Slashdot Mirror
Net Security With "NanoProbes"
An anonymous reader writes that "Steve Gibson is working on something called NanoProbe technology. He describes it as advanced remote Internet security testing. " Lots of interesting stuff to think about in there (despite the fact that he says its designed for windows). Its quite technical, and apparently moving fairly quickly forward.
It doesn't explain how this works, so I can't keep the word "hoax" from popping up in my mind. Unless, of course, he is suggesting that everyone run his weirdo TCP/IP stack on their routers to cause this stuff to work.
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I don't think many that have posted inflamitory diatribes here have bothered to investigate Gibson's work thoroughly. Even on the Nanoprobe page itself, it's stated clearly enough for anyone that cares to read. I let Gibson speak for Gibson:
Good question . . . because it is NOT for everyone.
The NanoProbe Technology, like all of my development work and the content of this web site, is highly targeted toward the Microsoft Windows client universe.
I know fully well that the Internet was first the domain of Unix and Unix-derived machines, and that such machines still dominate the server space. But, unlike most typical "Internet scanners", this system is not oriented toward locating the vulnerabilities of unknown machines.
It is first, and foremost, a Windows client security analyzer. It has this bias because we can do a significantly better job for the majority of today's Internet users -- who are Windows users -- by focusing upon the specific needs of that platform to the exclusion, where expedient, of all others.
(my emphasis)
It's called prioritizing, folx.
Gibson's aiming at this group of people for a very good reason; it's where the biggest problem is. If he can take steps to lessen that problem ... we all win. Fewer vulnerabilities == a better net.
/*
Just open a 'dos' box, type "format c:" but don't hit return yet, then compose a mail message to your 'target victim' and attach c:\windows\command\format.com to it, then - this is the tricky part - hit return in the dos box, answer 'Y' and hit return, then quickly hit 'send' in your mail program, but only real l337 h4x0rz can do it properly, wannabees and luz3rz end up formatting their own drives!
That reminds me of a text file going around in the mid 80's about how to upgrade your modem from 300 to 1200 baud - open the case, clip out some components, wrap some wire around a pencil and solder to some traces and you have - a dead modem.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
UNIX users, tending to be engineers, will immediately see through the BS he's spreading and laugh uproariously at his claims. Windows users, tending to be (on average) far less technical, should be able to drive much higher sales. Personally, I was immediately reminded of a used car salesman's pitch when I read this.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
It's funnier than that. Packets which are source routed are dropped by all sane TCP/IP implementations. Ditto for any with blank sequence numbers. Don't worry about some stupid sites blocking ICMP (ahemslashdotahem) as a form of "Security" .. nmap and other sane scanners just go ahead and try to TCP connect to a WellKnown port to get an ACK or an RST packet back. No big deal.
:-/
Life is not like Gibson Sci-Fi because people are not that ignorant of technology! Though there are certainly enough that try to prove me wrong
--
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
Any router will, as long as it's been told to.
The trick is that most of the internet's routers know *not* to route those addresses...
If you're on RoadRunner and I'm on RoadRunner and I tell my gateway that to hit the 192.168.11 network, it needs to route packets to your gateway, it will, and maybe I can get into your network, assuming the two nodes are on the same segment and you don't have your gateway set up to deny incoming packets to those addresses.
But the point is, unless Mr. Gibson *is* on Roadrunner and his machine is sitting "right next to mine" on their network, no, there is absolutely no way his packets are going to get through my firewall to the machine at 192.168.1.5 behind it. They wouldn't get through anyway because I've told my firewall not to accept new connections to internal addresses.
If any of what he's saying has any basis in reality, he's just deprecated the use of firewalls since the whole *point* of firewalls is to restrict certain traffic.
I have the feeling that we're all still pretty safe though...
-=-=-=-=-
-=-=-=-=-
My mom's going to kick you in the face!
Mini-review states:
While all this sounds quite impressive to the uneducated, this really comes down to a mix of things that could be done in the UNIX world with a combination of nmap, netcat and forcing anyone who you want to scan to connect to your web server.
