Domain: grc.com
Stories and comments across the archive that link to grc.com.
Comments · 905
-
Gibson is a Spin Doctor
Gibson is the king of hype. He jumps on whatever the current security "hot button" currently is, applies his own peculiar bit of spin, and then pats himself on the back for being so clever.
Remember, this is the guy who, despite claiming to be a security expert, "invented" his own broken implementation of SYN Cookies (G.E.N.E.S.Y.S.) and then claimed he had no prior knowledge of the invention of SYN Cookies several years earlier by DJB et al. See http://grc.com/r&d/nomoredos.htm -
Re:KnockKnock
The preliminary tester link is posted in the news section of the
discussions at http://www.grc.com/groups/news
http://www.grc.com/miscfiles/MetaFix.exe -
Courtesy MJOHNSTON
"It's good to see that this vulnerability is getting some exposure, but this article's synopsis is misleading. It is well known that the WMF vulnerability stems from an intentional feature in the design of WMF that allows code to be embedded into WMF images; this code is executed when the image is viewed. The original purpose of this was mainly to handle the cancellation of print jobs during spooling. This is a feature that has extreme security implications in the context of the Internet, but is from another time (Windows 95), when MS had very little interest in networking beyond trusted internal corporate environments. Over the years this code has lived on in Windows without being reviewed in the current context of Internet connectivity. Never ascribe to malice that which can be explained by incompetence. See http://en.wikipedia.org/wiki/2005_WMF_vulnerability for a lot more detail.
I don't mean to make an ad hominem attack (this podcast is actually fairly accurate), but Steve isn't exactly known for being a respected researcher in the security industry - he's a bit of a poser. He frequently hypes issues to crazy levels and tries to make himself look like a hero/expert. In fact, he usually offers little insight and often tries to pass off regurgitation (often inaccurate) as original research. Just listen to him in this recording talking about "rolling up his sleeves" and "wrote all my own code", etc - trying to sound like he substantially contributed to the security industry. Look up his stuff on nano-probes (http://grc.com/np/np.htm) for some really ridiculous stuff. I am a security professional and can tell you that it's mostly BS and/or hyped/obfuscated wording for technologies and techniques that have been in common usage for years and years before he wrote this crap.
Much better resources and much more insightful experts are accessible. Try http://www.schneier.com/blog/ and http://isc.sans.org/diary.php for FAR more interesting information. No one I know or work with pays any attention to Steve Gibson, except as a source of humor. :)" -
Re:USB on a display
If you were using Windows, I'd suggest Wizmo, which can supposedly do what you want (and various other things) - including setting the amount of mouse movement at which it turns the monitors back on afterwards - but I'm not aware of a Linux equivalent.
-
Re:No WPA Support Yet
Good idea! I had wondered if this was possible, but never tried it. The story you are talking about is titled NAT Router Security Solutions. Very cool! Now I just need to find a sale on routers...
John -
GRC with Ilfak Guilfanov making patch for Win9x
"If Microsoft Doesn't Fix Windows 98/ME, GRC will. Microsoft has "reclassified" the WMF vulnerability in Windows 95, 98, and ME as non-critical. This means that it will probably NOT be updated and patched for the WMF handling vulnerability that those older versions of Windows apparently have."
So, if Microsoft does not produce an update to repair those older versions of Windows, GRC (Steve Gibson) will make one available.
Source: http://www.grc.com/sn/notes-020.htm
- I just think that maybe in the near future patches for Windows from outside Microsoft will become more common...
-xet7
-
Fixes already in the wild though?
This wouldn't have anything to do with the fact that the fix got leaked early, would it?
http://grc.com/sn/notes-020.htm -
Re:is their face red
According to http://www.grc.com/sn/notes-020.htm, Microsoft actually patched this thing on December 28th. The built and digitally-signed GDI32.DLL carries that date.
-
Re:How to proceed?
I ran the vulnerability checker from http://www.grc.com/sn/notes-020.htm and it said I am not vulnerable when running under Wine 0.9.4. I'm not sure what it would have meant if it said I *was* vulnerable, but I'm happy all the same. I am scared stiff that one day my ~/.wine directory will become infested with all sorts of Windows viruses and spyware and I'll be forced to run rm -r ~/.wine. *shudder* These things are never easy to fix.
Maybe I should see if Norton Antivirus runs under Wine. -
Re:A stupid question
Just saw your post, might be a double but have you tried http://www.grc.com/sn/notes-020.htm
-Bart -
Re:Non NT-based Windows?
the unofficial patch fixes the vulnerability through shimgvw.dll, which us Win98 users don't have. but the actual problem is in GDI32.dll which is required for windows to function. so basically we're SOL atm.
info -
Re:Long term viability?
Is 320x240 enough? I'm an Action Quake 2 addict, but not sure I can play on 320x240.
If it's not, they could render at 3 times width and then do ClearType.
-
Re:Trust not the issue...
Err..
This "patch" is more of a loader. It hooks every program loaded, and redirects the vulnerable function to its own implementation, which disables the buggy functionality and passes everything else back to the original buggy implementation. Sort of like overzealous sanity checking.
It does not modify the original code (gdi32.dll) on disk. After Microsoft's patch, it will still try to load, and either 1) the function will change and workaround will realize this and fail to load (since it checks the 5 initial bytes of the vulnerable function to see which version it's patching), or 2) it will load, still neuter the previously-vulnerable path, and continue as normal.
The source code is included; read it. (Unfortunately, the source code was not a separate download, and therefore we can't read it before installing :( )
See also http://www.grc.com/groups/securitynow:423 -
Re:How do I avoid it? Fixes?
I have posted fixes that have been reviewed by SANS (The Internet Storm Center) at www.HelpProtectMyComputer.com\WMFflaw.html.
I did not develop the fix, Ilfak Guilfanov did, and I found it on Steve Gibson's site.
Please forward the information to as many people as possible to protect their computers and to limit the damage. Thanks. Steve (Smokeydog) -
Re:Do. This. Now.
-
Re:Most importantly: THERE IS A FIX
Parent is a troll who obviously didn't even RTFA. This patch is legit, it comes with complete source code, and it's been verified good by at least one third party, Steve Gibson of GRC.com. It immunizes against the vulnerability and has no known ill effects. It's as good a counter-measure as there can be before an official fix is released.
-
Re:How do I avoid it? Fixes?
That's about as helpful as advising tsunami victims that they move.
For those who want actual advice: http://www.hexblog.com/ -- a fix which creates a hook to disable the affected code. The fix has been analyzed by Steve Gibson. -
Re:How do I avoid it? Fixes?
There seems to be a first fix.
There is now a "Windows WMF Metafile Vulnerability HotFix" available from Ilfak Guilfanov. Have a look here http://www.hexblog.com/2005/12/wmf_vuln.html
The problem - and the fix - has been discussed also at GRC.com's Security Now podcast. Check out this link http://www.grc.com/sn/notes-020.htm -
temporary fixes
There is information available on temporary fixes from the following sites
http://isc.sans.org/diary.php?rss&storyid=996
http://www.f-secure.com/weblog/#00000760
http://www.grc.com/sn/notes-020.htm
be aware the runnable patch is completely unofficial; the only action Microsoft suggests is unregistering a vulnerable dll, which only mitigates the most common method of exploitation while not fixing the underlying problem.
NFI how long it will take Microsoft to have an official patch out, but from the SANS site, it doesn't look promising that it will appear soon. -
TechTV didn't die
TechTV didn't die; it just changed into a series of IPTV shows and podcasts. I stopped watching G4TV when The Screen Savers was cancelled, because that was the last show I really liked on that network. A while after that, I started wondering what the old TechTV crew was doing with their time. I was impressed with what I found.
I still watch TechTV, just without the TV part. I like it better the way it is now. -
Re:Bad metric
Steve Gibson has info about NAT routers etc.; he suggests basically two NAT routers with wireless between them both, so if the wireless is compromised your second NAT router blocks anything behind it.
Posted anonymously as I have mod points.... oooh the power *cackle* (or something) -
Re:Great place to check your security
Shields Up is also a good website to check your security
-
The "review" is really dishonest advertising.
My opinion: Notice that the story is a special kind of public relations. It's an ad.
The ONLY Anti-Spyware that makes sense is ZoneAlarm Security Suite, which includes anti-spyware and anti-virus in one program with the best firewall. But they didn't review that one.
There are more and more "reviews" like that one, in which the real purpose is to try to keep customers away from the best product.
For information about computer industry abuses, read Ed Foster's Gripelog. In this case:
Case Against Zone Labs is 180 Degrees Off
Why ZoneAlarm is the best firewall: LeakTest shows other firewalls allow phoning home. -
Re:First thing one associates with that name...
Aye, nothing new here. These have been around for years, easy to manage too, operator just sits in an IRC channel and issues commands from there. Microsoft just wants to embrace and extend.
-
Re:another longhorn?
A few things they've come up with have been used (ClearType off the top of my head,
ClearType was re-invented by Microsoft. It was done first by Apple. Now what innovation has Microsoft shown?
http://grc.com/ctwho.htm Sub-Pixel Font Rendering
Enjoy, -
Re:Hell, you knew it was coming.
And, if we're going by Security Now's definition of a "rootkit", Norton SystemWorks is a rootkit because its Undelete component hides files from the operating system that are really still there, SystemWorks just fools all applications into thinking they're not there.
Any program that uses the operating system hooks to find out what is going on risks being fooled. The only way around it is to do what RootkitRevealer does: ignore what the OS is saying and go byte-level reading the disk to see what you get, then if you like compare it with what the OS is reporting to see if there are any differences. -
Re:duh
Actually, rootkits go out of their way to be undetected.
(Shamelessly stolen from grc.com)
"What happens is, they essentially modify the way the OS itself works. They're compromising the operating system kernel. You know, in operating system terminology we have the notion of a kernel, which is the OS core. And then you've got applications which run as sort of clients of that operating system. So a program you're running, you know, Corel Draw or Outlook or whatever, that's a client of the operating system. Well, so are the spyware scanners. So when you're running even a spyware scanner, it's saying to the operating system - in fact, for example, there are two API calls that's "find first file" and "find next file." So if you ever want to, like, do a directory listing, you'll say "find first file *.*," and it gives you the first file. And then you successively call "find next," "find next," "find next," until it returns no more files. That's all there is to it. So that's - so anything that's scanning your system is basically doing that.
Well, imagine if something altered the way the "find first" and "find next" operated, so that it was intercepting the response back to you, out of the operating system, back to any application that was asking, so that if it was about to report one of its own files, it would call - it would say, whoops, and call "find next" again on your behalf, skipping over that file. Suddenly any program running on the operating system will not see any of those stealthed, rootkitted files. They just disappear. "
link
http://www.grc.com/sn/SN-009.htm -
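The two comments above describe a hooked "find first / find next" enumeration and the RootkitRevealer-style cross-view check that catches it. As an added Python illustration (not from the page or from GRC), the snippet below simulates both sides with plain lists: the directory contents and the `stealth_` prefix are constructed, and nothing touches a real filesystem or installs any hook.

```python
# Added illustration: cross-view detection of a hooked directory listing.
# Nothing here touches a real filesystem; the "raw disk" view and the hook
# are both simulated with plain Python lists so the idea can be run offline.
from typing import Callable, Iterable, Iterator, List, Set

# Constructed directory contents, standing in for the byte-level disk view.
RAW_DIRECTORY: List[str] = [
    "boot.ini",
    "ntldr",
    "readme.txt",
    "stealth_driver.sys",   # constructed name of a file the hook will hide
    "stealth_config.dat",   # constructed name of a second hidden file
    "notes.doc",
]

Enumerator = Callable[[List[str]], Iterator[str]]


def find_files(entries: List[str]) -> Iterator[str]:
    """Honest enumeration: the 'find first, then find next until empty' loop."""
    for name in entries:
        yield name


def make_stealth_enumerator(hidden_prefix: str) -> Enumerator:
    """Simulate the hook described in the excerpt: when the OS is about to
    report one of 'its own' files, the hook says 'whoops' and calls find next
    again on the caller's behalf, so the entry never reaches the application."""
    def hooked(entries: List[str]) -> Iterator[str]:
        for name in find_files(entries):
            if name.startswith(hidden_prefix):
                continue  # skip over the file the hook wants to keep stealthed
            yield name
    return hooked


def cross_view_diff(api_view: Iterable[str], raw_view: Iterable[str]) -> Set[str]:
    """RootkitRevealer-style check: names that exist in the raw view but are
    missing from the API's answer are the discrepancies worth investigating."""
    return set(raw_view) - set(api_view)


def hidden_files(enumerator: Enumerator, entries: List[str] = RAW_DIRECTORY) -> Set[str]:
    """Run the given enumerator against the raw view and report what it hides."""
    return cross_view_diff(enumerator(entries), find_files(entries))


if __name__ == "__main__":
    honest = hidden_files(find_files)
    stealthed = hidden_files(make_stealth_enumerator("stealth_"))
    print("honest enumerator hides:", honest or "nothing")
    print("hooked enumerator hides:", sorted(stealthed))
```

The honest enumerator produces no discrepancy, while the hooked one leaves exactly the two `stealth_` entries in the raw-minus-API difference, which is the signal a cross-view scanner reports.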
No, sadly, CuteFTP contains exploitable adware
Unfortunately, some versions of CuteFTP contain the Aureate adware client. Aureate is an entry point for attacks. "It is able to secretly download and cause Windows to execute any arbitrary program into the unsuspecting user's computer".
... ""phones home" every single time you use your web browser" ... "can, at their whim, accept and download any file into your system named "update-dll.exe" and then arrange for Windows to run this unknown program" ... "is trivial to "redirect" so that instead of phoning home to one of Aureate's servers, it connects to any other arbitrary server on the Internet." ... "They will always be responsible for sneaking 22 million copies of buggy and frightfully insecure spyware into the world's Windows PCs."
Later versions of CuteFTP supposedly don't contain Aureate. Supposedly. You may or may not believe them. Better to not use CuteFTP, any other Globalscape product, any Aureate/Radiate product, or any product that ever contained Aureate. Here's an old list of programs known to contain Aureate.
Aureate changed its name to Radiate. In 2001, they settled a class action over privacy issues.
Radiate tried again with "Go!Zilla". Some versions of Go!Zilla have adware and/or spyware. The current makers of GoZilla claim "The current Go!Zilla software contains no advertising. There are several older, out-of-date versions of Go!Zilla which contain advertising from 3rd parties." But then they say "Go!Zilla will make certain partner software programs available to you during the Go!Zilla trial version's installation. These products are not necessary to the function of Go!Zilla, and you may decide if wish to install them. Make sure you read the installation prompts carefully to insure you get the best installation for you. Each partner program has its own privacy policy, and Go!Zilla is careful to screen partners for product quality and responsible privacy policies."
Or, in other words, "we're going to load up your machine with adware if you're not very, very careful during the install."
Aureate/Radiate appears to be defunct. Unclear whether they went bankrupt, were acquired, or are on the lam.
AdAware can be helpful if your system is infected with Aureate/Radiate, although it may not find attacks downloaded via the security holes.
For more details about Aureate, Radiate, and CuteFTP, click here (long .pdf). -
Re:Real Player
You most certainly chose right.
I have to use IE anyway for webdev, and all I ever use it for is the BBC and for going "hmm, now why doesn't this work?"
Also, having read this http://www.grc.com/downloaders.htm, coupled with the fact that RealPlayer always tries to dial out on any PC I've ever seen it on, I decided to keep well away from RealPlayer.
But yeah you still chose right, cause it sure sticks in the throat to have to use IE for anything other than showing how shit IE is. -
Re:The small should pay for the big?
I read about this on GRC.com's news page back on the 5th. He has / had dual T1s with Cogent and servers hosted by Level 3, so he was unable to reach his servers except through a backup cable modem.
-
Re:Better than post-it notes
This method of making passwords was mentioned on the Security Now podcast by Steve Gibson (grc.com).
Here's the link
http://www.grc.com/securitynow.htm -
Here's my advice
DO NOT scan/test a company's network without their permission! This is the fast track to a jail cell. Like QuantumG said (albeit a little sarcastically), get a sales manager and expect to pay out a lot of money in advertising.
If you think your post was well composed, I would recommend some English/technical writing classes. If you recognize your post has some grammar problems and you know your writing skills are good, I would not worry about it.
Check out Bruce Schneier, Counterpane Internet Security, or SecurityFocus. Gibson Research Corporation is another site to check out. This is just a start to getting some background on the basics and depth of IT "security".
I would say from the post you are not coming from a security background. Assuming you have an IT Bachelors degree, the minimum I would recommend is for you to study for some basic security certifications (such as the CompTIA Security+ and the MCSE/MCSA: Security on Windows Server 2003 specialization) and take them if you have not already. On top of this, I would recommend doing research into security conferences and possibly even local university classes on IT security (although I recommend these with a grain of salt as there is a lot of variance between the quality and type of information offered currently). There are whole books written on this subject, so visit your local bookstores and research what they have available. My rule of thumb in evaluating books is to see how in depth they get with their subjects. If they just talk in general about their subjects with no specific examples, I typically look for something else (unless it is an introductory book, of course).
Finally, just remember security is different to everyone (even in the business/corporate world). One company might just need you to identify their weak spots, patch them, and setup a plan to make sure they stay patched. Another company might need you to analyze everything from weak spots/patches to physical security of IT assets. Your job as a consultant would be to identify what they need (Business 101).
Hope this helps.
-
Spoofed IP and MAC addresses and Zombies problem
It is possible to spoof IP addresses, e-mail addresses and even MAC addresses, so how does the RIAA know who was really doing the downloading? There is also the problem of the large numbers of zombie or 'bot nets of hijacked computers. According to a BBC article there are over one million computers on the Internet which have been hijacked to pump out spam and viruses. If any of these mothers have computers which are zombies, then who knows who is really controlling their computers and doing the downloading?
Today many homes also have 802.11b wireless networks and in about 50% of the home networks they have not enabled the optional security features. Those home networks are wide open. A wardriver or neighbor with a laptop could use their network to access the Internet and download or upload files.
Average mothers like these are probably clueless about computer security. Do they download all the latest security patches? Do they use a firewall and know how to properly configure it? Do they go to the "Shields Up" section of grc.com to test their firewall afterwards? If they are using a Windows computer do they know to be careful about clicking on attachments? Do they download the latest virus signatures and scan for viruses regularly? Do they regularly scan for spyware using something like Ad-Aware or Spybot Search and Destroy? Do they use hard to guess passwords? If they are using Windows XP did they install Service Pack 2?
I don't see how the RIAA can reasonably assume that an inexperienced Windows user's computer is not actually a Zombie computer being operated at times by some hacker. I have never used P2P networks and do not actually know much about them. But, it seems to me that problems like zombies, spoofed IP addresses and spoofed MAC addresses would cause many innocent mothers to be targeted.
-
Re:Easy on the Mac
Unfortunately that's pretty lame. Remember, the data may be digital, but the magnetic pulse content on the media is analog. Even overwriting one set of the same bit over and over doesn't guarantee wiping the signature off the disk, even if your Mac thinks it's blank. Steve Gibson documented this in his stuff on SpinRite:
http://www.grc.com/srphysics.htm
Fortunately, DBAN is also available for PowerPC machines. -
Re:Obvious question
idiots. it's your HTTP user agent that they count. https://www.grc.com/x/ne.dll?rh1dkyd2 most web browsers out there send information. and if you really care about what it sends you can change it using about:config
-
Plug and Play vulnerabilities already known
Correct me if I'm wrong but haven't there already been warnings about Plug and Play prior to this? I know at least one security website that had warnings about Plug and Play a long time ago, along with a handy utility to disable it. See below.
http://grc.com/UnPnP/UnPnP.htm
You'll notice this was circa December 2001, fully 4 years before these new exploits. -
Gibson Research circa 2001
This is OLD news. Steve Gibson warned us about "UnPlug N Pray" way back in 2001. http://grc.com/UnPnP/UnPnP.htm
-
Re:Summary
I don't know nearly enough about network design to... well, design one or administer one, but I had a feeling this article was bogus--or you know, pseudo-bogus at least.
The clue was, first it starts out making an extraordinary claim about throwing away the firewall, then when you actually read the brief, it starts backpedaling. Like: "Well, er, you can't *quite* get rid of the firewall, but you *almost* can! really! almost. well, er maybe... ok, *sort* of at least..."
---
Now that I think about it, assuming your summary is correct (and for the moment, I feel safe making that assumption), the guy saying "throw away your firewall", but really he just discovered network configuration, reminds me a lot of Steve Gibson (http://www.grc.com/ -
Re:Botnet
Steve Gibson did this a few years ago
http://www.grc.com/dos/grcdos.htm
if they can get into these botnets, and if they're the good guys, why don't they tell these damned machines to patch themselves or warn the user/owner? -
New spin on...
Sounds like a new spin on something Steve Gibson did a few years ago. Very interesting read.
-
Re:I hope they invite the DShield guy
This sounds like Steve Gibson at Gibson Research.
http://www.grc.com/dos/grcdos.htm
This is the story about them being DDOS'ed and him cracking the IRC channel that was being used to run the bots. -
Re:Unnecessary my ass
not only "flaming awful", but invasive as well, see here: http://www.grc.com/downloaders.htm (apologies for the old article, but well worth the read imo)
-
Re:24/7 uptime for all workstations as corp policy
Have you been to http://www.grc.com/freepopular.htm? One of his tools, Wizmo (for XP), is accessed from the command line and can do a variety of things with a simple command (including sleeping and hibernating a machine, among other things). It's not a big app either.
-
Re:the gibson
Gibson's story (http://www.grc.com/dos/grcdos.htm) makes for a great read - and he did put up a list - and it worked pretty well.
-
Re:Linux?Windows is secure out of the box???!!!
Out of the box,...
- you run everything as an admin. If you try not to, things break. So you leave it as is until the day you'll visit a malicious webpage and/or run a malicious app. Or what about your privacy? ANY user on a windows system can read/modify any of your private files because they are all admins!
- the messenger service (not MSN messenger) is running and you are subject to spamming delivered directly on your desktop!
- UPnP is on by default and wide open to the rest of the world. I haven't met any windows user who needs UPnP and yet it's on by default.
- DCOM is again on by default and wide open to the rest of the world. Again, I haven't met any windows user who needs UPnP and yet it's on by default.
- there are countless other needless services that although they are useless, if you try to shut them down, things will break! So you end up leaving them running with your machine potentially owned at any moment!
- there are countless windows specific accounts and groups in your machine that pose a security risk, but if you try to remove any, your system will break!
- Internet Explorer is integrated into Windows. So any flaw in IE results in a OS compromise. That smells like bad design doesn't it? Oh wait...they did it to counter the anti-trust lawsuit. That says something about MS priorities. Profits come first, user security - who cares?
- ActiveX. Need I say more?
The above are ALL design flaws! I don't even want to go to application specific stuff and buffer overflows. Many of them unpatched, waiting for someone to exploit your box.
And you know what the most dangerous part is? The false sense of security that windows users get from antivirus, antispyware and that toy, the windows firewall. Or even the new "Security Center" on their control panel, that does nothing apart from falsely comforting windows users that they are safe.
-
Re:Click of death ... on remote control?
True enough, but they were very good about replacing the affected drives regardless of whether they were still under warranty or not. I think the quality of a company's warranty says a lot about the people running it and their intentions. Commitment to customer satisfaction is quite rare and I can only hope that Iomega still maintains that same commitment.
I agree with you to an extent, but they'd be much better off to just make quality products from the start, rather than replacing a defective product with another potentially defective one. I'm more concerned with the quality of the product than with the quality of the warranty. If it's a great product, then I might not even have to care about the warranty.
Taken from a link provided by another /.er: Minutes, hours, or days after the clicking is first heard, the drive -- and usually one or more of the user's cartridges -- suddenly dies without warning. And since people tend to rely heavily upon their Zip and Jaz cartridges for the storage of their important data, this typically results in spontaneous, catastrophic, irreversible, loss of all their data.
So, it's great that I have a new drive that might betray me like its predecessor, but what about all of my DATA? Oh, I see, I'm SOL...
-
What's that sound?
Let's hope this new drive never emits a "click, click, click" sound.
Actually, I'm shocked to see some innovation from IoMega -- I had written them off as dead. I hope it works out well for them.