Slashdot Mirror
TCP/MS, We'll Cure What Ails You
Cringely can string some words together from time to time, and this week's installment is a pretty good one. He's been reading a little too much Gibson (raw sockets have nothing to do with the spread of MSTD [?] 's), but overall, he's probably right. When the time is ripe, I think we'll see a move exactly like this.
But it sounds to me like he wants MS to make a secure email product that would never, ever do something without the user's permission.
I kinda found that funny, given MS's history.
Besides, I severly doubt that the DOJ will look favorably upon this move, or even if ms will have the fortitude and the gonads to even propose such a thing.
Yes, it would be cool, but I honestly think the folks in redmond don't have the ability to carry out something like this, on such a large scale and have it work properly from day one.
I'm actually not sure who could design the protocol - perhaps a think tank of the best programmers around the world hired by several governments for actually good money?
And yes, I read the last paragraph, and I still think XP's only redeeming feature is allowing us to write our own IP headers.
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
It doesn't matter that the network is insecure, only your computer needs to be secure and the keyserver.
PGP or GPG is great for e-mail, but not for the socket exploits the article discusses. So when your computer or a keyserver is rendered insecure because of TCP/IP socket insecurities on an XP machine (client or keyserver), then what do you have? Properly written, a virus could enter thru an app that allows insecure raw socket access, and could send nicely authenticated e-mails that begin with "Hello, my friend..." You get the drift.
why doesnn't someone do something constructive with micro$ofts ripe virus breeding ground ? why not have a virus spread in a more controlled fashion, doing nothing destructive so as to avoid detection for 3-4 months. at some critical time (pre-christmas) format C: on evey m$ machine everywhere. now wouldn't that be bad for business ?
Lets make a distinction here. The vast majority of so-called e-mail virii are VB virii, that exploit weaknesses in Outlooks security to hide inside attachements and run without the users knowledge. They think they're opening a picture of AnnaK, instead they get infected. Just how is a virus of this variety going to run in a mailer like mutt that doesn't have built-in scripting??? You have to detach the attachement, then set it's permissions to executable, then execute it. Only a total fool would do that.
Yes, UNIX-type system have worms, but they're a damn sight harder to write, and do a lot less damage. Yes we will see more of them, but at least we try to build systems that will fight them, not welcome them with open arms.
While they have the ability, unfortunatly it's almost impossible to use them properly, at least using NT and Office 97. In order to run Office 97 on NT, your NT system directory must be world writable. Once you allow this, then any user can replace any DLL, and get any privlage they want.
I'm with you here. I spent forever going over perl so that the ISP I was working for at the time would still have a functioning billing system.
[ approaching AI ]
No, the convention was a ^Z, but only if the file didn't end on a block boundary. CP/M didn't keep track of file sizes, just blocks used so there was no way of knowing where the last character in the file was. Unless it fell at the end of the last block in the file.
None of the applications you mention use raw sockets. They all (like 99% of network apps) use TCP or UDP sockets. The application never gets to touch the raw IP header data. There's no need.
Strags
I think there are serious problems with his article, but the overall points seemed to be:
the second point is more important. I just read not too many days ago that large corporations were complaining about the "flaws" of the internet that made it difficult for business-as-usual to be conducted on the internet in the manner they prefer... specifically, things such as pay-per-view (or per song) are difficult to impliment if someone offering the same service for free can send packets with equal priority to those sent by AOL or an RIAA-approved webcaster.
While I can't help with 2-4, I wrote 2 things that help with #1. My web site offers to ability to Test Your E-mail Defenses by e-mailing you a harmless VBScript file. (It reads your registry, but doesn't change anything or send any info out.)
I also wrote Script Sentry which traps those VBS scripts (as well as DOC, XLS, SHS, SHB, REG, HTA, and more), shows you details as to what it would do if run, and lets you decide whether or not you really want to run it. So if a user opens up that new Love Letter they just got in the mail and sees a "This will change your registry" message, hopefully they will be scared/wise enough to cancel the action.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
What ever happened to the good old days when virii were a thing to be admired, were hand crafted in assembler to use the fewest instructions, and took talent? It seems nowadays everything requires the user to click an attachment in their outlook program. Theres nothing creative about that!
VMS on the other hand has very typed files, the files are much more than a simple stream of bytes. FTP'ing in ascii apparently does a bit more than simply sort out the CR/no CR thing that unix-windows xfers do. But then you get cool stuff like indexed file support in the OS, which I miss turribly. (If I'm not mistaken, re windows unix ascii ftp xfers, LF == NL.)
Very well written and accurate portrayal of Microsoft and their vision of computing. While Cringly's idea of TCP/MS may seem far-fetched, you are right on the money regarding their desire for such a protocol. If Microsoft could embrace and extend the internet, it would in a heartbeat. If that ever did happen, it would be the end of the free internet as we know it.
Unfortunately, only the free-thinkers would see it that way. The mindless herd of end users that follows Microsoft would know no different. They would continue to surf and enjoy their digital playground and carry with them the same illusion of freedom they have about the rest of America. These same people never knowing about the DMCA, Sklyarov, DeCSS, or fair-use, (because the media practices awareness control over the public) would just assume that's the way it's always been. The movie, "The Matrix," at least metaphorically speaking, is not far from the truth. In the future, I see a day when people are too "attached" to a system to let go. In this future, I see people who can't define their own reality or even define freedom because of the constraints that are placed upon them since birth. In other words, they will have lost the ability to step outside the box and question the facade they call "reality".
Maybe I've read "Brave New World" one too many times, but the parent post and Cringly's article make for a great introduction to a new 1984esque type of novel. Ok, so I got a little carried away there. LOL.. Anyhow, what I meant convey was that the average user would probably not care since they use windows anyway. They would see all the neat new services that passport provides and consider it a "feature." As scary as this may sound to you, the average joe user knows no better. However, with IPv6 right around the corner, I don't see Microsoft embracing TCP/IP. But have no doubt, if Microsoft could change the very protocol of the internet in yet another attempt capture even more marketshare, I have no doubt that they would at least try. That is what scares me about this company - the complete and total disregard for the open standards that allowed them to become so big in the first place.
As posted to microsoft.public.win2000.general:
Come on, Bill.
I know you've got this great vision for a wonderful Internet and a computer on every desktop and all that stuff. I've met you in person on two occasions, and found you to be friendly, personable, brilliantly intelligent, and I know you believe very strongly that your vision of the computer industry isn't flawed. I even grudginly like you for your passion, courage, vision, strength and business acumen. Most damningly towards wanting to hate you, I also believe you and Melinda are true philanthropists.
But I'll still bet money that I had an e-mail address before you did. And you and I both know that this has to stop. At this point, I tell my consulting customers that running IIS is as irresponsible as drinking and driving. My procmail filter automatically sends all e-mails from Outlook mail clients to /dev/null. Like drinking and driving affects all road users,
the many blatant security flaws in Windows and related programs affect all
Internet users.
Please make it stop.
Copied and pasted from my (Apache on UNIX) webserver log:
(D'oh! Slashdot Lameness filter sees all the capital Ns of the Code Red worm buffer overflow and won't let me paste, so you'll have to see it here.)
Fire and Meat. Yummy.
If MS were to charge for such a protocol, they would not make any money. You talk only about client machines. What about servers, Web servers in particular, around 70% run a UNIX variant.
Basically all your clients have one protocol but the servers have another, so you have two options. Change the clients back or charge MS to put their protocol on the servers, yes charge MS!!
How many sysadmins, not MCSE's, sysadmins are going to pay to put a MS protocol on their servers. Zero springs to mind.
Or you could just Copyright TCP/IP when microsoft change it to TCP/MS and then charge them extortionate amounts to use it again. cha ching!!!
Why, in my day, we only had ONE character which had to be multiplexed by switching 104 times per second, and machines were networked with string and dixie cups - and we were GRATEFUL for it!!
It's 10 PM. Do you know if you're un-American?
How can malaria be a human disease? I've been infected 20 times yet the black man down the hall has never been infected at all.
Raw sockets are an application programming interface (API) whereby the application is able to control the contents of IP packet headers directly. This means that an application, for instance, can transmit a packet with a forged source IP address - thus disguising its origin. This is often used to conceal the source of a DoS attack.
Linux provides raw sockets, but only the root user is able to utilise them (and rightly so). Cringely's article doesn't make it clear as to whether or not there's any kind of user-based protection under XP, or whether anything and everything can access raw sockets under XP.
Strags
Wasn't a hoax, but it was sure overhyped. We all had a good laugh at the expense of a guy I know who stocked up on toilet paper, drums of water, canned food, etc...think he's still tryiing to work his way through that useless stockpile. Some people are pretty gullible.
MS's IPv6 stack is actually under quite an open license, relatively speaking considering MS's typical licenses. MS's Research Department actually seems quite warm with open-source technologies. Their business side, however, is a totally different story :-(. Try out their IPv6 stack at http://research.microsoft.com/msripv6/ if you're unfortunate enough to be running Windows, and read the license agreement. Prepare to be quite pleasantly surprised :).
And I'm sorry, but if you open a file sent from someone you've never heard of promising to display a naked celebrity, you get what's coming.
The annoying bit about SirCam is that not are the people who open the attachment affected with a loss of privacy, but entirely random people have to sit and wait for sometimes huge attachments to download.
Slow down your shoveling boy... you might hurt yourself.
So exactly how can Microsoft's IPv6 stack be proprietary, when they don't own the routers, switches, et al? You see, if they change the format of the packets, then the router needs to accept the new format. Since CISCO should be setting up their IPv6 stuff to the agreed standard, that leaves Microsoft little choice.
Microsoft's network protocol implementations have always been fairly standard and able to interact with the world at large. I don't see that changing in the future.
As for IPv6, I don't see that really rolling out until XP covers much of the marketplace. XP (and the Server 2002 editions) should have native IPv6 support.
Stop spewing FUD. It isn't any more endearing than when Microsoft does it.
Natural != (nontoxic || beneficial)
A little digging came up with a complete description of the problem from sun:
w start.html
http://www.sun.com/sun-on-net/performance/tcp.slo
I would watch out - now YOU are starting rumors
:-)
1)Um, are you under the misapprehension that Linux et al are secure OSs on the basis that there haven't been any viruses targeted at it to speak of?
I believe linux...and pretty much any Unix i've dealt with (Solaris,OSF, Ultrix...) are much more secure OS's, becuase it's much harder to write an exploit for a unix box than for a windows box. Writing a buffer flow exploit to compromise a server process is order of magnitudes more work than sitting down and writing and emailing a Word document that takes advantage of the VBscripting to erase you harddrive.
There are "talented" crackers out there that do target unix machines. You can do a lot of real damage if you can compromise a large corporate Unix system....but you have to expend real effort to discover a new exploit on a unix system. With windows on the other hand....the same "feature" is being exploiting repeatedly to cause damage....how many differently named viruses have to circulate before MS removes this exploitable "feature."
Point out a "feature" of linux, or unix that gets repeated used for malicious activity...but people refuse to fix. Bind and sendmail, mainstays of unixland have had a history of exploits but the software makers make it a point to fix the problems asap. Software will be buggy, and bugs can turn into exploits, and then they get fixed. But a FEATURE like VBscripting is not a bug. VBscripting is a very powerful and woefully insecure FEATURE, but MS refuses to strip out the VBscripting features or add a layer of security to their use. MS viruses...don't use bugs in the code...they use perfectly acceptable scripting commands...to do bad things, and MS refuses to do anything about this FEATURE!
2) On the general subject of quality, Linux still hasn't got anything to compare with the Office suite.
No i think there are some candidates for comparision. Take Staroffice...is as slow as MSOffice, and for me staroffice does crash on occasion just like MSOffice...the big difference I've seen is that staroffice doesn't take down the entire OS with a BSOD when it desides to stop working.
You need to upgrade your gnome. I'm living in Ximian gnome on my PC and I haven't had the GNOME Desktop crash yet. But I'll be damned to figure out why my windows PC won't get past the logon box without causing a GPF.
3) I used to buy into this idea that OSS necessarily produced better quality software, but it just isn't true. Large products are flawed for many reasons: release deadlines, unforseen design errors, resource constraints, but mostly because people in general just aren't smart enough
I still believe OSS development makes far better products, but my reasons have nothing to do with being able to make product deadlines or whatever. I do not believe that OSS makes products more quickly. I don't care about release deadlines...the OSS products will get done when they get done....as long as products are making steady progress, that's what matters. How long did it take MS to make a stable OS worth actually paying for? From MS-DOS upto win200...how many manyears or should i say mancenturies of development time went into that development cycle. If want to believe in the pay for every yearly broken release, and call it a full product fine...I'm sick of it. Just don't bring your timeline baggade to the OSS community. Products get done when they get done. I believe that OSS development makes better products, for the simple fact that the source code is available. I believe OSS makes better products becuase in the long run those OSS products are far more adaptible and allow for more innovation. -jef
It is generally believed that the user is the weakest link in computer security. Specifically, the uneducated user. The reason these viruses or worms are so high spread is because the means to spread them (generally) comes from the user (either a user downloading a file, or a user not patching their server, etc.). Microsoft holds the greatest market share. This is why microsoft viruses spread so fast. As the number of users of a product increase, so does the probability that one of these users will spread the virus. That's the facts, plain and simple. The only reason that more linux worms don't spread is because A) The users tend to be more educated in prevention of these worms spreading, and B) There aren't as many users. Linux software may be safer, but i assure you it's open to it's own breed of linux specific ways to spread worms. I garuntee that if (when) linux captures the market share from microsoft, there will be TONS more worms written for and spread to linux computers all around.
__________________________________________
Take comfort in your ignorance.
Grandmaster Plague
-- ;-)
Kuro5hin.org: where the good times never end.
The Internet, napster, gnutella, Groove, realaudio, ftp, smtp, http, SMB and all your favorite tools would not work without "raw" sockets. The solution is not to guard the pipe, but to make more secure systems that are impervious to attack. Demand that your OS vendor keep up to date in patching security holes.
Yes - I know that promiscuous mode and raw sockets are fairly unrelated. However, APIs that permit raw socket access frequently also permit the application to invoke promiscuous mode. This is certainly the case using when using Windows NDIS drivers under 98 (eg. winpcap). I have written network analysis/routing tools under Windows and Linux, and as a general rule of thumb, if you can do one, you can do the other.
I'm not blaming raw sockets for anything! I fully agree that Gibson and Cringely are in the wrong. Network security doesn't arise from crossing your fingers and hoping that every box on your network is going to play fair.
Strags
The same concept is in play in politics.
All the people who voted for Dubya (even though he got less votes overall) have an emotional investment in having his presidency turn out alright. So they apologize for every boneheaded move he makes by saying "at least he's not getting blow jobs from the hired help!"
Embrace and extend. The guys working on a version of .NET for Linux/Unix are wasting their time. Microsoft will not allow it to happen. They'll modify core protocols like in the case of TCP/MS, tie certain components to windows dlls, and require MS Back Office software like SQL Server and Exchange to fully enable certain functions. What good will an open source C# compiler or CLR do when MS keeps changing the underlying protocols to make it Windows-only?
To see where MS is going, have a look at the newly release Sharepoint Server. The goal is to replace HTML/DHTML/CSS/Javascript/Applets with a proprietary binary format for content delivery. Basically, MS Office over the web. And for it to work you need to be running Windows and Office XP on the client. So much for the cross platform web.
It's this kind of thinking that gave us the CodeRed worm in the first place you fool! Sorry to flame you on this one, but it really doesn't make any sense. That's like telling a new home buyer that they their doors allow easy entry and exit from their home, but the homeowner will need to install their own security devices (locks) in order to protect themselves. Guess how many new homeowners would laugh in the face of the builder if they heard that?! The locks are obviously not fool-proof mechanisms for security, but the simple fact that they're there dissuade most civilized people from trying to 'break and enter.'
