gibson: an attacker first has to compromise a number of client machines with which to packet the target system' and that 'There's nothing in Windows-XP that affects it, and nothing in raw sockets either. We still have x victims out there'.

But I think that is NOT the point. The point is that hackers will quickly UPDATE all the already compromised machines with the new spoofing version of sub-seven or whatever you like with nearly no effort. From that point on it will be impossible to detect and point out those machines. With a well established 'Zombies base' they can then redirect all their efforts to compromise and gain control of new machines without worrying about anyone discovering their already working Zombies. So we can expect things will be getting worse in a steep curve. And with very little effort from hackers. I believe that not avoiding that is in fact promoting it.

MS can't claim that as they have not done any harm they are not responsible. If they build up the weapon that allows others to cause harm I think they are, at least, ethically responsible, because they know and are advertised of the future damages.

The claims from Microsoft are scary; if, by mouth of a MS techie, 'anyone could get a "certificate" with which to sign a malicious driver', how is XP supposed to protect us against 'unsigned' (read untrusted) drivers and other threats? If the security model is deprecated by those that are promoting it we better turn the computer off.

Anyway, writing a driver is by far more difficult than writing an exe file so we can expect a lot less 'certificated spoofing drivers' than 'spoofing exes'. So I adhere to Gibson's claim that MS is wrong and that an increase of 'trash traffic' is to be expected in the near future. And remember, we all pay for that litter traffic so we will all pay for this mistake.

Being paranoid is the only countermeasure we have and it has shown itself insufficient. So think about not being security paranoid. Maybe Windows users are not idiots but they surely are not too concerned about security, as far as can be seen.

If you fire a gun you can at least say where the bullet is coming from. But when bullets are able to turn corners there will be no way to stop the shooting. And at the end everybody will get injured.

And finally, all this discussion will not deserve a single minute should raw sockets be a vital element for XP to work. But MS has demonstrated with NT that this is not true.
--Miguel Erill.

I think it's only a blind who can not see what Gibson is talking about...It goes beyond your knowledge and understanding of security.

I guess I can't see the point of your article. Other than slandering Steve Gibson's name, what is it that you are trying to say? That he is not entitled to his own opinion?

You admit in your column that spoofing makes things more difficult. Sure it does. And it also makes it harder to trace back and find the person(s) responsible for DDoS attacks. All that aside, I still don't see the point of your column, other than to cast aspersions at someone whose opinion is different than your own.

I for one have had to deal with innumerable holes in Windows, and the sheer popularity of the platform makes it a popular target. I think what's really of concern here is that although Microsoft issues patches for their security problems, sometimes they must be prodded into doing so. The average user should not be required to spend excess amounts of time learning how to prevent problems when the problems can be more easily prevented at a software development level. It's easy to say they need to be responsible, but it is what it is, and the vast majority of Windows users at home do not have a fundamental understanding of what their operating system is really doing. It's the reason that technical support exists.

But once again can you please explain what the point of your rant was, other than to say you're correct without any substantial evidence to prove your point? I found it rather crude mud-slinging instead of responsible journalism.
--not signed

Hello Mr. Greene,
I am not trying to be a typical respondent that is flaming you because of your opinions of Mr. Gibson's take on raw sockets in XP. But it is attitudes such as yours that will leave the Internet even more vulnerable to attack by script kiddies. You seem to be telling the clueless masses that it is OK to run an insecure and wide open machine on the Internet. Here in America, the people that do this can be held liable for any attacks launched from their machines regardless of whether they were cognizant of it or not.

I have to agree with Mr. Gibson. Why make it any easier for these bozos to make zombies of security-incompetent people's machines? It just doesn't make sense. And the argument that these kids could just install Linux and read a book is nonsense. As someone who is making a career of UNIX/Linux, I can tell you that a 13 year old that has mastered Windows and launching script attacks from it/to it, will have a lot tougher time trying to figure out the same things in UNIX/Linux. There is a lot more to overcome when attempting to compromise a UNIX/Linux box as opposed to a Windows machine, not to mention the severe learning curve when coming from a Windows environment.

And the amount of people adopting DSL and cable access is just going to aid in turning the Internet into a big playground for script kiddies and wanna-be hackers.

Thanks for taking the time to read this.
--Tom Wilson

