MS security chief talks raw sockets with the Reg

And agrees with us, not surprisingly

Blackhat: In the course of covering the Blackhat and Defcon conferences here in sunny Vegas, I had occasion to sit down with MS Security Program Manager Scott Culp, who, I'd heard, has become a fan of our Steve Gibson raw sockets coverage. It's not every day that The Reg and Microsoft can discuss a topic on which we agree in large part, so no doubt you'll enjoy the following as a light refreshment:


[Gibson's] argument has been that the inclusion of raw sockets is both necessary and sufficient for distributed denial of service attacks; and there are actually two parts to the answer. The first one is, 'are DDoS attacks going to happen?' Yes. They will happen; and they will happen on Windows XP. That's not an argument; you're going to see them. What we're saying is, you're going to se them regardless -- raw sockets are utterly irrelevant to the question of DDoS attacks on Windows XP, because if someone can compromise a machine....they'll have every ability they want. Control of the machine is the hurdle; the availability of raw sockets is not the hurdle. Once you've got control of the machine, if you don't have the raw [socket functionality] there you can add it.

Greene: And you can packet targets desperately into submission without spoofing. But his point of course is that with the spoofing potential now, it will become even worse and more uncontrollable. You've got a compromised machine, and once you've compromised it the raw socket functionality becomes an enhancement.

Culp:It may be a convenience, but it can't be too much of a convenience, because Gibson himself was attacked by people who had to install WinPcap or something like that on the machines.

But the second part is, OK, so if it's not going to cause DDoS attacks, could we remove it without any loss of functionality? And guess what: raw sockets are used for a whole bunch of security functionality in Windows XP. Internet connection firewall is one. IPsec [IP security protocol] is another one. It's used by network diagnostic tools. It's also used by games.

Here's where the argument gets funny. Because the counter-argument is, 'so are you saying if you didn't provide raw sockets that you couldn't do Internet connection firewall?' No, I didn't say that. What I said was, the Internet connection firewall is using the raw sockets that are built in to Windows XP. And the next question is, 'why not just get rid of raw sockets and do the network functions [without low-level IP services]?' And the answer is, 'yeah, we could do that.' But that brings us right back to the same argument again. It's only software. Now we're going to have socket software in all of these different features so we don't have a native OS function that provides the socket features. All the bad guys can do the same thing. We're right back to the same problem.

If we can move it out of the OS, that's sort of your proof that anyone else could have done it as well.

Greene: My other question is -- according to The Register's constant suspicion of all companies with more than fifty people [laughter] -- that there are other things one's imagination could come up with using raw sockets in a consumer OS; it could smack of low-level user authentication, low-level software identification, things like that which could go hand-in-hand with the .NET initiative in a way that a lot of people might find threatening.

Culp: [laughs] No way.... It's just a networking function. All it is is a full implementation of the sockets protocol. And we've been lambasted, rightly, over the years about following the standards and implementing them fully, and if one vendor isn't fully implementing the standards then that [breaks] interoperability.... There's nothing under the covers there as far as metering software use or anything like that.

Greene: But stuff could be metered or turned off, arbitrarily. You know what I mean -- there could be a kind of extortion: 'we want more subscription money; we want to raise the price of something; we want you to upgrade, so we're disabling your software.' This kind of low-level network functionality with the .NET scheme could be perceived as [potentially malicious].

Culp: So the Microsoft Department of Evil has now cooked up some scheme to foist on the public. [laughter] If we required the functionality provided by the raw sockets implementation, and if we didn't provide it in the OS, then we'd just put it into the Evil Software somewhere else. If that were the intent, again, raw sockets isn't the enabling technology. It has nothing to do with raw sockets. Anything you wanted to do through software that required those [evil] networking functions, if the OS didn't provide it immediately, you could provide it through device drivers.

It's a service that it makes sense to provide at the OS level. From a rationality point of view, what's the sense of providing a ninety-percent implementation of commonly-used networking functions? The only thing you do is force people to write the last ten percent themselves or go out and buy a piece of third-party software that implements the last ten percent.