... an article i read many years back on HTML and why it was so darned complex (!) the author relived the glory days of some proprietary document formatting language that had been used internally by a past employer and his conclusion was that people should start using that instead. The author might've been Cringely, for all I know.
Look, raw sockets in windows are not the end of the world: they're available already, open source (http://netgroup-serv.polito.it/winpcap/), and you can run them as a non-privaleged user. In as much as MS have a concept of privaleged users.
Even if they weren't, there are SO MANY possible security exploits you can run using a small army of 0wn3d windows boxes. Including (but not limited to) just packeting the crap out of Steve "Bloody" Gibson's webserver. For instance, has anyone considered using something to script the IE network libraries (COM objects, I would imagine) in the background and launch a 'many millions of perfectly valid requests, complete with cookies and everything' attack?
How would you defend against that?
This whole raw socket thing has been blown out of all proportion. Can we please stop fretting and find a way of PREVENTING these big attacks from being spread. Or possible. Or something.
Dave >:(
I write a blog now, you should be afraid.
I'll drink to that.
A little sloppily though...
IIRC, Steve Gibson is not the author of ZoneAlarm, and doesn't work for Zone Labs.
Information wants to be beer.
Right! And now all we need is a campaign to get the collective net admin attention.
How about making a humorous, yet very pointful campaign (like "if you don't check your packet sources, you may be ROUTING COMMUNISM") and advertise/discuss about it in high-profile geek sites (I hope I don't need to list examples) and on magazines read by the net admins.
=)
Those are four DAMN good ideas.
nuclear presidential echelon assassination encryption virulent strain
Whizzmo
The sun never sets on the Microsoft Empire!
Am I the only one who noticed an insane amount of sarcasm dripping from this article...?
Someone needs to write some viruses that do the following things:
1) educates -- infects your computer and gives you
a multimedia presentation on flaws within "Hi! I'm Victor Virus!
I'm an Outlook Virus. How did I get in your machine?"
2) secures -- "Would you like me to install a Zone Management
package?"
3) explains alternatives -- "Did you know there are other alternatives
to Microsoft?"
4) Highlights Microsoft abuses...
Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
...but you actually usually have the option. Example: you can run c:\apps\program.exe OR you can run c:/apps/program.exe. This definitely works in NT 4 and Windows 2000; I can't comment about Windows 9x because I can't remember the last time I used it. You can start up Word using winword.exe /nd (to suppress the blank document) OR using winword.exe -nd (except I think they took that parameter out in Word XP; but it works in Word 97 and 2000).
Yes, there are most certainly incompatibilities, subtle and blatant. But let's also remember that one of the great things about standards on the PC is that there are so many of them to choose from. If you wanted to share information 10 years ago with someone who used a different word processor from you and you didn't use a Mac, well, the very best of British luck to you. One thing Microsoft did do was to start introducing some measure of interoperability in the PC software world. By all means, let's hold them (and other vendors) accountable for their less-than-stellar concepts, but let's at least get the facts straight.
And here I am apologizing for telling the truth and defending Microsoft. Oh dear, oh dear, oh dear.
There seems to be a lot of confusion about this.
Raw Sockets allow someone to send forged IP packets (spoofing) that appear to come from any IP address the sender chooses.
This makes filtering a DoS attack harder, because you can no longer filter the traffic by IP or domain.
So, right now the limited defense in the DDoS zombie attacks from Windoze is the fact that the IP packets have valid source addresses. These can be filtered at backbone or ISP provider routers.
If these attacks used spoofed IP packets, there would be no easy defense.
Because the majority of people are computer illiterate and do not distinguish the difference between "computer" and "Microsoft Windows".
Beware, Nugget is watching... See?
Moron... All other affected clients use the same MUA DLL as Outlook. A Microsoft DLL
Once a virus is detected, software can be written to clean it and possibly prevent its further transmission. These days, the delay between first detection and anti-virus software is usually a few days.
The more time a virus spends lying dormant or slowly spreading, the more time there is for someone to find it and spread the word. There are a small number of highly secure systems run by highly paranoid sysadmins who do things like compare all files to known good copies on a regular basis and log all network traffic. Even a quiet virus will be detected if it attempts to spread to one of these systems. If the virus attempts to infect something like a Honeypot, it will be detected. And then, the game is up.
These virii are only effective against the uninformed. The slower it moves, the more time it gives information to spread.
Everybody gets free BORSCHT!
All life is a blur of Republicans and meat.
I just accepted provolone into my life.
I believe in wash fulfillment.
We aren't talking about NT or 2K here. This is related to XP, which has all the security benefits of Win9x. Everyone is root. The power switch is the security button. Pull your nose out of your Cosco special MSCE bundle books grab some fresh air. The simple point of the fact is that most consumers don't understand security. Period. That would make Windows too difficult.
How many times have you heard your neighbors say:
- "Oh I don't need security. Nothing on my computer is that importatnt."
- "Why do I have to click through so many warnings just so I can view this attachment?"
- "Why can't they just stop writing these viruses"
- "Can I have my lawnmower back?"
Schooling as you refer to it is the ROOT of the problem here. Just because you are MS certified, it does not mean you know shot about networks. The technology is only 49% of the equation. 51% of what you do is based upon the policies you implement. The fact that you posted as an A/C further weakens your stance.one better than mcleodeight
And they are powerful advocates and if MS ever fixed everything they'd be gone.
See this way everyone is happy and employed.
And the user takes it up the Khyber Pass
'There is a Light that never goes out.'
never is a very long time.
What are you talking about ? Have you ever been schooled on NT permissions before? Not only does NT stop ordinary user accounts from doing things like you describe, it has an ACL subsystem decades ahead of anything Linux is offering at the moment.
So quit spouting anti MS FUD. Sure Win9x doesn't have "security" in the access/token kind of way, but NT sure does. And why does it matter that UNIX stops normal accounts from accessing raw sockets. Most exploits out there are to gain root access, so you can do anything anyways. And how many interactive NT multi-user installs are out there? An exploit is just as dangerous in either environment.
Yes, you've been schooled. Better learn some stuff before you show your face here again.
My father used to work for a news wire service, back in the era of Baudot (5-level) teletypes. He could read and edit a news story directly from the punched paper tape.
Mea navis aericumbens anguillis abundat
This somewhat misses the point of traceable TCP. It doesn't matter whether we catch the bad guy, what matters is that we can stop the flow of traffic to our overloaded site. Untraceable traffic cannot be effectively firewalled against.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
Read grc.com he'll tell ya all about it.
Yeah, but that doesn't make you more ready of a victim, it just means that if someone sent you a virus to zombie your machine for a DDoS then they could spoof your IP too, IE, who cares?
Raw sockets allow the programmer to shape the packet to be sent out himself. You can do things like set the source ip, dest ip, and other interesting things. TCP and UDP are what is considered the alternative, and in 90% of cases there is little reason that you shouldn't be using one of these protocols.
/are/ a part of the internet and Windows has an incomplete TCP/IP stack until it gets added. People used to complain that it doesnt, and when they add it they complain that it does have it. sheesh.
I think the biggest reason people are screaming about it is raw sockets shouldn't be allowed because theres not much need, but they
Anyway, If more routers would implent filtering I would imagine a lot of DDoS attacks would be prevented more or less the way speeding is - you can do it, but eventually your going to get caught. But until more administrators become informed that filtering is the solution, not much will happen.
As for the cases that it is useful? They can either find a way around it (like you can already use raw sockets in windows 95, but its just not easy), or they can redesign the protocol to be more friendly.
If you're trusting the network without doing any proper checks, that's your problem. Somebody could plug in his own PC and start spoofing IP packets _today_. The release of WinXP doesn't change that.
What about the 'only root can use ports 1024' feature of Unixes, which Windows doesn't implement? Does that mean that Windows is a security threat? No. If you're being so stupid as to trust the originating port number, you deserve everything you get.
Egress and, er, ingress filtering around the edge of your network may be good enough most of the time; it doesn't protect you against PCs inside the network starting to spoof things, but you may feel you can trust your own employees (and don't let them run Outlook).
-- Ed Avis ed@membled.com
Speaking as someone who used CP/M back in the day (okay, dammit, it was 20 years ago), CP/M (at the time the IBM-PC came out) didn't have subdirectories, didn't use / for options, and used Control-D for an EOF marker. I'm not 100% sure about text file end of line control codes (this is a *long* time ago), but I don't think I had to do anything fancy between Apple ][ and C64 formats and CP/M, and certainly nothing fancy for big boxen formats (of course, at the time, transfer protocols like Kermit and Modem7 handled such things).
Now, this is the dim memory of someone posting at 2:30am (and too damn lazy to do a google search), but I accessed plenty of Unix boxes (and VMS) at the time, and didn't have file format problems, so I'm guessing that it was the same.
Anybody else remember Magic Window for the Apple ][? Or the original WordStar. Wow. I'm seeing amber all caps when I close my eyes...
--
Evan
"$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
He didn't say that raw sockets have anything to do with the spread of MSTDs. They're two distinct but related issues. His point is that MS OS's are generally easier for script kiddies to get into, and that raw sockets will make compromised MS systems much more dangerous.
Netscape 4 requesting from IIS is markedly slower than you'd expect by looking at relative performance on Apache with NN and IE. But it's not illegal, just ethically grey
Hmm, I wonder if that was because of a decision made by Netscape, a decision made by Microsoft, or just bad luck.
The shareholder is always right.
Not that much more dangerous. Yes, smurf becomes a possibility (allowing DDOSing more than one site at once) but you filter it out the same way that you filter out any other attack-- at the upstream routers and secondarily at your firewall... Raw socket access is no big deal really.
LedgerSMB: Open source Accounting/ERP
Wake up. As a (UNIX) programmer I can assure you that none of the delusions in the article will occur. Several others have pointed that out. SOCK_RAW isn't exactly going to aid virus writers all that much, and the very thought of MS replacing TCP/IP is a paranoid delusion. Don't get me started about how all that nonsense about loss of privacy was just tacked on.
By default with the Internet Connection Firewall in XP enabled (which it is in tons of common install scenarios) it will block outgoing connections with a spoofed source addr.
Hey guys, this is somewhat unrelated to the stuff in this conversation, but it's about M$ vulnerabilities, so I'll ask anyway.
If we all set up out webservers to send a ping of death or some other blue-screen/reboot DoS attack automatically to anything that shows the signature request of the IIS worm, wouldn't that help to at least slow the spread of this thing?
The shell script to tail the log file and run a script would be pretty easy, but does anyone have anything tried and true for Linux/UNIX that will force a reboot of an affected Win NT/2000 server?
At this point, I see this as an eye for an eye, I'm kinda tired of all don't patch their systems despite big media attention. Besides, it'll definitely give me a sense of satisfaction to confirm a kill when the server doesn't respond to an automated regular ping a few seconds later.
Fire and Meat. Yummy.
You'll also need to find a judge that has enough balls to declare a portion of the EULA null and void due to the extremely extenuating circumstances of the problems caused by negligence in software design... or lobby your state legislature to enact a law stating that any software licenses sold in your state cannot have such a hold-harmless clause in it and the maker can indeed be held liable if found negligent in something that causes widespread public harm. Look at what they did to big tobacco and are also trying to do to firearms manufacturers.
Not the sharpest tack in the small box in the drawer, just doesn't have the same ring...
Jaysyn
There is a war going on for your mind.
In particular, to make program not do something that it shouldn't one doesn't need to rely on the protocol that is security-neutral anyway (the other end can be malicious even if you aren't) but should place restrictions on the processes on the host.
Capabilities system, that now can be used to manipulate processes' abilitites to use raw sockets without making them run as root at the same time, is one of the examples how it's done in the kernel. While I am sure, neither RXC, nor Microsoft engineers looked a it, Linux already implements it and even had a sendmail security bug related to improper implementation of that.
Contrary to the popular belief, there indeed is no God.
(a) The content industry will get right behind it, if it makes file transfers traceable and allows file sharers to be brought to "justice". That's AOL Time Warner and Sony on the bandwagon.
(b) It is likely that if a universal authentication solution appears, it would be eventually made a government-sanctioned standard, much as they're attempting to do with secure media formats, the government being beholden to the content industry and all that.
At least as far as the GP knows (or most PHBs for that matter) Cringely has the highest profile of any single person wrinting about the Net today.
I agree that this sounds like an acid-induced rant. *Except*: He cites good sources in MS. He, of all people, has access to Deep Throat(tm) if he/she/they exist.
So, what is the strength of the sources?
And what does the Samba team think of the idea? Packet mangling and reverse-engineering MS stacks is their home turf, I think.
pah-LEEZ, ip4 and ip6 can coexist on the same wire, with gateways, dual sites, 99% of the people using the internet would never even know there was a switch from ip4 to ip6.
The current Slashdot moderation system is made by gay communists!
You can create a limited user on the Home Edition. But like every linux distro I have used it creates an Administrator (aka. root) account first so you can actually create those limited user accounts. Please actually use the product before you spout out a statement as a fact when in fact it isn't a fact.
Silly Rabbit...Sig's are for kids.
I think you are the one who needs to be "schooled".
The problem is that most network admins are lazy/stupid/too busy. Spoofing is almost trivial to stop (just block the egress of packets not from your addr range), and all routers I know of can currently perform spoofing protection.
Despite this, most networks allow spoofing. Why? Because its another step that people don't have the time to do. Its the same reason that people run windows, its just easier to do it.
Perhaps when everyone is tech savy, or when laws get passed requiring a duty of care things will get better, but until then expect the path of least resistance to be followed (the one that doesn't include turning on "spoof protection").
This is not true. If users run the built in Internet Connection Firewall that comes with XP (which is enabled by default in tons of situations) then it will block outgoing connection attempts that try to spoof the source IP.
Netscape 4 requesting from IIS is markedly slower than you'd expect by looking at relative performance on Apache with NN and IE.
I'm not so sure about this. While experimenting with Squid's user agent logging facility to see who was running what browser on my network, I noticed that MS Internet Explorer actually claims to be "Mozilla 4.0" - go figure.
I can say for certain that Microsoft's support web site does not tolerate unknown browsers graciously at all - when confronted with Netscape 6.0 beta or a Squid anonymised user agent string, it got stuck on one page redirecting back to itself...
How about you convince Cisco to come up with some technology that doesn't make the router keel over when you apply these filters at > OC3 speeds?
-BAlmost right. CP/M ran on the Z-80 and 8086 (The version was called CP/M-86). MS-DOS was meant to run on the IBM PC which were 8088 machines. The 8088 was a scaled down version of the 8086.
The Economics of Website Security
oooooh you're l33t d00d!
We're running IPV6 already with other universities over i2 and I don't see this happening on a large scale for at least another 10 years (and personally, I doubt it will ever happen without some intervening step like a IPV4b or MS/IP...)
The wheel is turning, but the hamster is dead.
I'm surprised no one brought this up yet (or maybe they did, and I didn't read closely enough, and deserve to be beat with a stick), but what's this bollocks about needing raw sockets in XP to be backwards compatible with 95,98,ME? I thought the big stink about XP (besides the possibility of millions of untraceable no-see-ums hammering your server) is that it will be the first mainstream OS to give built-in full raw socket access to any joe user and the programs he runs. How are they necessary for compatibility with Win9x programs, which never had access to them to beging with?
Caveat Emptor is not a business model.
If you're not using Linux now, you should be.
But I've used it before, and I think it sucks. Really sucks. Sorry, use it yourself.
Like the abused wife that toddles on back to her jerk of a husband, so the users return to Outlook, because "this time it will be better" and "I don't know how I could possibly function if my calendar and e-mail client were two separate programs."