If someone really saw a need to do this, all that would really be needed would be Apache with a custom module as the web server (having the scanee connect to your web server is what gives you one of the paths back through NAT firewalls), some nifty perl scripts to control netcat (to generate the "hand-crafted" packets and record the results), and maybe a nice MySQL || DB2 || whatever database on the back end for long term storage of your results.
Heck, with a custom Apache module and a database on the backend, you could set a cookie in the scanee's browser so that you could automagically let the scanee pull up the results of the last few scans you did on on him.
The summary: I feel for anyone who has spent that much time coding custom TCP stacks, custom webservers, and custom who knows what else in ASM, just to do what perl, apache, a bit of C++, a simple DB and netcat could do. What I feel for such a person will remain unstated.
--------------------------------
There is no backbone cabal.
But are they numbered? I want packet 31337.
___
__
Do ya feel happy-go-lucky, punk?
Am I missing something? What is the big deal?
Our NanoProbes are able to (benignly) penetrate a user's stealth firewall to verify the presence of the system hidden behind. Since our NanoProbes are able to bypass stealthing
He seems to claim that his packets cannot be blocked....watch me (or anyone else) block them. Seems high on ego, low on content.
No, it means each packet is carved from only the finest oak by third-generation master craftsmen in rural Vermont and comes with a signed certificate of authenticity.
Bruce
Bruce
You are the real Bruce Perens.
hand crafted packets?
/dev/eth0.
Does that mean you sit there tapping out the packet contents with your space bar?
Is this anything more sophistacted than ping?
Too bad it's for Windows only, it would take a dedicated Linux hacker minutes of grueling work to send those packets out
Er- I love how he says that packets can move at twice the temporal density. Ignoring the units mismatch (does this mean I can now read slashdot at twice the pressure, or get in my car and do 0-60 at twice the volume?), isn't this just a marketroid way of saying twice as fast?
The whole thing strikes me as self-congradulatory drivel. He may have found a way to do something useful/cool, but it's hard to see through all the bull splattered on the page.
Sending non-standard packets to get information; sounds kinda familiar. Like nmap, or queso.
But I suppose when you want to sell something like this for a lot of money, the Marketspeak gets pretty thick. I think it's really funny that this is specifically a Windows hack^H^H^H^Hprobing tool, too.
Ah well, it's not as bad as "Digital DNA"; I spent a good afternoon trying to find out information on that until I realized that it meant nothing, stood for nothing, and is basically a stupid abbreviation for "Motorola Technology". They had PRESS RELEASES full of MARKETDROIDS saying things like "It's DNA of the digital variety". WTF??? Grow me a digital person, marketdroid!
---
pb Reply or e-mail; don't vaguely moderate.
pb Reply or e-mail; don't vaguely moderate.
This was definitely a somewhat silly annoucement; it sounds early. Basically though, proving that windows blows is an honorable goal.
/. eats him alive, since anything ever done without full disclosure at any time is naturally the root of all evil. (actually, antibacterial soap in the home is the root of all (some) evil. www.cdc.gov)
Temporal Density is a perfectly fine unit. If you can get twice as many of these packets through the same bandwidth in a given time, you have twice the temporal density. What he's saying about nanopackets is really that he's done lowlevel work by hand to get the packets as small as possible. This is how beautifully efficient things are done.
NP is not his primarly technology. His primary technology is the methodology of the floods. He's simply claiming they are twice as fast and possibly more capable, because he's using the best possible substructure for his floods, nanopackets.
Then what he does after that is give out a bunch of things it can do, without saying HOW, either because it's proprietary or because he doesn't know yet. This is why
He did not say it couldn't be blocked, he said it worked on stealthed computers. Certainly, if a secure router routes no outside packets, ever, then there can be no TCP/IP vulnerability (except in router security, or in there being another router or takeable machine on the internal network) But a stealthed machine which at some times has some interaction with the outside world has to respond to some kind of packet sometime, by definition. It would certainly ignore ping. Whether he succeeds at this I don't know, but it certainly is theoretically possible to succeed, at least in any specific case. (and a sufficiently long list of specific cases...)