Greene: Because Microsoft is a very large corporation, and it does own a terribly large share of a particular market, people sometimes feel threatened. Sometimes it's envy; sometimes it's just being cynical and looking at past experiences with other enormous corporations with unusually large shares of certain markets and how they've behaved, but you may find that people are afraid, not that Gibson is right, but that this networking protocol dovetails into .NET, into software hosting, and into product activation where some information can be gathered and used.

We've said what isn't up -- with Gibson -- so let me ask what's really up with raw sockets? Why are you behind this?

Culp: And the real reason is, there's just no sense providing a ninety-percent implementation of the networking functions. No more than it makes sense to provide a ninety-percent implementation of TCP/IP. I mean, we could do that. You've got a TCP stack that gives you ninety percent of what you need, and you've got to come up with the last ten percent or buy a third party product, and people would say, 'what, are you nuts? Give me the last ten percent for crying out loud.'

Greene: I think there will be good third-party applications now that developers can write with the full socket implementation in mind. I look forward to seeing some of them. I also look forward to seeing what the malicious scripters will come up with.

Culp: Well they're another third party that's going to use it [laughter]. But the way to deny that section of the development community is not to pull ten percent of the networking out; it's 'don't let them run bad code on your machine in the first place.'

And there you have it, for now. In the next day or two I'll be siting down with a few of my favorite whitehat hackers and network cognoscenti here to kick around a few ideas about how XP raw sockets

might be

deployed to the consumer's disadvantage, both by Microsoft and other corporate software vendors, and as well by the blackhat community, so stay tuned. ®

Related Stories

Steve Gibson really is off his rocker
The Gibson Letters

Other stories you might like

  • Lonestar plans to put datacenters in the Moon's lava tubes
    How? Founder tells The Register 'Robots… lots of robots'

    Imagine a future where racks of computer servers hum quietly in darkness below the surface of the Moon.

    Here is where some of the most important data is stored, to be left untouched for as long as can be. The idea sounds like something from science-fiction, but one startup that recently emerged from stealth is trying to turn it into a reality. Lonestar Data Holdings has a unique mission unlike any other cloud provider: to build datacenters on the Moon backing up the world's data.

    "It's inconceivable to me that we are keeping our most precious assets, our knowledge and our data, on Earth, where we're setting off bombs and burning things," Christopher Stott, founder and CEO of Lonestar, told The Register. "We need to put our assets in place off our planet, where we can keep it safe."

    Continue reading
  • Conti: Russian-backed rulers of Costa Rican hacktocracy?
    Also, Chinese IT admin jailed for deleting database, and the NSA promises no more backdoors

    In brief The notorious Russian-aligned Conti ransomware gang has upped the ante in its attack against Costa Rica, threatening to overthrow the government if it doesn't pay a $20 million ransom. 

    Costa Rican president Rodrigo Chaves said that the country is effectively at war with the gang, who in April infiltrated the government's computer systems, gaining a foothold in 27 agencies at various government levels. The US State Department has offered a $15 million reward leading to the capture of Conti's leaders, who it said have made more than $150 million from 1,000+ victims.

    Conti claimed this week that it has insiders in the Costa Rican government, the AP reported, warning that "We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power, you have introduced an emergency." 

    Continue reading
  • China-linked Twisted Panda caught spying on Russian defense R&D
    Because Beijing isn't above covert ops to accomplish its five-year goals

    Chinese cyberspies targeted two Russian defense institutes and possibly another research facility in Belarus, according to Check Point Research.

    The new campaign, dubbed Twisted Panda, is part of a larger, state-sponsored espionage operation that has been ongoing for several months, if not nearly a year, according to the security shop.

    In a technical analysis, the researchers detail the various malicious stages and payloads of the campaign that used sanctions-related phishing emails to attack Russian entities, which are part of the state-owned defense conglomerate Rostec Corporation.

    Continue reading

Biting the hand that feeds IT © 1998–2022