Ok you had me untill this part mate, and that's going way too far. Sorry to tell you, but the hassle of deleting and not opening annakournikova_jpg.vbs doesn't quite compare to some woman getting beaten by her husband. Not to mention the fact that it's nobody's fault that you get a virus except the prick who wrote the virus. Not microsoft's, and not even your less pooter-savvy mate who thought he was gonna see anna's tits. If enough people used a standard linux desktop for it to be worthwhile, more people would write virii for linux. As linux's popularity grows, so will virii begin to appear, or I'll eat my hat.
Send lawyers, guns, and money!
You know, I thought the same thing as she did in the past. I'd worked for large companies and I knew how incompatibilities cropped up and it was just from engineers being distanced from their customers.
..someone took it out) CR/LF instead of NL. ^Z as EOF. blah, blah. I wonder how many of these are deliberate?
Well, I was chatting with an ex-microsoft employee who had moved over to the white-side and he put things in perspective. Microsoft has strategic meetings where they sit around a table and say "how can we own this?"
That put a different light on all those subtle incompatibilities I had always had to deal with.
Backslash instead of slash in paths... / for options instead of - (remember switchchar?
yeah, i think you're missing the point entirely. try the term 'altruism' at dictionary.com...
A: None. The Universe spins the bulb, and the Zen master merely stays out of the way.
Of course, Cringely takes this already dubious theory and mangles it even further into something that makes very little sense whatsoever.
The difference is that real operating systems (i.e., *nix), prevent ordinary user accounts from getting to the really low level / powerful things, like SUID programs or raw sockets. Windoze takes the "What me worry?" approach to segmenting user privileges, and that is where the problem lies.
Yeah, right.
"Cringely" and Dvorak keep saying, "No, seriously, shutdown the Internet and replace it with something secure."
They're missing the first law of complex systems. I can't remember the exact quote, but it goes something like:
All complex systems that work began as simple systems that worked.
You can't replace today's Internet, the result of decades of evolution, with something purpose-built from scratch to do as much. The attempt will suffer from the second-system effect, and just plain won't work.
It's easy for a columnist to ask for something drastic. Too easy. But it sells papers (or click-thrus, or whatever we're selling today).
Stupid job ads, weird spam, occasional insight at
Do you really think IPv6 is going to make that much of a difference? If someone's XP box is hacked and used as a DDoS drone, the packets the machine sends will be still be routed back to the Internet since they will still have valid source addresses. The router won't know that they are evil packets. It's true that their destination might be easier to trace, but what does it help when the source turns out to be some little old lady's droned windows machine?
On a different note, IP spoofing could be stopped all together if most network admins took the proper safe gaurds. If a packet is recived by a router that came in over an internal interface, it should not be forwarded out to the Internet by the router unless it's source IP matches one of the local networks internal addresses. The problem is that many network admin's don't block this traffic since there will be no real gain for their network. Neither the speed nor the integrity of their network will gain by droping these packets so many admins don't see any benefit.
Droping packets that don't have valid source addresses is very easy with Cisco IOS software and/or IP Tables, people just don't configure routers properly. IPv6 isn't going to help any if their are still administrator who don't know which traffic should be forwarded over each interface of the router.
So what if the attacking boxes spoof their IP? If some poor site is getting DDOS'd from 500 sources, do you really think the admin is going to build a filter based on 500 individual IPs? And do you really think the kiddie who is launching the attack cares if the 500 trojaned boxes are identified?
The real reason why you should be afraid of a complete sockets implementation in Win XP is because it opens the door for TCP SYN and ACK flood attacks.
If he did write it, it would be about 300k, and it would do absolutely nothing. Didn't you read about the latest DDoS odyssey he is involved in?
Anyone who cries for mercy to the internet script-kiddie community at large, obviously isn't the guy you want to build your internet security product.
If you want a great firewall, use emBSD (http://www.embsd.org/). Nobody would consider saying it's not the most secure firewall/router you can have.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Sorry, I had a typo in there - it should say "Linux is *not* going to go away".
That should be clear from the surrounding context but let me stress it before you jump on that.
While I'm at it let me reiterate the main point:
TCP/MS = IPv6
Maybe Cringely's contacts have never heard of IPv6 and think MS invented it because some of its main architects like Christian Huitema work there.
Then again, after this Pulpit, using the word "think" in the same paragraph as "Cringely" should probably be a misdemeanour.
Windows XP come with a firewall.
The only way I can explain it is that most people use Microsoft software, and what we use must be the best, right?
I don't want to get modded into the gutter, but doesn't this describe *nix users just as well as it does MS users? Look at the BSD vs Linux wars. It's human nature to believe that you made the right choice. Maybe that's why we are so hateful toward Microsoft. Because they're not what we choose to run. I'm not saying we should all run and and buy from Bill, but it might help us be more tolerant of MS users.
THIS SPACE FOR RENT
I don't know about you guys (and gals), but last time I was at this tiny web site for a tiny computer manufacturer, I had the choice of Win98 SE, WinME, Win2K or Win2K with an upgrade to WinXP. That doesn't sound like manufacturers are limiting my choice of viable Microsoft operating systems to me.
People wouldn't be forced to participate, but if they remain anonymous, I might choose to block them. I certainly wouldn't accept file attachments from them. I know you hate this idea, but I think the Internet needs a fingerprint.
Hmm... And who would control this "fingerprint"? Our beloved government, who is trustworthy? A large computer corporation like, say, Microsoft? And how would something like this work internationally? Who is forcing you to accept attachments now? I run Win98, WinME, Win2K and WinXP all on different machines. Over the last week, I've been sent about 10 emails with both SirCam and Badtrans, and none of my machines are infected. Why? First off, I didn't open the attachments right away. Second, I tested the attachments by saving them and then scanning them first. This is not a difficult concept! If someone puts a big package in your mailbox at home, and it's ticking, do you just open it up if the return address says it's from someone you trust?
You can choose not to have a fingerprint, but then your ability to communicate with others may be limited -- a price many people may choose to pay.
This is endorsed by the same crowd that bitches about MS Passports?
If kids want to install an Internet game, the game's IP port would be registered and permitted to operate, hopefully by the parent.
Why can I not see this happening in the general population? The average users I know bitch about having to confirm Internet activity when Zone Alarm or other personal firewalls pop up and ask.
Programmers who ought to be familiar with Microsoft's plans have suggested that the real motive for raw socket support is for Microsoft to use Windows XP to exploit a bad situation, to deliberately make things worse.
Jesus, what a conspiracy theory. This guy gets paid for this?
Move along, Cringley. Common sense tells us that you're just spreading FUD. Meanwhile, I'll get modded down for criticizing you, I'm sure.
--SC
You read fiction? I write it! Lemme know what you th
I think most everyone here is missing the point. Yeah, he's way off on the technical bits, but that wasn't what I got out of the article. I pretty much ignored that and was surprised to see everyone basing this discussion on that. What struck me was the idea that MS might deliberately make things worse, as a sort of mass DoS attack, in order to then introduce proprietary extensions to make things better, but ONLY between Windows boxes. It's a little crazy, but possible. It's also classic MS embrace and extend, just on something we're not used to thinking of as a possible target.
I think he's right about one thing: MS software will (continue to) make things worse on the internet. But I don't think it's out of malice, just greed (takes more time to make things secure, gotta ship now now now!) and a little incompetence. Even so, don't let the technobabble get in the way, it's an interesting theory.
You can already do this. You can trace email. You can block email from those you don't know. And this system won't work to block email worms because usually they come from people who you know.
Caller ID, like rdns mapping of incomming ip addresses (cumbersome) etc. You can do this sort of strategy on so many levels... Of course someone who says that Linux is safer than Windows on one hand and that raw sockets are dangerous evidently is simply paroting what he has read and not actually studied the matter. Has he heard of any sort of authentication service or tactic? That is what these are about and of course many people do block people without the proper credentials from access to their networks ;)
Raw sockets exist in Windows 2000, and I assume that it has a bit to do with the FreeBSD code in the TCP/IP stack... This code has helped to make Win 2k far more stable on a network than its predicessor, IMO. If they are such of a problem, why not acuse Linux or FreeBSD of the same problem...
He also states:
And what's with those file attachments, anyway? Replace mail clients and APIs with secure models. The new model will not run attachments as they do today. E-mail attachments should not have access to the e-mail client, APIs, etc. Attachments should not have access to the operating system by default. The user should approve the use of some APIs, like having to give permission before device drivers are updated.
This guy is out to lunch. It is simply sufficient to limit user privilages and require them to export the attatchments before they can be run.
The only e-mail activity on my PC should be initiated by me, personally. Nothing else should access my address book or send out messages without my express permission. Microsoft will of course reject the idea, mostly because it will fail the "increase market share litmus test." My answer is, "Microsoft, if you do not take responsibility for locking down your APIs, it will become obvious to the public and become a detriment to your market share."
Which Office XP does quite nicely. Of course SirCam bypasses these controls and sets up its own smtp server... YOu cannot get around it totally. I am no more a Microsoft fan than the next guy, but this buy is a bit over the top...
LedgerSMB: Open source Accounting/ERP
...maybe
If MS took off with their own protocol, there are bright enough minds in this slashdot, Linux, nonMS community to reverse engineer enough of the protocol to get around on it if we wanted. The new underinternet with less traffic might be nice.
...I don't have enough faith to believe in the "big bang"...
This scares the CRAP out of me. Not because I do something illegal, it's just that I may do something that some corperation doesnt like and soon I'll have the FBI knocking on my door a la Dmitry. I just hope to god that enough people will figure this out before microshit passes it off on the public so we can protest the HELL out of it.
I'm really starting to get sick of microsoft taking open protocols and adding 1 little thing to break functionality, completely shattering the whole reason for them; interoperability. Maybe they'll be declared a monopoly before that. If they try charging to use the "tcp/ms" stack under linux you're sure as hell going to see lawsuits pop up left and right.
Here, here!
???!
So says gibson. Why does that make things easier? Have you ever set up a screening router? You can filter out whatever you want...
LedgerSMB: Open source Accounting/ERP
I consider myself lucky that I first received Sircam from a total stranger (through an address in their /. browser cache) instead of from someone I actually knew.
If you aren't familliar with SirCam, it sends an infected file from your computer and incorporates the name of the file into the email with a vaugely appropriate message body.
If my boss sent me an email saying "Hi, How are you, I need your advice on this, Thanks" and it was titled "Business Accruals.xls.pif" and I didn't know what a .PIF was?? I can understand why it has caused as many infections has it has.
Backing out of anecdote into the real world, it took me 5 minutes to explain to my boss how to recognize an email virus. It is very frustrating to end-users who have to be very careful opening up email from people that they know, opening files that look like it should be for them.
Actually, it's almost certainly the case that these things get started by a very small number of anonymous messages. So an option to refuse to open attachments from folks not in your address book, coupled with the default for that option being to have it turned on, might actually do a significant bit of good.
>But I saw plenty of businessmen and secretarial
>types using MS-DOS, Lotus 123, WordPerfect and
>TurboTax (remember them?) to get their jobs done
>just fine, char-mode and all. True, they knew
>just those commands that they used every day:
They memorized those three commands because they *had to* to do their work.
Now they don't.
You think they're gonna go BACK?
Now who's spinning?
-l
Gibson constantly plugs Zone Alarm, so it's not suprising that people who don't read carefully would think that Zone Alarm is a GRC product, not a Zone Labs product.
If Gibson wrote Zone Alarm, it'd look as ugly as hell, have lots of BIG and alternating fonts, but be less than 300k in size, written in ASM, and fast as hell.
Why does she have a computer? She is obviously not willing to learn how to use it.
Geekizoid: The Small Shiny Things Network ©
Gobble a dick!
I love the irony of your .sig, its great.
And people who hack other machines to do spoofing usually get to root if they get any normal user account.
.scr .bat .doc .vbs or any of the other alphabet soup of scripting engines on Windows will have full rights to do anything! Couple this with the known history concerning the security of products such as Outlook and IE, and you're putting together the formula for a disaster.
Ahh, now that is a good point. On a Unix box you must hack into the root account before gaining access to the raw sockets. On Windows, there's no need to do anything of the sort. Heck, today it'd take you about 15 minutes to work up a hack in MS Word that can write any darn thing it likes into your system registry, no restrictions.
What is scary here is not access to raw sockets. The issue here is unrestricted, no protections, any
Heck, Microsoft has already commented on this very issue. They are already blaming those nasty virus authors for the coming up screw ups. (my apologies for not having a link, read this one a couple of months back.) Even they know it's going to be bad, but yet they are still moving forward with this.
Lastly, keep in mind that we're not talking about NT or 2000 here. Both of those OS's have the ability to run as either an admin or a regular user with limited abilities. We're talking about a version of 2000 that has had it's securities stripped so as to be compatible with ME (aka, Win 95 Version 5).
The line must be drawn here. This far. No further.
I like "not the sharpest tack on the floor."
Actually, I've heard that IPv6 is not popular because none of the current backbone equipment will switch it and no one wants to be responsible for conversion from v6 to legacy IP...
If MS's implementation is buggy/not compatible, then it probably won't work through any switches or routers, and they will have to change it. IPv6 does have some provisions for vendor specific fields, ala Kerberos, but that'll go over about as well as MS's TNF email format (read 'not at all'), esp. in such a wide open environment as the 'net.
After all, it's not called the INTERnet for nothing. However, I don't doubt that they will be able to push their proprietary extensions into corporate environments, but they really already have done that (SMB & MAPI).
The reality is that TCP/IP is really too low level for MS to worry about. There is no added value to controlling packets, only the payload, which is why they are pushing
Chris.
-- I don't have a cool sig.
Remember the phrase "Netscape Enhanced" ? (Slashcode won't let me write it the way it's meant to be written, with embedded <font> tags)
Even back in 1996 or so websites already had set up CGI scripts to do things like kick out Mosaic users and only let in the Netscape users, because they wanted to use all of Netscape's non-standard HTML. I seem to recall that even the U.S. government did this!
Microsoft wanted IE users to be able to view all of these "Netscape Enhanced" websites. Their only choice was to mimic the User-Agent header of Netscape Navigator, which has always been "Mozilla X.X".
where there's fish, there's cats
And my point still stands. Gibson claims the problem is going to be hackers breaking in and using the raw sockets to spoof packets. Either that or end users will install XP and be able to spoof packets.
First, a hacker breaking in. So a hacker breaks into a "home" machine without security permissions on the raw sockets. Now he/she can forge source addresses. (This ignores the question of why they would want to since more often than not forged addresses are used to hide the true source of an attack, and this wouldn't be their machine). Ok, point granted.
But now is the crux of the situation. A user breaks in to a "secure" environment, such as NT. Of all NT exploits, how many yield System level (ie root) access? *VIRTUALLY ALL!* So the problem remains the same. Hacker can still use raw sockets if they choose.
Let's look at UNIX, with similiar access controls as NT. Sure, there are non-root exploits out there, guess how popular they are? When breakouts happen, its with the newest root exploit. Guess what. Hacker can spoof addresses.
Now, think about a user such as myself installing XP at home. I will certainly have system level/admin privelages, so of course I'll be able to spoof an address, and if I was malicious, I would actually have reason to, since it is my own machine I'm sending traffic from.
The point is, whether or not the OS in question has security tokens on raw sockets is moot, because once someone breaks into your machine, they will have system level access anyway.
Booyah!
Cringely makes a very astute observation: How did MS manage to avoid having all those VBS viruses tagged as MS Windows viruses or MS Outlook viruses instead of "email" viruses?
Laws affecting technology will always be bad until enough techies become lawyers.
You're probably a gamer.
It does suck for games.
All I can say is that it's gotten better - way better over the past year. Grab the latest RedHat or Mandrake or Debiam and screw around with it.
A *lot* of people got a bad taste using crappy early versions. Bad first impressions are hard to shake...
My own Windows install died (again) a couple of months ago and I really don't care at this point.
Be sure to grab the latest Mozilla - It seriously does work as well as IE. If you're using the Netscape 4.7 that comes with all the distros, the web will be painfully ugly.