I have at least 1 issue with GENESIS, which I should probably mail to him. In principle, he seems to have found the theoretical limit of this type of security inspection (@ packet level only) and if it all works as planned, it'll be great.
But he basically needs to provide more details, or not have a press release, or at least have a higher fact/buzzword ratio.
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
There must be a killing to be made by selling network tools that caress, fondle, grope, kiss, lick, and suck.
"Our potent NetGrope Technology can unhook the access control on the back of most firewalls, thereby letting you caress the bouncing packets beyond."
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Yeah, and I suppose that we should only support new technology and programs that aren't wearing the Microsoft fetters, right? This bible-thumper's bias is going a little too far. It seems that on Slashdot, any idea, however promising it may be for the future, is shunned if it doesn't run on Linux. And I suppose that Rob's gonna say that the next DOOM will suck because it's being designed on Windows 2000. Open your mind and take those blinders off!
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
On the face of it, and based on a cursory read of the article, not the worst idea at all. And this guy definitely seems to have his heart in the right place on several issues.
Still, I'm not entirely clear as to why a bias towards Windows platforms seems to be such an important issue. Is there really that much difference in the requirements for a UNIX box? Given the number of Apache servers out there, I would think that ignoring UNIX platforms is a less than wise decision.
Still, he does describe the theory behind the approach. I don't doubt that there will soon be similar efforts for non-Windows platforms, if this method holds up to its promises. Invulnerability to DDoS alone is motivator enough.
-TBHiX-
What kind of pervert thinks all this stuff up?!
--
. . . make sure that default passwords aren't used and slap the heck out of the folks with "God" access when they aren't? Now that's something that's needed.
--
-- Geof F. Morris
From the web site:
"Aren't NanoProbes just IP packets?
Of course they are."
I think that just about sums this up. They've put a fancy name on an existing technology, and claimed "innovation and invention." 'nmap' uses this sort of thing every day, it seems. Sure, they may have tweaked the packets to elicit specific responses from the target, but how is that any different than existing fingerprinting techniques? I don't think it is(although, I'm don't really know a whole heck of a lot about this stuff).
I used to really respect GRC. Their "ShieldUp!" was pretty darned cool, but these announcements all sound like bloddy half-baked press releases. I could be proven wrong, but this sounds really lame.
Dave
'Round the firewall,
Out the modem,
Through the router,
Down the wire,
Barclay family motto:
Aut agere aut mori.
(Either action or death.)
That page is so full of marketroid(tm) rubbish, I can't make any sense out of it. It seems like an implementation of tcp/ip fingerprinting, but enhanced with drug abuse by the author.
I suppose you can't underestimate the power of catch buzzwords. Transmeta couldn't raise any finance until they renamed their tech to CodeMorphing. The BDU's will probably fall for it.
"If this particular probe were
to be dropped into the Internet, it would route itself to the machine at IP address
[ 208.47.125.33 ] which is the United States NSA (National Security Agency). This
NanoProbe asks the machine to verify its existence on the Internet."
Wow! You mean you're writing ICMP? Sounds cool!
Really, "self-routing"? Um, so I guess if I use just these I don't need routers. Sorry, but self-routing doesn't work with dumb media. So he figured out how to cram ICMP type packets into smaller packets. So?
"While you wait, real-time, operation"
Yeah, ping just takes so damn long to run...
It think perhaps this guy should go back to writing his newbie-helpers and quit trying to play in the big leauges.
--Maarken
So what we have here is somebody who has taken the idea of portscanning, promisc detection, tcp fingerprinting, etc... and then injected it with many many drugs...
Wonder if this is any relation to _THE_ Gibson? Would be fitting wouldn't it...