Pretty much if you have your heart set on using Windows, go with it - I can't change your mind.
-- My Weblog.
All right, consarnit, I've had just about enough. I've been listening to you geeks fight with each other about this Intranet for a while now, and I'm just about fed up. Some of my boys have been telling me to just let you guys fight it out, but I really don't see any progress. It's inferurating! I didn't stand for this kind of crap at my former job, and I'm sure not gonna stand for it now.
So here's what we're gonna do. We're gonna split the Intranet right down the middle. That's right, the whole dang Intranet, from Wahoo to The Amazon's, right straight down the middle. And don't you be like some of my guys around here, telling me that it's "impractical" or "impossible", or that "I have no clue how the Intranet works", cause I don't really want to hear it. I've had enough, and it's time to take action.
So like I said, straight down the middle. One half goes to that Billy Gates guy up there in Seattle, the other goes to you Linucks guys. Now, I understand that there's not one guy in charge of Linucks, so I'd suggest you form a committee to handle it. If you need some help with that, well, drop me a line, and come on up for some help: if there's one thing I know about, it's committee's.
So anyway, one half to Billy, one half to Linucks. Both parties will be able to run the Intranet however they want, and we'll let the American People decide. The American People deserve the best, most great Intranet they deserve, and it's high time we let The American People decide the future of the Intranet. It's simple economics people, like you learned in college, the Law of Diminishing Returns! Adam Schiff himself would be proud!
Signed, George W. Bush
AOL/TW own vast content holdings, which are at risk from file sharing. Now it's MP3s, but as broadband spreads, DivX files of movies will become a massive problem. It would be in AOLTW's interest if the anarchic design of the Internet was replaced by one which enforces accountability and traceability. And if the content industry push it hard enough, we may see laws mandating traceability in TCP/IP, preceded by a campaign in the AOLTW/Murdoch/Vivendi/Bertelsmann media about how child pornographers are using the Net with impunity and nobody can stop them.
By default if the Internet Connection Firewall (part of the OS and enabled on almost all scenarios by default) is enabled it will block outbound connections with a spoofed source. Problem solved. No end of the world.
MS owns a huge segment of the media. What they don't own, they have unimaginable finacial control over. And as for the rest, backroom deals takes care of. Remember that what MS is doing helps the major media maintain there exclusive control of information. Have you not noticed the continued refrence to 'anti-competitive practices' as 'illegel comingeling`? Have you ever wondered why even anti-MS articals in the major media is more appolojetic then negative. You can bet that nothing gets published without being cleared by MS. I have talked about this in other posts.
Think video phones, dude.
did you read the whole article? passport sounds like a step towards what he's warning about.
then they wouldn't need to do this would they?
Summation 2
That made my asshole pucker! Talk about a nightmare situation. Does anyone remember DecNET? There was a failed protocol.
--- Think of it as evolution in action ---
Hasn't microsoft already brok^H^H^H^H embraced-and-extended TCP/IP lots of times before?
There was a time when Sun servers responded "slowly" to windows HTTP requests because microsoft changed the behavior of TCP slowstart, etc...
I'm sure there are other examples.
I wonder if dude here has ever heard of PGP? It seems to work for me, things that are signed by people that I trust, I open. If not then I want to know some good reason why I must open it.
If we look at the fact that _at_least_ 65% of all servers out there are non-MS products the TCP/MS protocol (being hypothetical) point would be moot.
We should all know by now that Outlook is a scourge on the face of the internet, and that XP will open the world of for dDoS attacks like we've never seen but hey, a good firewall works wonders (granted, a worm that works on server connections and actually downloading content would be twice as crippling).
J
Hire me...
This one will too someday. I hope to live long enough to see it but if not, I'm sure that the parties responsible for all of the lies, greed and hubris will pay for it in the end. As John Lennon put it, "Instant Karma's gonna get youuuuu."
"Klaatu, verada, necktie!" -Ash
Lets face it, even MS has learned that the space they want(the internet) runs on TCP/IP(standard). Their proprietary protocals have been nothing but a hinderance to them. NetBeui, NetBios, WINS are all being phased out in favor of internet standards like DNS, LDAP, NFS.
/dev/null
They might try their usual embrace and extend crap but, it will be to their detrement. Contrary to Cringley's thoughts, major organizaetions are not willing to upgrade the IOS on hundreds of routers just to satisfy MS.
TCP/IP has changed, look at SSL, IPSec. The security is already there. You just have to use it properly. Furthermore, in a few more years IPv6 *will* be implemented on a wide scale. This will provide the necessary control, while still providing the relative anonimity that we hold so dear.
Of course, none of these messures will make Windows anymore secure. The fact is that if you *still* can't learn how to make software that will properly handle a buffer overflow, YOU WILL BE OWNED!
Cringley >
There's more cost to using M$ software than just the thousands of nickels many pay them. You warez it because it's "needed." Why, when there are open alternatives (to a great degree)? It's probably what's called "network effects" -- you need what everyone else is using to be able to share stuff with them (and also to maintain easily transferrable skills). But your use of M$ stuff propagates this dependency.
I don't say this accusingly at all. I'm not free myself, due to the contacts/environment I have. It's just something to be aware of so that you consider it when an opportunity comes to break free. And one can keep trying to influence the decisions of those around them -- to lay out the entirety of their options, and the full consequences of their choices, of which they probably aren't aware.
What you say is true. However, it can be a lot harder to implement egress filtering if you are a transit provider. Even worse if you provide connectivity to other transit providers.
Of course, the answer is to implement anti-spoofing filters from the leaf nodes of the internet toward the root. Unfortunately, the outskirts of the net are not home to the most competent/informed administrators.
Cheers,
Si
More to the point, in an article bashing microsoft, he's described passport pretty much exactly.
*Cough* And what's the default install for the Consumer edition of XP, the default that the average user will not even know to change? Why, no acounts, of course.
1. Microsoft wants to shove a new protocol down everybody's throats (called "TCP/MS" here for convenience sake)
/Passport servers and everybody will always know who you are because you ain't gettin' in without a credit card. From which we will be performing a cashectomy each month. Along with all your personal details. Trust us. Heck, it's what our ads tell you, isn't it!
2. easiest way to push the new is to eventually break the old. easiest way to break the old is the ship new versions of windows with the stacks' legs wide open so the hackers see nothing but forests of available holes. Wham bam thank you mam times powers of ten = happy DoS script kiddie and the eventual signal/noise death of the Internet
3. At which point American Businesses wail for their lost bandwidth, AOL cries for more paid connections and the FBI sternly insists that terrorists and child pornographers will be shopping at Safeway tonight if John Law can't look at every packet crawlin' down the wire and know its exact origin complete with social security number and DNA sample.
4. Captain Microsoft to the rescue! With TCP/MS, we can offer higher grades of service for deeper pocketbooks with our prioritized packet handling, authenticated connections with our Hailstorm
Meanwhile...
anybody for the resurrection of Fidonet?
I used to respect this person but now I have to wonder what kind of technical background he has and if that background is backed up by ay sound reasoning ability. I remember watching conspiracy theory in the theaters (You know with Mel Gipson). That had some pretty crazy ideas but this is just nuts. At one point in this article he suggests that everyone loose his or her anonymity. Then at another point in the article he criticizes Microsoft for their supposed protocol, which will remove anonymity. This article seems more like a rant by a frustrated Windows user than an actual intelligent discussion on the security problems of Windows.
If someone suggested this on Unix, people would just laugh - 'lose the ability to script my whole system using my favourite glue language; no way'. Why it seems any more appealing on Windows, I have no idea.
Simple: The common Windows-users doen't know what a script is. The malicious code he's living with does. It's like an amputating the legs: it stops the gangrence. And you won't notice the difference if you never tried to walk.
There's a special-case ICMP interface under 98/95, yes, but it doesn't actually let you write your own raw IP headers.
If you want to do real raw IP under 98, you need to go down to the NDIS layer, typically by installing a driver, such as the one that comes with winpcap.
It is true, however, that this can be done without a reboot - EtherPeek certainly manages it - and thus the slightly more determined virus writer can achieve raw packet spoofing under any of the existing Windows OS's.
Strags
Would these same people support crippling Linux if it became a truly mainstream operating system??? Hardly.
Regardless of the underlying software infrastructure one uses, these kinds of software vulnerabilities scale with the system. The solution is NOT to revise low-level software, but rather to add higher-level software filters based on commonly accepted software protocols and methods. The problem with the American market is that - unless dominated by one company (say Microsoft) - no firm has the clout to IMPOSE these kinds of higher-level standards on the mass market (look how long it has taken for PKI to become ineffectual in private-sector email...).
Is this a case of competition undermining the "best interests" of the American software industry? Or are a couple of email viruses a decent price to pay for competition in higher-level software provision???
You decide... I'll stick with Linux. /. !
What is the point of having access levels when any ordinary user process can usurp ring-0 with code MS has known about since pre-SP1 and still functions today with minor modification?
Having security that doesn't work is no security at all.
.sig: Now legally binding!
Oh, gee. I don't know. Cisco is deepdeepdeep in the red. Microsoft has $30 billion in cash.
Gee. I wonder....hmmm......
Didn't MS give Apple $150 million to keep Apple afloat as token competition? I'm sure a $1 billion "investment" in Cisco would help things along.
Welcome to IPv7.
The two main points of this article are based on flawed assumptions.
1. Raw sockets in windoze is not the end of the world. *nix systems have them, even vxworks. A number of ISP's filter forged packets. If this type of spoofing is such a harm, it is trivial for ISPs to implement this. Cripling stack interfaces in OS'es is rediculous.
2. Passport will not authenticate every connection made on the net. Sorry, this is a pipe dream M$ sold you on somehow. And second, priority net traffic based on M$ passport is even more impossible.
Although most end-users are running a MS-based operating system, there is simply too much non-MS underlying internet infrastructure for such a radical change in protocol. TCP/IP is going to be around for a very long time.
Furthermore, how is it exactly that TCP/MS would prevent things like Code Red from happening? An application is vulnerable to stack overflow exploits because of the application code itself, not because of the protocol through which it receives data. Registering the ports that an application listens on won't help if the app contains a vulnerability.
Cringely goes on to suggest that all connections be traceable - well, that's fine, except that it doesn't solve the problem of people launching viruses from public terminals, or obtaining free trial dialup accounts using fictitious information. Digitally signing specific applicaitons with an Active-X control style GUID, and only granting access to validly signed applications might help, but I can't see developers embracing that idea. Even if they did, it only takes one compromised certificate to release any number of malicious programs.
And did Gibson actually write Zone Alarm? Cringely seems to think so, but it's marketed by Zone Labs, not GRC.COM. Anyone know for sure?
Strags
That firewall test is old. Tiny Personal Firewall is currently a much better free firewall than Zone Alarm. The only thing Gibson had bad to say about TPF was it didn't have MD5 checksumming turned on by default. It does now in newer versions. It's also a lot more powerful than ZA and from all accounts is more stable.
Raw sockets exist in Windows 2000, and I assume that it has a bit to do with the FreeBSD code in the TCP/IP stack... This code has helped to make Win 2k far more stable on a network than its predicessor, IMO. If they are such of a problem, why not acuse Linux or FreeBSD of the same problem...
Sigh. As a million people have pointed out in a million other forums, it's not the raw sockets that are the problem, it's the lack of security that's the problem. In Win2K the raw sockets are there, protected by security safeguards, as they are in BSD and Linux, and work well as a result. The problem with XP Consumer is that MS have deliberately (by their own admission) removed those security safeguards, supposedly to meet user requirements. Cringley is suggesting that they have actually an ulterior motive in doing so.
Every time some l33t d00d decides to make another iteration on the same web worm concept, companies like Linux-Mandrake can herald it as a victory:
ILOVEYOU virus doesn't work in Mandrake
Of course, no mention of any of the other linux's, Solaris, FreeBSD also not being affected by the virus.
TCP/MS is a scare tactic. Microsoft may be able to leverage the protocol into 100 million houses, but will they be able to pull the plug on more than half of the world's web sites?
And would Cisco play an active part in helping them? I doubt it. Some companies suckle milk from their consumers. Others take pride in ripping their bellies open and moving onto the next carcass.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
I want some of whatever Cringely is smoking. He seems to having some really wild hallucinations.
This article has rendered me speechless. It seems as if microsoft is going to take ove the world, damnit. I'd rather be ruled by a penguin. oh well
The problem is on Microsofts hands. They've unleashed a huge mess upon the world, let them clean up after themselves. To work around them is to place the cost of resolving their problems on society. Typical captitalization of gains and socialisation of losses.
SOCK_RAW access permits applications to spoof source IP addresses, thus disguising the source of a DoS attack.
thank you. like he said, people attack windows because windows is always the same, they all have the same setup (more or less), they all run the EXACT same programs, i.e. it's much easyer to get your buffer overflow to work with winnt/iis then it is with linux/apache because the binary or IIS and NT are going to be the same.
in linux and apache the kernal and apache executables are configured differently before they are compiled, so it's much more diffecult to have a overflow work against all instances.. of course for a standard distro like redhat and apache binary rpms this isn't true.
Windows is also more common, so your expliot will be more used.
Windows is also owned my Microsoft, a "evil" company, all the better to attack then.
-Jon
this is my sig.
I don't think you need raw sockets to set the destination IP :)
Seeing as how Zone Alarm is the only darn free/software firewall that appears to work, then why run anything else? I'd like to see Microsoft's crack team of security "experts" come up with something comparable.
Oh wait, they did.
Hahahahah
Yeah, right.
At this point the uninitiated would generally be given a pointer to goatse.cx, followed by a witty comment describing Steve Ballmer's "raw socket" in relation to either Tux the penguin or Linus.
This would generally be followed by several comments about how the Beastie could rip a new raw socket into Tux.
Is it just me or does none of the stuff he suggests need to be invented? He talks about an "Internet ID", a voluntary system where people can identify who sent the message. Um, it's called PGP - sign your messages.
He wants a way for ports to be "registered" and only opened for certaing things. Why not use a firewall, or just get Zone Alarm?
Also, what's the big deal about raw sockets? They obviously aren't needed to spread viruses as SirCam, ILoveYou, etc. have shown us.
It makes things easier on the target machine. Filters themselves require a fair amount of bandwidth and CPU to process incoming packets.
If you are running web services on a limited bandwidth connection (T1/etc) a filter at your ISP (i.e. before your gateway router and you) prevents all the bogus traffic from reaching your machine and wasting bandwidth (and CPU).
What a load of crap. Never heard of the Macintosh I take it? I sat my mum down in front of a brand new iMac and the newest offering from HP with Microsoft Windows on it not too long ago and guess which one she liked better?
That's right; the Mac. The HP box crashed right in front of her eyes, and even barring that, she said that she felt the Mac looked better (both the computer itself and the OS) but it didn't ask her to make so many confusing choices and just stayed out of her way while she browsed her favorite websites and checked her Hotmail.
She even thought the version of Microsoft Office that was on the Mac was nicer, easier to use, and looked better than it's Windows counterpart -- something that, upon a bit of searching, many other people happen to believe as well.
There ARE other and arguably better choices for the computer illiterate. Choices that actually have a history of trying to do what is most helpful to their users instead of most helpful in gaining marketshare and creating a monopoly.
After all, Apple was founded with the idea of making a computer for the masses. Microsoft was founded on the idea that you could sell software.
Mod me down please. Apple sucks, Microsoft is almost tolerable, and Linux rocks. How dare I say there are other choices and that the other choice isn't necessarily Linux? Right bloody bastard I am!
A "TCP/MS" protocol, with extra stuff in the header, won't route without explicit cooperation from MS-hating net admins. So there.
I, for one, welcome our new Antichrist overlord.
But it would appear to be a fact
'There is a Light that never goes out.'
He offered a new slant on a possible plot regarding raw sockets tho. Gibson never seemed to mention this theory.
That, and we normal folk already knew them anyway.... well, for odd values of "normal", anyway.
--
# Canmephians for a better Linux Kernel
$Stalag99{"URL"}="http://stalag99.net";
We could implement a secure user identity system precisely like telephone Caller ID. It would be essentially an Internet ID. All Internet transactions could be based on it. Anyone who sends me e-mail can be identified. Anything I send can be traced to me. People wouldn't be forced to participate, but if they remain anonymous, I might choose to block them. I certainly wouldn't accept file attachments from them.
You can already do this. You can trace email. You can block email from those you don't know. And this system won't work to block email worms because usually they come from people who you know.
Get with it, man!
Dancin Santa
If this actually came to be, hacker would crack the new protocol and spoof people. Since everyone would be reliant on all of this tracking instead of using common sense, there will be more scams happening than ever before.
If we all work together, and harness the infinite power of Open Source, we can clone it!
Spoofing and sniffing is one of the most common hack tools used.
If kids want to install an Internet game, the game's IP port would be registered and permitted to operate, hopefully by the parent. If kids wanted to install an Internet chat program, too bad -- it wouldn't work if Dad didn't want it to work. I understand that most kids are usually farout smarter than Dad. Suppose they download hack software at their freinds place or their primary school onto floppy, then dad's got another problem.
severely limit the use of TCP/IP by applications on your PC. And what happens when you do so? Everything works just fine. So rather than ripping the protocol stack wide open, let's do the exact opposite. Restrict access to it.
Perhaps a physical seperation of socket services in the operation system, making a distinction between (machine) local and (machine) foreign use would be a good compromise between security and userfriendlyness. Problem is that all internal and external traffic is merely seperated between a IP-number system most people don't understand.
The only e-mail activity on my PC should be initiated by me, personally.
How does the machine know it is 'me'? Anything can be spoofed - keyboard buffer, event buffer etc. Or are we going to enter a password for every click we do?
Microsoft wants to replace TCP/IP with a proprietary protocol -- a protocol owned by Microsoft
I've been scared for this as well, fortunately I heard a story which made me quite confident this can not happen: The main reason why Ipv6 hasn't become mainstream is that the millions of old Cisco Routers in the field are IPv4 compliant, not IPv6 compliant. If Microsoft is to come with a propriaty protocol, their communication won't come very far. They need to buy Cisco in the first place... protocol X over TCP/IP has been done millions of times, so that's not a big deal, the underlieing TCP/IP is as secure or insecure as ever - the propriaty protocol won't change that, it can be sabotaged. The author mentions a smooth and easy upgrade of all routers, sorry, this is the whole point the new protocol won't work as long this hasn't happened, and it wont't happen if there's no need for because its fukkin expensive.
Microsoft can promise open support, but make it financially impractical
Antitrust cases are about this. Unfortunately for Microsoft, the world is bigger than the USA only. Europe is doing two antitrust cases against MS, MS has problems propagating in Korea etc. I think political resistance and the Open Source alternatice will effect that Microsoft will change from operating in a global market changing into operating in a local (US) market.
Bizar technology?
ack, bad comment. raw sockets should be in it, but some kind of permissions need to be added to it (root/users...)
--News Flash Y2K was a hoax.
--News Flash The internet is not going to be "shut down" by any stupid virus.
--Any half decent FW comes with its own proprietary TCP/IP stack... Yeah MS might think about changing over to something else.
--It is time for "technologists" to cut it out and stop trying to scare the Hell out of everyone with this MS is evil and the internet is falling shit.
--Bottom line if MS was as bad as WE all think it is it WOULD disappear. Truth is it isn't that horrible. For 90 minutes at a time it's a great gaming platform.
This
I think cringely needs to quit posting while stoned.
After reading his rant, which admittedly does bring up a couple of interesting points (although the idea of M$ trying an Embrace and Extinguish on TCP/IP strikes me as one which, if attempted, would be laughable in its arrogance and stupidity), I think overall Cringely contradicts himself. First he talks like setting a GUID for everyone on the internet is a Good Idea, and then later on in the article, he attributes the same idea to the Evil Software branch of Microsoft. So, which is it?
On one point I totally agree, however. The current rash of email worms are entirely due to a business decision on the part of Microsoft, and they are culpable. The best, simplest, and most obvious way to fix a good part of this would indeed be to prevent email software promiscuous access to attachments embedded in email messages. No amount of restating the obvious, it seems, is able to either convince institutions to quit sending these (which are often, most unneccessarily and foolishly, in Word format), or to convince mom and pop users to not open them, or at least scan them for viruses before opening. And I'm sorry, but if you open a file sent from someone you've never heard of promising to display a naked celebrity, you get what's coming.
political_news.c: warning: comparison is always true due to limited range of data type
I think this scenario will play out right about the same time NASA starts poisoning every body of water on the planet so as to encourage more money spent on the exploration and colonization of space.....
Are you new to programming?
The deal is that w/out raw sockets, in order to send large ammounts of data, you have to send UDP packets with the data. When creating a datagram socket (i.e. for sending UDP packets), you don't have to get a succesful return from connect() prior to sending data. Thus you can just start sending huge packets.
But with stream socket (i.e. for sending TCP packets), you have to get a successful return from connect() before you can start sending data. Which means that before you can send any data to a server, you have to send a SYN packet, get a SYN-ACK packet back, and then send an ACK packet. Only then will connect() return with a success, and then you can start bombing away at the server with huge packets. But even then if you don't send them in a form that is recognizable by the application, the server will just issue a RST and close down the connection. For example, if your stream doesn't include HELO foobar, when you connect to an email server, the server will just disconnect.
Non-raw sockets make it easier to filter out attacks at the upstream provider because they are usually UDP packets which your web application does *not* need. So you just filter them and then you're done with it.
With raw sockets, it becomes *much* harder to filter upstream. WIth a raw socket, you can create a SYN packet from a random IP address to a web server on PORT 80. That SYN packet can be 9k long if you want it to be. And it will be to a port that you can't easily filter out . Basically, it makes the DDoS attack much easier and harder to prevent. The attack could come from any IP address , and it will be destined for your web server, which (presumably) you want to keep running. How do you filter out a packet destined to port 80 from possibly anywhere without also filtering out the legitimate connections?
Of course, even without raw sockets, you can still initiate a DDoS attack against a TCP port. If there were fewer script kiddies and more programers, it would not be that difficult to write a simple program that uses a stream socket, and DDoS's with a well formed HTTP POST that posts 18MB of data. If the DDoS kiddies were able to program, then that's what they'd do, and they wouldn't need raw sockets to accomplish it.
So while I agree that the addition of raw sockets really isn't that big of a deal, it seems to me that it's a little bit more complex than what I've seen so far.
$.02
Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
I have Win NT/2K servers to worry about. I'd love it if M$oft started to use TCP/IP here first - half of the tools I need to use still work with odd bits of legacy NetBIOS. If you thought IP networking had holes in it, just imagine trying to work with public-visible servers and a protocol that doesn't route and doesn't do any sort of security.
These things are just Broken 8-(
The local news programs that dispense opinions to the average folks have a tendency to simplify technological reports WAY past the point of inaccuracy. These news shows are aimed at the kind of user who doesn't know that there IS anything beyond what they do, and they don't really have a clue exactly what it is they're doing, anyway. They just do it, and most of the time, it works well enough for them.
Back to my point, the majority of reports are not going to point out that these email virii only work through MS Outlook - because the news perceives that web-based mail and Outlook make up the totality of their target audience's concept of 'email'. And why should they take the time to be accurate? They might piss off Microsoft, they might alienate some viewers from their "friendly" news service, and it's close enough anyway.
Reality is indistinguishable from any sufficiently advanced fantasy.
Is Slashdot going to publish any article like this? Expect articles about how MS could replace mp3, wav (with wma), html (with ms-html), smtp, pop3 (with mapi), doc (with doc 6.0), etc etc.
Mircosoft is a monopoly. They can change any standard. Nothing can stop them. (Yet).
my other sig is a 500 page novel
Uh, as a network programmer and the author of several popular open source tools, I can safely say this guy is out to lunch. Windows users already have raw network access. They just have to use a different API set. (NDIS) Secondly, raw sockets are necessary for any heavywieght network app. Tell me the socket call to send out an ICMP router discovery packet? How do I specify the use of specific TCP options without raw socket calls? Why do we publish this sludge on slashdot?
Business decisions are not simply based on 'Will it increase market share?'. The increase in market share is weighed against how much the solution will cost to implement. When you've got a Tier 1 backbone to support, it's expensive even to upgrade all of your equipment. IOS upgrades require router reboots which cause downtime to your customers. Even considering redundancy, it's impossible to avoid all downtime. Downtime aside, you have man hours to consider. Routers don't upgrade themselves, and even with the help of automation, there's a lot of work to be done in order to make sure that things go smoothly. It's not likely that a simple upgrade will solve all your problems either. The solutions proposed have overhead... processor and memory. Today's routers are already being pushed to their limits supporting a single protocol.. IP. Traffic volume requires larger and larger circuits and bigger/faster routers to support them. The addition of another protocol can't be done without upgrading hardware. So, overhead and cost of implementation considered, the increase of market share doesn't look quite as good as it did before.
From the commentary here, it seems like noboby has actually checked out exactly why Gibson thinks raw sockets in windows xp are a blunder. Simply put, he says that this will put ip spoofing capability into the hands of all of the people out there who are essentially script kiddies but have read a c tutorial online. These are the same people who have read about ip spoofing, but whose little preteen heads have started to ache when they think about remotely installing a driver without the user's knowledge. (What? I have to bundle the file in with the executable? I can't just hit the 'build' button on my pirated copy of msvc4?) Considering how attractive a virus that could initiate untraceable attacks would be to the millions of (very) amateur crackers out there, it's clearly a dangerous idea to include raw sockets.
That's his oppinion.
I, personally, think that it's going to be great. Once enough people out there convert to windows xp, wpa and all, and make this new method of virus writing easy, it's only a matter of time until some lucky worm sucks up some major bandwidth anonymously long enough for people to start wondering why they "can't get internetted". Once people take notice I see two possible outcomes: 1. Microsoft finally fixes outlook (Yeah right. They can't take _that_ code from anyone else.) 2. We see one of the _best_ tech support letters of all time (reproduced below). Dear pac-ma...err...respected open source FreeBSD developer, I recently used some freebsd code for a project that I'm working on and I'd like to pare it down to get rid of some blowt(sp?). How can I remove raw socket capabilities from your tcp/ip stack? . . .
I can only imagine that if the strategy he describes was implemented, there would be a hacker uprising that would basically bring MS down, but then again, some people think I'm an idealist.
... pathogenic multi-national monopoly.. will the real virus please be busted up?
A strange game. The only winning move is not to play. How about a nice game of chess? - Joshua (Wargames)
But would it use raw sockets?
Got friends?
funny. although i don't think there is much value in controlling the underlying packet layer--it would be like Micro-Channel Architecture all over again. i think microsoft would be more concerned with content and .net.
Got friends?
This kind of fear and hype is almost as bad as all the Y2K nonsense. C'mon people, think! Microsoft doesn't own the Internet. They don't even have close to a majority of servers running their insecure software. If they had, CodeRed would have actually had an impact. If M$ ever tries to push some proprietary replacement for TCP/IP, it'll fall on its face faster than the Intel chip ID. Who in the right mind would limit their marketshare by using a non-standard technology. Imagine if a commerce site like Amazon started using this proposed "TCP/MS." All of a sudden, millions of viewers try the site and think it's down so they shop on elsewhere. And I don't just mean Linux/BSD users. I don't think much consideration has been made to just how many home users are still running Windows95 on an old Pentium.
The whole "Linux will never succeed" pessimism thing is also getting obnoxious. Don't believe the FUD. We're probably only a year away from a complete software solution for almost every user. I'm talking about an OOB experience far far superior to anything the commercial software world has ever produced. Furthermore, anyone who thinks Linux still carries a strong elitism attitude has had their head stuck in the sand for the last 2 years. If that describes you, find a local Linux Users Group and see just how many people are switching to Linux and absolutely loving it.
What exactly are "raw sockets" -- what's the alternative? Would Linux's TCP stack be considered a "raw socket" model?
--
Mod up a post Rob doesn't like and you'll never mod again
Even if MS trys to implement this "TCP/MS" concept, what makes them think that routers will honor packets from this protocol?
Mike, apologies for the title of the post. What I meant to convey was that all of the posts I'd seen indicated that people were missing the forest for the trees. You're right, though - it was an inflammatory subject line.
Read the EFF's Fair Use FAQ
Who cares about spoofing. Think remote control DDOS. If some kiddie gets control over 100 XP boxes spread all over the place through a trojan and remotely launches distributed attacks, do you really think he cares about spoofing? At least Win 9X limits how he can manipulate packets so that an attack is easy to filter out.
Yes, but that wasn't the point. Running an OS that provides access to raw sockets doesn't make your machine any more vulnerable, agreed. However, if your machine is compromised, it can be made to send a whole load of spoofed packets to a target, thus making it much harder for the target to ascertain where they're coming from. This, says Cringely, is a bad thing.
Furthermore, (I'm not sure about this - can someone who knows more about XP comment?), the ability to generate raw IP packets often goes hand-in-hand with the ability to put the ethernet card in 'promiscuous' mode, and sniff all packets on the local ethernet. Imagine a virus that, once installed, sniffs for passwords in local LAN traffic. Not good.
Of course, this is all beside the point anyway - machines can be made to spoof packets already!. We need to be making routers more fussy about which interfaces packets need to arrive on, rather than crossing our fingers and hoping that every host on the internet is well-behaved.
I won't trust any future software from them, at least for another five years.
Of course it's a no-win situation. They're the stupid hooker who's spreading AIDs and now no one trusts them... cry me a fucking river. There are plenty of other fish in the sea and Microsoft have thoroughly proved their stupidity.
I'll shop elsewhere, keh?
ROTFL.
And it would probably have an option to send letters to attackers begging them to stop...
Chers.
--fred
As events of the last several weeks have shown, the auto industry, automobiles and the US road system create the perfect breeding ground for hit-and-run drivers. They don't even have to exploit automobile flaws to be effective. Any driver with a good understanding of how automobiles work can run somebody over. All that is needed is an automobile, and someone crossing the street, to get run over. It is too darned easy to run people over that can do billions in damage (and even kill people!). The only sure way to fix the problem is to re-stripe the playing field, to change the game to one with all new rules. Some might argue that such a rule change calls for the elimination of the auto industry, but that simply isn't likely to happen. It's true that motorcycles and sidecars are generally safer than automobiles and trucks, but auto industry products aren't going to go away. I promised you an answer to how to secure the US road system, and I mean to come through. First, we'll start with the way I would do it, then follow with a rumor I have heard about one way the auto industry might want to do it.
..but if someone doesn't have 300,000 machines at their disposal, raw sockets make all the difference.
I/O Error G-17: Aborting Installation
It appears to me that most viruses nowadays revolve around microsoft and it's incessant need to script everything, and make everything they make 'better' than everything anyone else comes up with. Microsoft could indeed be charged with Aiding and Abetting this crime, since they are the ones that provided the means of infiltration. If you don't want your house broken into, you don't leave the front door open.
;) and the fact that it's resorting to changing the protocol really says something about the way Microsoft works -- if the walls keep falling down, make the ground rubbery so they bounce up again. The UNIX way is to have teams of people building decent walls in the first place.
One (much debated) problem is that Microsoft are leaving the door open by closing all the doors to their source code. It wouldnt be surprising if they had a genuine reason for not letting ANYONE other than Microsoft see their sources -- there are many many free pieces of software out there written for unices that have free, uncompiled source available...