---
Play Six Pack Man. I
(Not sure whether his program is open osurce or not, but answer the question)
Open source is about scratching an itch that you have. Steve Gibson is a windows user. He has an itch. He's scratching. Oh hell's yeah.
--
Peace,
Lord Omlette
ICQ# 77863057
[o]_O
You may have heard that Slashdot was recently "hacked". The preliminary stages of this hacking were made possible with nanoprobe-like technology.
I, Bob Jones III, was part of the elite "hacking" team. I added a module to the "lameness filter" that prevents the following kinds of posting errors:
Mr. Taco: It is hopeless to try to correct this error. I have added this code block to the firmware of your RAID arrays, so if you erase the module, it will be instantly rewritten. I am doing this to save the souls of all Slashdot readers and lead them toward CHRIST.
Sincerely,
Bob Jones III
Could this nano-probe technology be Steve's fabled project x?
PROJECT-X's display will expose crucial information that's been hidden inside your computer by people who have their best interests in mind, not yours.
It automatically finds easter eggs?
I DO know how bizarre this sounds. "Hidden truths?" "Other people in control?" "Unnerving secrets buried in our computers?" I wouldn't blame you for thinking that I'm being deliberately over-dramatic, and you might wonder what I've been smoking out here in Southern California. Or whether, perhaps, I've become a little too involved with the X-Files TV show.
Currently I'm thinking about dolphin sex.. but that's what happens when you read /. posts :-(
I don't yet know for sure that I can even do what PROJECT-X requires..
This is the line I like the most.. it sounds like the guy is trying to write the all-in-one point-and-click hacking tool or something. 'Yeah.. just type in the IP address and click go.. you'll automatically be placed in a shell account as root.. or if it's windows.. NetBus will automatically be installed for you.. ??'
Has anyone joined the mailing list to 'apprised of my progress'?
Idi
- I don't have a .sig .. I type this in by hand each time!
The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
I'm not quite sure what CmdrTaco is talking about. This affects Linux users - it affects all users. The idea of a "shrunken" packet is not terribly new, but speedwise having a packet be as small as this, and still contain a variety of extra useful information about its destination and whereabouts, would be useful in pinging servers.
- I don't care if they globalize against free speech. All my best free thoughts are done in my head.
1) The TCP offset (TCP header length) is set to 6, which means that the TCP header length should be 24, and the packet shown only has a 20 byte header.
2) The Sequence number is 0, which should never happen on a SYN packet and would be easily picked up by any intrusion detection system (like Snort).
3) The IP datagram length field shows 44-bytes, but once again we're only shown 40-bytes. Where'd those other 4 bytes go?
Beyond that, this is a standard SYN packet, hardly revolutionary.
The packet at the top is a simple ICMP ECHO packet (ping), which is presumably being filtered at the NSA's gateway. That's why a response has "never been received"... Ooh, spooky!
The other claims are so much fluff. Temporal density? Just because the packet's got half as many bits as the equivalent ECHO packet from MS doesn't mean that the extra nanosecond saved is going to be added onto your life.
These packet's aren't stealthed by any measure, they're only stealthed to the uninitiated because most peoples eyes glaze over when confronted with binary data. What we've been presented with is a an ICMP ECHO packet and a TCP SYN packet.
Let's look at the other claims:
"While you wait, real-time operation"
Explanation: When you execute the program, it runs and reports back to you.
"Continuous host-presence verification"
Explanation: When you run the scan, it pings the target to make sure it's up. Contrary to the claims on the web page, every other scanner under the sun that's used for any large scale application (like nmap, CyberCop, ISS, etc) does this.
"Comprehensive host IP address determination"
Explanation: Resolves DNS names, can make other DNS queries.
"Host stealth technology detection, penetration, and appraisal"
Explanation: If the host is discovered, it will be scanned! If the host can be reached through the firewall, it'll also be scanned. If the firewall is filtering the traffic, the program will attempt to get through but probably won't unless some well known vulnerability can be exploited.