Anyway this strays from the point. I am pretty much in favour of viruses like Code Red if they get rid of this rediculous Microsoft server craze that's going around. Microsoft has not naturally evolved into a server user/group based architecture and this is its main downfall. Unix is, of course, free. Free to host websites etc and many people who wish to set up servers obviously feel that if it's free it must have something wrong with it...
The point Gibson is making about XP (I think) is that it comes without the crappy sockets implementation that was in 95 and 98, meaning that it is now possible for anyone using XP to spoof their IP as easily as they can in UNIX. Previously it was quite easy to detect Windows based l33t h4x0rs because they used little cracking applications that did the work for them and could not spoof the IP. In the bright new world of XP, even the hackers win out, because they can now make hack-attempts by software much more untreaceable than before.
And I think I speak for most of us when I predict that what Cringely calles TCP/MS would be a terrible implementation and, naturally, hugely popular (as with all Microsoft products). Microsoft currently has an utterly terrible server record, being the most hacked and attacked system I've heard of (possibly with the exception of RedHat Linux
Microsoft currently has a great desktop system, and it should stick to it. Microsoft is a CLIENT, it should never have been a server.
One of the most interesting problems nowadays is that, after following MacOS for so long, Windows has finally found itself in the driving seat, only problem is it's never taken a lesson in it's life and keeps crashing. The recent panic by microsoft that has resulted in it spewing out about 4,000 new OS's in the past year is evidence of this.
Weevil
ghaa.
IMHO, the fact that Explorer defaults to hiding extensions is a big problem in itself... it is so hard telling my cow-orkers over and over again "don't double click on anything with at
In a "ignorant user" story, someone in management recently recieved a SirCam email... thankfully, the clueless bloke just forwarded it on to one of his (more technically aware) underlings with instructions to "find out what this guy wants input on".
Hi.
I didn't read the article but I would just like to say:
I think this is bad.
...and later...
I believe the lack of security in Microsoft software was a deliberate business decision.
Now, you don't have to try to look like neutral in order to successfully bash Microsoft...
Donate free food to the hungry at The Hunger site.
This seems like a nice idea, but I'm not for it, and I'm not sure if it even feasible. An IP address is already like caller ID.
Lets say you were assigned this new unique ID. Who's responsible for ensuring the identity of the payload remains unaltered? The software maker? That sounds familiar! Today, when you send mail, your message might sit at several relays. Is it up to the mail server to implement tracking of this ID? Could you not simply make a mail server that ignored this precedent and spoofed whatever it wanted? This seems the same as someone getting a shell on a box and running some kind of custom relay meant for delivering spam mail anonymously.
I also can't imagine a business deciding to ignore mail based on the lack of this identification. If you have to favor security over a new customer, you have other problems.
The funny thing about this article is that a PC implementing his ideas for security could easily exist now, but the fact is Microsoft isnt going to do that. If they can't follow measures to implement good security now, why would they under this new system?
Personally, I hope the answer to all this DOS'ing does not involve me losing what anonymity I do have (which doesnt seem like much at this point anyway).
Who cares about spoofing. Think remote control DDOS. If some kiddie controlsoxes
Imagine that! No longer will cookies be used to track user activity. These won't be necessary, since the Internet ID would be much more effective at tracking user activity.
There are better ways to promote security than to adopt such measures. I prefer his less intrusive suggestions, such as improving the way the OS handles potentially insecure software.
"In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
If Linux were ubiquitous, it would be more targeted. And, there is nothing about Linux that is fundamentally more secure than MS software. It's amazing to me how a group of technologists can have such a distorted view. Aren't we supposed to be Computer SCIENTISTS?
Yeah, but that's not a "victim" distinction. People would send out DDoS viruses anyways, and it doesn't open the host machine to any new attacks.
IP spoofing, packet malformation that can cause OS crashes.
Without raw sockets most script kiddies can't compile and run many nice exploits.
Microsoft will not be able to get in bed with AOL/TW. This is crucial to MS control on TCP/IP.
Microsoft's main business is not on controlling internet, but selling it's software/service of Office/OS/etc. They are forced to be competitive on internet front, just not to lost it's monopoly status. On the other hand, AOL/TW is heavily on the content and connection provision. I see that there will be definitely a conflict if the control of protocols fall onto the hand of MS, and AOL/TW won't endorse it. Indeed, if AOL/TW is in a position to gain control, it would. Given the history, they both know about the intention of one another and their split is not going to reverse in forseeable future. Without AOL/TW endorsement, MS can't do much.
A sig is redundant.
I do!
This is true, I have NO IDEA what Cringley is saying when he says that raw sockets allow for more viruses and such to be introduced to your system.
For the uninitiated...
Generally, when programming, you define a great many things when defining a socket, the layer of abstraction to tcp/ip defining a single connection.
SOCK_RAW is a bit less abstract, you define more of the data that is being used by hand rather than allowing for the socket code to do it for you. Generally the you use SOCK_STREAM of SOCK_DGRAM, which define TCP and UDP sockets, respectively. SOCK_RAW writes directly to IP, so you must encode many of the headers manually rather than automatically, as the other 2 would do, and then write them to this socket.
In other words, it has NOTHING to do with getting viruses! SOCK_RAW is just another socket, but you are writing to the IP protocol, rather than TCP or UDP (which sit on top of IP). It also has nothing to do with being DoS attacked. I have NO CLUE where he got that from.
Hi! This is the Sig, blatantly attached to the end of this comment.
Make sure that they don't get a single nickle of your money.
I warez all my stuff, they don't see a nickle anyway. Stuff is too much to pay for, and too needed to live without, so when that happens, poor people steal. It's been going on for thousands of years.
It's not the name he was born with, but it's a real dude, and there's just one of him. In the beginning, the guy who wrote this (ridiculously misinformed) article wrote a column for InfoWorld. He quit that gig, but wanted to keep using the name Robert X. Cringely. InfoWorld said, "No way, hodad, that whole Robert X. Cringely bit has become a staple for InfoWorld, and since it's not your real name anyway, we're claiming the name as our own." And so they did, and other people (I don't know how many) have continued the column in InfoWorld under the name Robert X. Cringely.
I know that the two sides tussled over the name, but have no idea in whose favor it turned out, since InfoWorld still runs a column under the Cringely name using their own writer(s), and the PBS guy is obviously still using the Cringely name. These are two entirely separate entities, though.
Oh well, they both suck anyway. ;) Cringely (PBS version) got busted in the past few years when it turned out that he completely made up his academic credentials, claiming that he got some degree from Stanford, which he didn't (I think it was Stanford, anyway). And InfoWorld is trying to turn their pseudo-journalistic hackery into a consulting business (and presumably praying that potential customers never notice that they're barely able to operate a functional website -- and that for a very long time, they couldn't even do that!), but that doesn't seem to be going so well for them.
It starts OK, enumerating how Microsoft make crap decisions by market influence, and then puts raw sockets as "the most evil thing on Earth", and now we are doomed to get 2,1415^*10^1000 virus a day. I thing he must read again a TCP/IP book.
if Microsoft stays away from TCP/IP, then we'd be free of all those NETBIOS traffics(aka network background noise).
I welcome the decision of Micosoft on segmentating the Internet. Vines IP is surely a successful story that Microsoft should follow.
Micro$oft (NASDAQ: M$FT) today realized that their new TCP/MS protocol will not function over the Internet's (mostly-non-M$) infrastructure. The TCP/MS protocol is designed to address some of the security issues involved with the industry-standard TCP/IP protocol. It allows for authentication and tracing, to allow large corporations to know who does what, when, where, and how.
Micro$oft is not held back by this issue, however. They are currently working on developing a solution called "MS-over-IP" which will allow TCP/MS packets to travel over non-M$-compliant IP networks. This will be available as a patch to the upcoming Windows XP, for approximately $300. Micro$oft also notes that if your ISP refuses to conform to the new TCP/MS standard, and you do not wish to spend $300, you may switch to their M$N Internet $ervice, which will support native TCP/MS connections.
Micro$oft did not return any calls to our reporters on this issue, and simply sent us an E-Mail saying: "All your packets are belong to us."
Then the folks at Readmond step forward and say, "When you're right, you're right. As you have no doubt heard, we are offering services like Passport as part of our Hailstorm initiative. These services are pretty much exactly what you have described. See, we truly are the leaders of innovation!" And (hopefully) everyone is sold on Hailstorm ;)
LedgerSMB: Open source Accounting/ERP
Anyway, I have to go log on to AOL so I can view _Inside the Making Of Survivor Pop Stars on Temptation Island_ hosted by The Rock.
It's 10 PM. Do you know if you're un-American?
"There are already several easy technical fixes to prevent source spoofing, and if Gibson and Cringely's phantasy comes true, they will all be deployed in various Internet routers in a matter of weeks. Some of them already are implemented in Cisco routers, but are not enabled by default. Long before things can come to sufficient head to justify Microsoft's appearance as an off-white knight to ostensibly save the day. "
True enough, but the magic words are "not enabled by default". Too many people put devices in and never configure past default levels. Or apply patches, for that matter. Consider that the patch to correct the condition that Code Red exploits had been out for over a month.
The point I think that Gibson and others like him are trying to make is that opening holes like this in an interconnected world can cause havoc that will impact even those who are protected, because there are so many more who are unprotected.
---Any philosophy that can be put "in a nutshell" belongs there.---
One of the reasons that IPv6 is not very popular is because the MS version is proprietary as hell. MS is waiting for the big switch to IPv6 so incompatabilities between Unix and NT/winME could show up. At the time when the first MS-IPv6 stack was written, ms arrogantly assumed NT would own %80 of the server market by the time IPv6 became standard.
With almost everything running on NT, MS could then easily convince IT managers to only run NT on all servers for full network compatibility. The good news is that Microsoft's server dream never came quite true. Unix is still king on the Internet and is surprising gaining marketshare. At only %35 of the server market, I believe the MS IPv6 will not be very standard even if the whole Internet switches to the standard IPv6. But due to the MS-IPv6 problem, IPv4 will never quite go away.
http://saveie6.com/
the best e-mail worm would look like a canned "message undeliverable" reply and say "original message attached"
i dunno what's with all this "i love you" crap.. i mean, really.
You realize the only solution to this mess is to nuke Redmond off the map once and for all.......
I know you hate this idea, but I think the Internet needs a fingerprint.
Please notify me the moment this genius has his next idea.
Waitaminnit! If it's soooo easy as described by the first, 6 year old ref and the second 1 year old ref you give, then why are we even discussing spoofing - it should be a dead issue by now.
Methinks mebbe cuz it ain't that easy - takes time and $$$ to do, both of which require appropriate blessing by a org's Ribbons and Seals Committee - who don't bless unless they see a "bang" for their buck. Back-room, under the covers security work doesn't bang.
IOW, "technically" it is an easy fix (except for the legions of oddball, old routers out there), it's a difficult business decision to reach. For those with oddball/old it's both a hard-tech and hard-biz decision. Which translates to: let's not. Until we really, really have to. Which usually occurs because you got nailed.
Although I think that Cringely is more than just a little bit off on this 'un, I still believe that rawsocks availability, on machines that Mom & Pop are gonna get for Jr at BestBuy is a damn fool idea. Not that Jr is going to dive right in and code the next-gen DDos tool, Jr can't hack that. But Jr can damn sure use the tool if it's handed to him on a silver platter from his fav warez / SK-toolkit site.
Think about it: over a year's time that's how many PC's shipped with this? Ans: Big Number. If only a few percent of those machines become script kiddie playpens we are talking thousands with the capacity to control oodles more zombie winboxen - which in a year or two will be upgraded to XP/rawsocks if they don't have it already. This has got Stupid Idea written all over it.
This solution has been advertised for years; Windows might help to actually make ISPs implement those filtering systems.
We could implement a secure user identity system precisely like telephone Caller ID. It would be essentially an Internet ID. All Internet transactions could be based on it. Anyone who sends me e-mail can be identified. Anything I send can be traced to me. People wouldn't be forced to participate, but if they remain anonymous, I might choose to block them. I certainly wouldn't accept file attachments from them.
'er huh? Perhaps you've been living under a rock Cringely? So you don't run any anonymous attachments, great. Perhaps you forgot to consider the situation where someone you know actually does "click" (never did like that term) on an attachment from an anonymous e-mail? You'll receive the "worm" and happily "click" on it since it came from a trusted source.
*Condense fact from the vapor of nuance*
So any microsoft programmer MUST know how to stop them... or use the obious solutions:
Disable the VBS suport
Filter messages with VBS attachments
Just use another mail handler
switch to Linux
But M$ policy is allways to make users edxpend more and more money on they products...
DON'T PANIC.
I see this article got not very warm welcome from technical slashdot crowd. And yet according to Michael "this week's installment is a pretty good one". Care for explanation? First two paragraphs of Cringely are fairly reasonable and MS bashing... /. editors read an
article before publishing...
As a side effect of this explanation we discover how much
user identity system precisely like telephone Caller ID. It would be essentially an
Internet ID.
What, you mean a PGP key? Why Cringley, if
you've got it all figured out, tell us why
PKI hasn't taken off?
... not to be confused with 'Micronet', the pioneering UK videotext system of the mid 80's, the popular 'internet' of its day ?!
IPv6 will take a long time to happen, and complete stacks are hard to implement - however, most system and router vendors are quite a way down this track, and not all devices/hosts need support all features. The biggest issue is router support, and Cisco is finally committed to an IPv6 roadmap ending in late 2002.
Something like a billion mobile phones will require IP addresses quite soon, and NAT will be enough of a pain that the European 3G standards have mandated IPv6 in UMTS release 5. In other words, without IPv6 you won't be getting IP multimedia on your mobile phone any time soon - this is what will push IPv6 adoption, first in mobile operators, then wireless application hosting networks (W-ASPs), then enterprises, then finally in core networks.
We already have a replacement for IP that does many of these things. It's already supported under Linux, and probably a couple of other OSs I don't know about.
It's called IPv6, and it has QOS, guarenteed delivery, traceablity, and a whole host of other goodies. C'mon, do you really thing Cisco would let MS take away their bread and butter? IPv6 has been in the works for years and was designed specifically to solve all of the issues he mentions. I guess he thinks that only MS is smart enough to develop a new protocol...
This whole article is a red herring, and Cringley's about a technically literate as a door knob.
-- I don't have a cool sig.
But Cringely's real point is that Microsoft is a very powerful company with a long history of turning its own technical shortcomings into market strengths. Microsoft's PR machine is incredibly effective - witness the FUD that kicks into high gear any time MS announces anything.
It's also instructional to remember a few Microsoft projects that didn't go off as planned. Ever wonder why journalists never bring up those failed efforts, or points to the millions of wasted dollars MS has spent over the years on vaporware?
Remember how Microsoft Bob was going to "personalize" the computing experience? Well, it failed not once, but twice!. Remember how Chrome was going to "revolutionize the industry," according to the drooling press?
Because Microsoft is the 800-lb. gorilla of the software world, even when they fail, they get the benefit of the doubt. It comes with the territory. Also, because the Microsoft culture is fantatical about continuous improvement, they have a long history of sucking hard at v1, sucking at v2, becoming fairly usable at v3, and taking over the market by v4 and beyond.
Microsoft has been doing this long enough to realize an opportunity when they see one. Cringely is reminding us that unlike all of you Slashdot readers out there, Microsoft is driven not by desire to build cool, useful technology, but by the desire to control marketshare. That's the be-all, end-all of their existence.
So whether Cringely is correct about raw sockets or the demise of TCP/IP doesn't really matter. Almost every company that has gone toe-to-toe against Microsoft in a market segment has failed because they continually underestimate and miscalculate Microsoft's strengths (IBM, Novell, Apple, WordPerfect, Lotus).
Microsoft has an overarching vision of the computer marketplace that is far more evolved than any of their competitors, with the possible exception of Sun.
Microsoft remains unconcerned with business ethics, is unafraid of censure by the government, and wouldn't hesitate to use the ubiquitous of their own flawed products as an excuse to move the foundation of the Internet to a proprietary framework.
Microsoft doesn't give a shit about the history of the Internet and the spirit in which it was created. They don't give a shit about letting everyone in.
If Microsoft believes they can make the Internet a proprietary environment that they can control, they will work relentlessly toward that end.
Read the EFF's Fair Use FAQ
first his solution sounded a lot like PGP signing. also the whole tcp/ms thing sounds like he reads to many spook stories. i honestly doubt that bill gates has some giant map of the world with pointers and arrows show how he will dominate (today the internet, tommarrow the world!). although the concept of microsoft coming up with a proprietary protocol to replace a standard is not a far fetched one, i think that at somepoint someone really just needs to go up, bitch-slap MS and say, "prove it" at somepoint someone needs to sue MS for misreprisentation in advertizing and force them to scientifically back-up there claims of security (and especially of stability). enough with the scaed act, i'm getting to old for scary bed time stories like this. if anybody is really scared about this then they should perhaps activly produce code that distroyes, not cripples MS. i do not personally think that this kind of shit is even morally right, but hell, if MS wants war against script kiddies and virus writers, give it them.
Actually Windows XP does allow you to create non-administrator accounts.
You just need to create a second account and as the Administrator (Original Account, this can be named whatever you want) and take away Administrator access.
By default all acounts created in Home Edition have Administrator access.
So yes, it is possible, and no, it's not fscking likely to happen.
I can see the part about TCP/MS as being a remote possibility, but the real problem with the theory is the part about Microsoft introducing something like raw sockets specifically to encourage abuses that they hope will subsequently be blamed only on hackers, UNIX, and TCP/IP itself.
This would seem to be an extremely risky strategy due to the high potential that it could backfire from a public perception point of view. My experience is that despite the fact that some people are apologetic toward Microsoft as Cringley points out, there is a steadily growing public perception of the weakness of Microsoft products.
Many Windows users that I know use it because they feel they have to, either for the applications they need, because their workplace demands it, or because they feel they are too non-technical to use an alternative like Linux (and believe me, many of them are). They are well aware of the instabilities and the susceptability to virii, and in fact many of the Windows users I know joke about it all the time even though they use Windows for various practical reasons.
I think at this point in time, if Windows XP doesn't live up to the MS hype about it being a more stable and robust platform, and ends up in fact being less robust, they run a significant risk of damaging their public perception; probably not fatally, but noticably none the less. Given the fact that a wholesale migration to TCP/MS, while possible, is far from a sure thing, this would seem to be a rather risky strategy.
It's quite simple, really. If you talk to marketing folks they will always talk about branding. This involves nothing more than associating an image with products and services. Technical people are phenomenally bad at this because they tend to focus on the technical aspects of any discussion (how quaint :-).
To keep this from happening in the future would require that the technical folks remember to clearly brand the problem as an MS problem when security advisories are issued, and discussions occur. Use a little logical judo on them, as it were.
So remember, from now on it's not an "internet" worm (unless it really is), it's an MS IIS worm. It's not an email virus, it's an "MS Outlook" virus. However, be sure of your facts as you may get a visit from an MS lawyer.
You're probably talking about egress filtering of packets that don't belong to our network and ingress filtering of packets that do. The latter can be done (I believe our routers already do this), but most ISP's (including my employer) have complications about doing the former. The main problem is multi-homed hosts. Not only do these things increase the size of our routers' BGP tables, they also complicate egress filtering of forged packets (some supposedly "forged" packets could have come from a multi-homed host). We are currently in the process of identifying these multi-homed hosts to see which ones are valid, and see what we can do about them.
Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
now this is all hypothetical (much like the article), but if everyone HAD to be tracked somehow, wouldnt that be a huge invasion of privacy? i realize this is a conspiricy theory thing, but im going to accept all this for arguement's sake. so i log on and start surfin' the net. im the average end user, so i do everything from download porno without my wife knowing about it to looking into a new canyonaro to haul the kids around in. i also have a cable modem so i have a static ip. when i or any of my family "log on" we have our unique fingerprint for our ip. tcp/ms is tracking our every move. all this wonderful marketing resrarch cant go to waste. microsoft will no doubt have a way of storing this info (or atleast have an app that can...that they can sell) and selling it to the highest bidder (aol/tw maybe?). not to mention the govt will be wanting this info for their own dirty reasons. there are implications beyond the infrastructure of the internet to worry about. but being nothing more than a lowly luser, what do i know?
"Alot of people don't know what they are doing...and most are pretty good at it." -George Carlin
No he's not saying viruses spread over raw sockets. He's saying that many viruses/worms like Code Red have the end effect of creating a denial of service attack; denial of service attacks are very difficult to block when the addresses of the packets are spoofed. He's saying that in the future, when 90%+ of the world is running Windows XP (and Windows 95/98/ME/2000 has been discontinued by Microsoft- ever try to get Windows 3.1 anymore?), and 90% of those people haven't used third party tools to secure their computers, there will be a continuous series of distributed denial of service attacks, and viruses like Code Red which will effectivly bring the Internet to a halt. (Most servers aren't running Microsoft OSes, but most of the clients are- the fact that Apache is the most used server is completly unimportant in this matter. Code Red isn't as bad as predicted because most people don't run Windows 2000, but XP unifies the server and consumer OSes so it'll be running on a very large number of computers, making these future problems several orders of magnitute worse.) The end result (as predicted by Cringly) is that Microsoft will extend and embrace TCP to get the Internet (which will be rendered useless by script kiddies and/or attacking foreign governments) working again.
Once implemented, if your web server doesn't speak MS/TCP then no one with Windows will be able to see your site. (And the only servers that will have bug free implementations of MS/TCP will be running a Microsoft OS.) Think that little ploy is hardly enough to overturn the Internet? Then why am I using IE right now? Their ploys have undone greater marketshares.
Someone said that Cisco is working on a way to prevent spoofed IPs at the router, if this is true, then this speculation is for naught. However, the fact that this is plausible should be a wake up call. Microsoft owns all of us. This is the straw that broke the camel's back, I'll resign before I install Windows XP. Microsoft's abuse of their monopoly is an affront to freedom. Live free, or die.
Most PC users don't get a choice. SPARC users don't get a choice. Don't know about IBM systems, nor HP. But anyone who installs BSD or Linux has made a choice, and can make another one if it doesn't work out.
Infuriate left and right
They don't even have to exploit Windows flaws to be effective. Any Visual BASIC programmer with a good understanding of how Windows works can write a virus. All that is needed is a cleverly titled file attachment payload, and almost anyone can be induced to open it, spreading the contagion.
;)
Oh no! We've been bashing VB Programmers since who know when... It's the Revenge of the VB Programmer!
the first and preffered Cringely's solution for a so-called secure Internet is a dream for several reasons :
I mean, how such a technical solution will be develop in other OSes under any possible TCP stack and mail servers (to insert the ID),
IPv6 does not have any more support for QoS than IPv4
Maybe it has something to do with the Kame project having QoS built-in. Someday I will have time to experiment with AltQ
Unfortunately, that day seems far away.
When I read articles like these, it occurs to me that one of the marketing reasons for closed source, 'accountability of the software company for its products' is just fake. MS has never taken its responsibility, not for blue screens or for worms/viruses. :)
It's better for other companies to have that in a service contract and voila, there is no difference in making money as a open or closed source software company. (err... there is one. open source has lower initial costs. So everyone Linux!
I agree. Microsoft can't kill tcp/ip. I don't think Bill Gates is that arrogant(he's certainly not that stupid) as to try to implement a plan like that. I think HailStorm is going to be thier attempt at a coup, and hailstorm could do just fine over IP6.
As for those losers who say "linux will never succeed", they are blind to the fact that it has succeeded. Brilliantly. This, in spite of all their naysaying, it's bigger than ever and growing faster than ever. Let them keep talking, they're only demonstrating their inability to see things as they are.
But you know, we all could just delete Linux tomorrow and install Windows, or perhaps every Linux user in the world will simultaneously be hit by bowling ball sized meteors while outdoors, that could happen too.
Show me an effect without cause and then I'll believe in chaos.
While most of what you said I tend to agree with, I do take issue with one thing(other than what appears to be a mistype "Linux is going to go away..." which I assume you meant "isn't", because it isn't). Here's the offending line:
"It just happens to be IPv6. Let's face it, it's about time, and unless M$ makes that push, it isn't going to happen."
You obviously have been smoking some of that hydro dank yourself if you think that the world needs Microsoft to push innovation. The internet happened in spite of Microsoft, not because of it and it will advance, in spite of it, not because of it.
Show me an effect without cause and then I'll believe in chaos.
Quoted from Cringely:
If it were not for Microsoft's carefully worded user license agreement, which holds the company blameless for absolutely anything, they would probably have been awash in class action lawsuits by now.But can't sysadmins sue Microsloth for the gross negligence that consumes our bandwidth?
I know the license agreement that I made when I opened my Windows 2000 CD only affected my Windows 2000 desktop. It has *nothing* to do with the bandwidth - which I pay for - that this stupid [expletive deleted - Ed.] worm has consumed.
I'm not normally litigious, but Microsoft needs to clean up their act.
Anyone know a good class-action lawyer?
Fire and Meat. Yummy.
I'm using Outlook XP at home on a Win2k box.
If I try to send an email to someone from the Outlook Express news agent, there is a message box that pops up and states "This program is trying to use Outlook to send email, do you wish to allow this?"
This isn't quite as complicated as his proposal to authenticate and tie applications down to the socket, but it is very effective. Further this type of tie down is a fundamental design change for the TCP/IP network stack and would probably end up breaking an awful lot of current applications. Of course then when only Outlook Express worked, everybody would accuse Microsoft of purposefully breaking apps to promote their stuff.
So it's basically a no-win situation for Microsoft(or any other vendor), and they just have to do their best to solve a problem and not get in the way of the consumer.
Honestly, I don't know what else people expect Microsoft to do. This functionality to lock down Outlook was introduced as a patch to Outlook 2000 last year. It's built into Outlook XP by default.
Sadly most people don't use the patch.
Unique identifiers have been available for years in the form of PGP signatures on email messages. It is a simple matter to sort unsigned messages and messages signed by unknown entities into a separate folder and deal with them safely.
Because of the existence of Microsoft Outlook and other insecure email clients, simply identifying the sender is insufficient security. It is also necessary, as the article points out, to limit the access of attachments. This is possible with executable attachments written in Java. It is also possible with textual attachments in formats such as LaTeX and with picture attachments in common formats. In fact, only Microsoft format attachments pose a real threat because of the ubiquity of VB script in Microsoft products.
The features mentioned in the article are available now, in a number of open source applications. There's no need for new software to meet these goals. Too few people are aware of these options.
Open source doesn't need leaders, it needs marketers.
Patrick May> The average user HATES the kind of inconvenience/confusion a product like Zone Alarm presents, and, like my Dad, will eventually get rid of it.
Do you give the user what they want, or do you give them what you want and feel they need? Convenience uber alles or some security to boot?
I'd call it a rhetorical question, but let's just say that Microsoft's figured out the answer.
Easy does it!
This comment has been submitted already, 276865 hours , 59 minutes ago. No need to try again.
So let's say they have 100 machines. Do you really think that you're going to be able to cull through all the traffic in the middle of the attack, build a list of the 100 IPs, and then set up a huge ass filter to block them? I've never heard of any competent admin taking such a brute force approach to a DDoS attack.
If someone suggested this on Unix, people would just laugh - 'lose the ability to script my whole system using my favourite glue language; no way'. Why it seems any more appealing on Windows, I have no idea.
I didn't know Steve Gibson wrote Zone Alarm. When did this happen? What happened to Zone Labs?!
Yeah, right.
The bee in Gibson's bonnet (and therefore Cringely's, cuz we know where he gets his material) is IP source address spoofing. He thinks that Windows XP will somehow make this much easier.
He's right.
But it doesn't matter.
There are already several easy technical fixes to prevent source spoofing, and if Gibson and Cringely's phantasy comes true, they will all be deployed in various Internet routers in a matter of weeks. Some of them already are implemented in Cisco routers, but are not enabled by default. Long before things can come to sufficient head to justify Microsoft's appearance as an off-white knight to ostensibly save the day.
See also this article from Network Magazine.
The wonder of all these Internet security problems is that they are continually labeled as "e-mail viruses" or "Internet worms," rather than the more correct designation of "Windows viruses" or "Microsoft Outlook viruses."
Well... let's hope someone read this. Why use a stupid name like "Code Red", "Love letter" etc. when you could call it something else...
Not that I'm "someone". It's just an idea.
Except for if every damn net admin would WAKE UP and SMELL THE COFFEE and
I sense frustration in you...
(I'm good at reading people.)
Raw sockets are a just a slightly easier way to spoof IP addresses. But if someone has 300,000 machines at their command why would they need to spoof the IP addresses at all? Knowing the IPs will not really be of much help against a distributed attack of this scale.
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
IPv6 does not have any more support for QoS than IPv4 (except for the flow label, only useful with RSVP, which is very rarely deployed). I work for a software company that enables people to deliver QoS today on IPv4, and quite a few are happily doing so.
IPv6 does not have 'traceability' - there is an IETF RFC detailing how to have slowly changing IEEE identifiers (MAC addresses) so that your IPv6 address will not include a static ethernet card MAC address. No more traceable than IPv4, and better in some ways.
IPv6 has no more guaranteed delivery than IPv4 - both of them can use TCP to ensure delivery of packets, but IPv6 has no special features in this area.
IPv6 is all about larger address space, easier router/host configuration and auto-configuration, easier re-addressing, better mobile IP, reduced routing table sizes, simplified options processing, and simplified headers. Please read up on IPv6 at http://www.ipv6forum.com before making these misleading statements.
embrace... old protocol. extend it...( optmized, secured by MS tecnology ) kill... ops I mean own...
If these attacks used spoofed IP packets, there would be no easy defense.
Except for if every damn net admin would WAKE UP and SMELL THE COFFEE and IMPLEMENT EGRESS FILTERING or SOURCE ROUTE VERIFICATION or whatever your router calls it.
If you have a router built within the last 5 years, I can pretty much guarantee you it supports it. So turn it on already!
If every border router on the internet used it, we could stamp out IP address spoofing overnight. No magic about it. All the border router has to do is check that the source address of the packet is within the range of addresses that it 'owns'. If it isn't, drop it, and log the MAC address so that it can be traced.
Easy huh? Any router worth its salt can do it, so...
Please!?!? What does it take to convince you?
Cringely must have been smoking some of that hydroponic shit - or maybe just his socks. First, let me state upfront: I work for M$, in the networking division (but I have made living for many years as a UNIX systems programmer - as have many other people working at M$. M$ hires people for their brains, not for their OS religious beliefs). I used to think Cringely understood tech, but the past two weeks have shown him to be clueless. Gibson's complaint about XP raw sockets is that they allow IP spoofing, something Cringely doesn't seem to understand. Even Gibson is blowing it all out of proportion; turn on the fucking ingres filters on the routers and deal. As for TCP/MS - sheesh! The truth is, M$ *do* have a strategy to push a more secure protocol in the market. It just happens to be IPv6. Let's face it, it's about time, and unless M$ makes that push, it isn't going to happen. The world will be a better place when it does. Anyway, Penguinheads, you shouldn't feel so threatened by M$. Linux is going to go away; you can have all the OSes you want. They're all getting better, so no-one's losing (XP rocks, BTW!). MS might be the only choice for your mother's PC, but that's not because its the only choice, but because its the only OS that has targeted that market and invested heavily in making PCs usable by the computer illiterate. For the computer literate, you have choice. If you want to worry about monopolies, look at AOL Time Warner Netscape (Real Amazon .. the monster keeps growing). They might end up controlling your mind...
When *I* was a youngin, IBM could do no wrong with many decision makers. I swore I'd never have my head in my ass when I got into decision making positions.