"True firewall, versus simple packet filter, discrimination"
Explanation: They see if their packets are rejected outright or if some sort of connection establishment is allowed.
"Special "Half-Open" TCP connection "SYN" probing"
Explanation: This was special about four years ago, but now it's just called a SYN scan. This is different than a full SYN scan in that the connection is dropped after receiving the returned SYN-ACK packet instead of letting the connection complete. This is different from a free port scanner like nmap in exactly 0 ways.
"Advanced TCP non-connection "ACK" probing"
Explanation: They can do ACK scans as well. This is completely revoloutionary unless you've used almost any other free scanner in the past four years.
"Fragmented and reordered packet filtering vulnerability assessment
Explanation: nmap + fragrouter = this capability, plus more!
"UDP/ICMP reflection response probing"
Explanation: If you send a properly formatted UDP packet to port 137 on MS boxen that allow it, you'll get a response back. If it's not available, you'll get an ICMP UNREACHABLE. My god, the amazing powers of this software aren't to be believed!!
"Differential source IP analysis"
Explanation: IP spoofing! Revolutionary! Nmap has only had this capability for (at least) four years, but these guys have made it revolutionary by sticking it in their product to jack with badly misconfigured firewalls. Amazing!
"Personal Router vulnerability assessment"
Explanation: If you're behind a NAT, there's a chance that the nanoprobe may notice!
"Last-Hop Router vulnerability assessment"
Explanation: If your router/NAT is badly misconfigured, a nanoprobe may be able to see some of the other addresses that the thing is configured to talk to.
"Active protocol testing"
Explanation: Application layer testing, such as trying to brute force passwords on SMB shares. This has never been done before, unless of course you count the NetBIOS Auditing Tool (nat) program from the mid 90s...
"Packet round trip time (RTT) profiling"
Explanation: This is useful if you're trying to see if there's any time based elements to see if you're talking to a firewall or directly to the host. Righteous.
"Absolutely spoof proof"
Explanation: "We can't be spoofed because we make our own packets!" What about man in the middle attacks guys? Are you talking IPv6 or over an encrypted tunnel? No? Oops, you can be spoofed.
Anybody remember the FreeVeracity BS from a few weeks back? I smell repeat! There's no magic here, other than the fact that this got posted to Slashdot at all.
Why is it only for Windows? Because Steve Gibson wrote it. He likes to write "hand-crafted" assembly language, for x86 platforms. So he wrote it for Windows.
Maybe it reads like a press release. But don't forget... when he finally has something to release, he is going to give it away free (like beer). He isn't spamming this page out by email, he isn't trying to trick anyone out of their money, so why are people so worked up?
He wrote, and gave away, a cool utility for Zip disk owners. He also wrote and gave away some other stuff, and let's not forget how cool his Shields Up! page has always been.
Even if we moderate his latest web page (-1, marketdroid-speak) he has plenty of karma left over.
steveha
lf(1): it's like ls(1) but sorts filenames by extension, tersely
What crap.
-=-=-=-=-
-=-=-=-=-
My mom's going to kick you in the face!
These 'nanoprobes' are just minimalist valid packets, headers with zero data.
The page is full of anthropomorphism and redundant quasi-technical terms just thrown in to make it look impressive. When you actually look for some hard facts, they're fairly lacking.
So what that they're less than half the size of the ping packets produced by MS ping, which always sends 32 bytes of data. Can we say ping -s 1 host? Sends 232-bit packets (224 header + 8 bits data). (It gets 9-byte replies = 224 + 9*8 = 296-bit replies... still not far off the 224-bit of the minimalist packets).
There's no actual evidence presented that the lack of data in the packet causes them to be processed in such a radically different way as is suggested, bypassing any and all firewalls, NAT and proxies.
Looks like sensationalist hype so far. They may have some use in highlighting exception cases in software (who'd expect zero length data anyway), and his customised TCP/IP suite will probably just be used to send more pings per second.