Now I'm 42 and one step away from making the decisions. I can INFLUENCE them now, and due to that, we run Apache for our web servers, I've stopped any thought of IIS from being implemented, and run Linux where possible and NT reluctuntly in some applications....
So don't forget this stuff. Microsoft may gain that market share, but one day hopefully pointy-haired bosses will be a bit better educated and make better decisions and not get sucked in by marketing hype.
Oh, I can dream, I can dream...
I remember when MS patched some stack vulnerability by only looking for the signature of the attack, (I believe it was to counter winnuke.) and then someone changed the signature of the attack.....
Sorry man, I don't buy the argument that linux and windows are equally secure. I think you're pulling strings out of your ear.
some karma... and kinda lukewarm about it.
If you're not using Linux now, you should be.
Don't like what MS does? Make sure that they don't get a single nickle of your money.
Linux is getting to the point where it is just about as easy to use *on the desktop* and once you know the desktop, you are halfway to knowing the server.
You *do* have a choice, you know...
Get Linux, install it, learn it. Burn a copy for a friend. Help them install it and learn it.
Lather, rinse, repeat.
Cheers,
Jim in Tokyo
-- My Weblog.
I dreamed once, likely from having a fever, that I went back in time and told the developers of IPv4, "Add two more octets to the address space. Yes, I know it seems like overkill right now, but it will solve so many problems in the future!"
Bob-
The Ludwig von Mises Institute. The reasoning individuals economics
This should only happen if you've got the "Outlook 2000 SR-1 Update: E-mail Security" patch installed or if you've installed Office 2000 SP2. Perhaps the version you installed already had one of these applied?
"Say goodbye to TCP/IP and to anonymous connections of any kind. Hello to Hailstorm, tracking everything down to the last mile, and a more business-friendly Internet with prioritized packet-handling."
Now, this does sound a bit too paranoid, doesn't it? 'Tracking everything down', 'Say goodbye to TCP/IP and anonymous connections...'. Kind of seems like prophetizing.
On to the real question. "Prioritized packet-handling". Who would have priority? I really don't know much about the workings of the protocols and how could priority handling be implemented, but the real question is: Who should deserve priority, and who should decide it? Should routers be set-up in any way people want, and backbones be controlled? Maybe there could be an independent committee to grant priorities according to some previous criteria.
My concern is that, as he puts himself, prioritizing packets would degenerate the net (my view) into being "more business-friendly". Degenerate because invariably companies have more money than universities, ergo companies have priority.
I just think that prioritized packets is something very prone to commercial abuse. Just my random thoughts, btw.
Carlos
...they can use this wonderfull "Micronet", with all those pay-per-use video-on-demand, content protection, secure audio path, flashy pages and can give the good old "broken" tcp/ip internet, without all that wonderfull stuff back to those who don't mind using text terminals, and "legacy" stuff. Perhaps then we will be able to use IRC, USENET, even telnet, back again.
Give them (tcp/ip) 10% of the bandwidth. It will be more then enough.
What are Cringely/GRC talking about?! What prevents you from using SOCK_RAW sockets under current non-NT/2000 windows!? I wrote, and been using, my own ping-like application under 98 for quite a while now. Never had any problems.
;-)
I wish I knew what they've been smokin'! Must be quality stuff!
This is not to say that I do not agree with you -- I do actually. The thought just struck that, at /. -- the amateur journalist website that pretends its a professional journalist website while still insisting that it's an amateur journalist website so they can make gratuitously bad mistakes but never ever print retractions thus feeding large amounts of misinformation into what is still a largely ignorant crowd and use it as a soapbox resource to further their own political or ideological or purely selfish views (unless you're Sengan in which case you get chastised for it and told you're a naughty, naughty boy who needs a spanking) -- moderation is less about actually having good content in your posts and more about how good you can make the moderator feel or how much guilt you can dump on them.
People are fickle and stupid.
And now to get back on topic...
> they don't really have a clue exactly
> what it is they're doing, anyway. They
> just do it, and most of the time, it
> works well enough for them.
Good point. This goes along my theory/view that technology is created with knowledge, but generally used in ignorance.
Let's review how we get technology:
1. Scientist acquires knowledge by pure research.
2. Engineer applies scientist's shared knowledge to solve problems. This often includes designing technology.
3. Technologist uses devices and methods (technology) made by engineer, with the special point that the user can be ignorant on how the thing works.
Of course there is lots of interconnection, as scientists and engineers use technology, but whenever you use something that you don't know how it works or how to make it yourself, you are a "technologist". 99% of computer users are technologists, to a certain degree myself. Heck, there is a whole industry based on ignorance of how computers work called "Information Technology" where people just "troubleshoot" and never really know what the problems are. (I worked in that for a short while as an intern.) Software programmers fall somewhat under the "engineer" category if they have been trained correctly.
Anyway, society will always have "technologists" (perhaps "lamers") because:
1. People are generally not technically capable of learning how technology really works or how it is made.
2. There isn't enough time for everyone to learn everything. See mortality.
Sorry for the rant, but its important that people understand this situation.
Welcome to the future!
A while back, Red Hat discovered a security hole, and mysteriously a virus appeared that patched the hole.
A 'better' solution would be to exploit MS machines, and download and build the appropriate secure Linux distro for that hardware type.
No windows machine should be permitted on the internet: the immediate penalty should be replacement of the OS.
Before going into my opinion on why people see M$ in this way, I should explain a few things first.
so, all that aside. People love Microsoft because their products are incredibly useful.
As programmers, we know that Microsoft products are buggy, poorly written, and often just plain stupid.
However, you try writing a book with a pen and paper. Now open, even, Word 6 running on Win 3.1 and compare. It's not hard: the M$ product wins out every time.
Or try doing some serious accounting work on a paper ledger, then open M$ Money. Damn, but, you know...
The problem, fundamentally, is that computers are too good. Computers in general are such fantastically useful tools that people love them, even when they're seriously non-optimal.
As far as I can tell, the only really strong link in the whole M$ apps network is Word. Word has so many features, I find it quite incredible. (It does have security failings and other failings, of course. But given the size of its codebase, it's actually pretty reliable, I think. Unlike, for example, IIS, which is just a little program.)
Which is why people shell out all that cash for Office, because Word is amazing, and the features it has are stuff they understand. People understand writing. They don't understand email. They like email, they just don't know how it's supposed to happen. So most of them use Outlook because it comes with their Word, and they assume that because Word is amazing, Outlook is too.
So anyway: that's my point. Computers have radically changed people's lives and made possible things that they found hard to imagine before. Even when they're running M$ operating systems, they're still fantastically useful, so nobody thinks to ask if there's something better around.
my old sig used to be funny, but then slashcode ate it and now it's not funny anymore
I guess responding to Slashdot is now part of the Microsoft bonus structure for their employees - i.e. 1 share for every reply that confuses and distracts from the actual article. 30,000 more FUD spreaders; and the scariest part is they actually firmly truly believe the MS FUD. There must be something in that Green Apple Diet Ice after all.
Howard, as in "Howard be thy name".
Naaaah...
TCP/IP over 802.11 - community freenets!
I was looking at the Seattle Wireless/Freenet site yesterday - marveling over a directional antenna members had built for 802.11 communications that got 3db of gain - and was essentially constructed out of PVC pipe, threaded steel rod, and washers, with a reflector made from a candy tin!
They had an omni that was constructed in a similar "use-whatever-parts-you-can-buy-cheaply" manner.
I think we would see these things springing up rapidly, and to hell with the FCC. That, or wireless lasercomm solutions. Perhaps individual community nets would be tunneled across the new MSnet - at least until long distance interconnects could be built and put in place. Or perhaps connected in a FIDOnet type fashion over multiple long distance modem-to-modem connects.
Never thought I would see the day I would go back to BBSing...
Reason is the Path to God - Anon
...He's a Mac user.
Actually, Cringely is like, Head Pundit or something. You don't necessarily have to know a lot about something to be a pundit for it, you just have to get there early and say you know what you're talking about, that's what Cringely did with Nerds, Nerds2.0, etc, and the Internet.
I like music
Unlike other nations which can trace their heritage back many hundreds or thousands of years, America is an "invented" country, whose identity resides pretty much in the day to day consciousness of the people (ask somebody what being "American" means).
What you say is true today - but America does have a culture, and a history - one of the most colorful ones in the history of the world, as well as one of the most bloody.
But it isn't taught - and when and where it is taught, rarely is it in a way to excite people.
I remember my senses and thoughts almost dulled to the point of exhaustion by American History. But today, as an adult - I have begun to see that how we were taught had a lot to do with my boredom of the subject. One thing I mean to do, and soon, is to study up on the history and people of the "Old West" - what I have learned so far, living in Arizona and visting surrounding "Old West" towns (as well as about Phoenix itself) has taught me about the hard and dangerous life that the expansion of the west was really about. Similarly, I am interested in the colonial and revolutionary periods. Even the Civil War era holds my interest. I have always been excited about the days I consider between the Civil War and oh, say Kitty Hawk (1903) - and the technical advances in steam transportation, electricity (and the whole Tesla vs. Edison debate), computing (Hollerith), and flight (Langly vs the Wrights) - all of which happened here in America (and yes, I know that much of steam and electricty were invented and developed in Europe, but many great advances in uses of electricity and distribution, as well as locomotive transportation, happened here). It is so colorful, so amazing - the things that have happened and transpired here in our country. As much as I would like to someday tour Europe and see the history and ideas of that continent firsthand, I dare say that it is more important to me as a citizen of this country, the United States of America, that I learn about it first.
Unfortunately, I wish other people of this country would realize this as well. I only touched upon the color that makes up this country - there is so much more - and what makes it amazing, is that the majority of it has happened in only the last 200 odd years...
Reason is the Path to God - Anon
OK - so they aren't perfect - but Apple has yet to make it so that every layer on this machine can and does talk to every other layer, across apps, to the point where an email attachment can tell your finance software to dredge your disk and blab your data to the world... where the scripting language in the browser and the email tool is the same language that can run file operations and launch apps... this was probably once a very cool thing at a demo, and a very bad thing when everyone who feels like it can send you any payload they want... Just becausse something *can* be done doesn't mean it *should* be done. *sigh* of course when the only identifier needed to decide app or data is a three letter extension, what were you expecting? isn't there anyone who can dope-slap otherwise intelligent people like Myhrvold and get a responsible OS going? The more I learn about WIN the more it is simply a black-hat's dream.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
The bug was Sun's. This was clear to everyone at the time. But now we see yet another Microsoft conspiracy rumor starting on the net... Watch carefully folks, people will be quoting this as gospel in a couple months.
Xavier
Do I make sense? Please report if not.
Remember his "PhD"!?
When i worked at a Air Force base - and we had perfectly good Sun Sparc20's running as our servers (mail, dns, SQL, etc)...
.NET.. why should we think that they will stop there?
my boss told me that because we were upgrading to Windows 95.. that it was time to ditch all those servers and get Windows servers with Exchange, et al...
i asked him why should we get rid of our perfectly running servers which had given us no trouble at all just to move to Microsoft? "Because, we're getting in contractors now, and they only know Windows Nt 4.0."
Later on, it was then decided that instead of bases having their own servers and their own email systems, that now that we'd all moved to Exchange, that we'd all put our GALs together (Global Address List - the list that Outlook/Exchange VBScripts use as their distro lists to replicate themselves), then we'd really kick ass.. no more joe.blow@otherairforcebase.af.mil...
my reply was - um... LDAP servers? open Source? Hello? Anyone?
well, skip ahead to today - the US Air Force (and soon all of DoD) is going to be moving from its now Air Force-wide GAL (why we just pull the plug now during virus scares and why we were down for weeks during Melisa) to Active Directory.
back when i shut down all my Sun boxes.. i told my boss that this was just stupid.. why should we give up on what works just to buy what Microsoft is giving us? Their goal was not to give us good products, but to get us to buy their products... and things like Exchange, with its GAL, are just the first protocols that they are trying to hijack and take back on the internet... eventually, all the open ones would be overthrown by the new default MS proprietary ones that would ship someday with newer versions of Windows.
I thought it might end with email.. but i see that i'm wrong.. i agree with Cringley... its going to go all the way.. and we have no way to stop it..
MS will take over the internet.. they are already took over filesharing with SMB, they are taking over email with Exchange, they have taken over HTM L with Explorer, they are trying to take over java with
sigh.. oh well..
guns kill people like spoons make Rosie O'Donnell fat.
It's a pseudonym for a team of (quite knowledgeable, quite talented) writers. The guy who presents the TV show is just an actor. The story about Apple is completely false. (Jobs doesn't mind, of course --- it adds to the mythology.)
There was a front-page story in the WSJ a few years ago, about how InfoWorld, PBS and various freelance writers were locked in legal battles over who had rights to the name.
IIRC, MS did the original port of AT&T UNIX to the 8088, and called it XENIX.
Shortly thereafter, MS came out with MSDOS 2.11. It had amazing new features. And an amazing new slew of command-line characters to do wonderful new things.
Like subdirectories.
Like '|' for piping output.
Like '>' for redirecting output.
Like the other character for redirecting input.
Like 'COM' and 'LPT' and the whole concept of devices as filenames.
And the list goes on. Microsoft would have withered and died without these 'new' features. All stolen directly from UNIX. Which they implemented using the UNIX source code. (Bastards didn't even have the smarts to write their own 'clean' code.) Which they never would have had access to if they hadn't done the XENIX port.
Why Microsoft never got the shiite sued out of them for blatant feature stealing, I'll never understand.
It wasn't THAT backwards. IT was written as an expression:
A> pip b:=a:*.*
That copied all the files on drive A to drive B.
Just like good old BASIC's LET A=B set variable A to be equal to B. FWIW, it is true that many of the lamest things in MS OSes date back to CP/M. Drive letters instead of mount points, ^Z for EOF, CR/LF instead of newline, and so on. Even the infamous DOS PSP (program segment prefix) is practically a byte-for-byte clone of the CP/M base page (did you know you could make DOS calls from a small-model DOS program by doing a CALL 0x0005 instead of an INT 0x21? That's how you called CP/M.) For all I know, the old "FCB-style" file system calls still work in NT's command-line window! (The FCB stands for File Control Block. CP/M didn't use file handles. Instead the OS filled in a structure in the application's memory with all the data neede to access an open file. The real downside of FCBs was they were never made able to work with heirarchical directories).
All of these "klunky" designs of CP/M make a lot of sense when you realize that CP/M had to be able to run on a machine with only 16k of memory and still had to leave room for an application program that could do something useful.
MS-DOS has little excuse (with its ability to address 1M - barring IBM's goofy BIOS placement that limited it to 640k), and Windows 32-bit has no excuse whatsoever.
Actually, the whole thing is a steaming mound.
But what irks me most is that the reason most viruses target Windows is simple: MOST COMPUTERS RUN WINDOWS!
Any platform is susceptible to viruses. Anybody who wants their virus to spread successfully should logically write it for the most common host.
Do Anti-Microsoft Zealots lose part of their brain function when they are recruited into the fold?
I've never hated M$ as much as I've hated the fools that have, for the last 20 years, encouraged them because they just HAVE to have that (once IBM (as in IBM PC) and now M$) software to stay compatible with the software they're currently running. Sure a Mac is better than an IBM XT or AT or whatever, "but there's no software for it". Same, only more so, for the NEXT computer, or early windowed Unix, etc., etc.
MS architecture seems to be an enabler for virus writers.
Perhaps the sum of the of MS-based virus attacks is a left-handed thank-you from Billy's anti-fan club. Now, if we could just re-direct that misguided talent towards beefing up Open Source productivity software...
Ultimately, the market just has to gaff off XP. We don't need the gubmint and the lawyers racing Microsoft to see who can be the bigger waste of money. We just refuse to buy refuse.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear