Slashdot Mirror


TCP/MS, We'll Cure What Ails You

Cringely can string some words together from time to time, and this week's installment is a pretty good one. He's been reading a little too much Gibson (raw sockets have nothing to do with the spread of MSTDs), but overall, he's probably right. When the time is ripe, I think we'll see a move exactly like this.

22 of 478 comments

  1. Re:Already been done... by rabtech · · Score: 3, Informative

    Slow down your shoveling boy... you might hurt yourself.

    So exactly how can Microsoft's IPv6 stack be proprietary, when they don't own the routers, switches, et al.? You see, if they change the format of the packets, then the router needs to accept the new format. Since Cisco should be setting up their IPv6 stuff to the agreed standard, that leaves Microsoft little choice.

    Microsoft's network protocol implementations have always been fairly standard and able to interact with the world at large. I don't see that changing in the future.

    As for IPv6, I don't see that really rolling out until XP covers much of the marketplace. XP (and the Server 2002 editions) should have native IPv6 support.

    Stop spewing FUD. It isn't any more endearing than when Microsoft does it.

    --
    Natural != (nontoxic || beneficial)
  2. I just KNOW I'm going to get flamed for this... by kiwimate · · Score: 1, Informative

    ...but you actually usually have the option. Example: you can run c:\apps\program.exe OR you can run c:/apps/program.exe. This definitely works in NT 4 and Windows 2000; I can't comment about Windows 9x because I can't remember the last time I used it. You can start up Word using winword.exe /nd (to suppress the blank document) OR using winword.exe -nd (except I think they took that parameter out in Word XP; but it works in Word 97 and 2000).

    Yes, there are most certainly incompatibilities, subtle and blatant. But let's also remember that one of the great things about standards on the PC is that there are so many of them to choose from. If you wanted to share information 10 years ago with someone who used a different word processor from you and you didn't use a Mac, well, the very best of British luck to you. One thing Microsoft did do was to start introducing some measure of interoperability in the PC software world. By all means, let's hold them (and other vendors) accountable for their less-than-stellar concepts, but let's at least get the facts straight.

    And here I am apologizing for telling the truth and defending Microsoft. Oh dear, oh dear, oh dear.

  3. Re:Raw Sockets == IP packet spoofing by DeeKayWon · · Score: 3, Informative

    Also (to my knowledge), *nix OSes restrict raw socket use to root. Guess what - XP Home edition has no such concept. Everyone is effectively root.

  4. Re:MS already changed tcp already... by ozbird · · Score: 3, Informative

    Netscape 4 requesting from IIS is markedly slower than you'd expect by looking at relative performance on Apache with NN and IE.

    I'm not so sure about this. While experimenting with Squid's user agent logging facility to see who was running what browser on my network, I noticed that MS Internet Explorer actually claims to be "Mozilla 4.0" - go figure.

    I can say for certain that Microsoft's support web site does not tolerate unknown browsers graciously at all - when confronted with Netscape 6.0 beta or a Squid anonymised user agent string, it got stuck on one page redirecting back to itself...

  5. Re:Hi, I've lived under a rock for a while by einhverfr · · Score: 3, Informative
    We could implement a secure user identity system precisely like telephone Caller ID. It would be essentially an Internet ID. All Internet transactions could be based on it. Anyone who sends me e-mail can be identified. Anything I send can be traced to me. People wouldn't be forced to participate, but if they remain anonymous, I might choose to block them. I certainly wouldn't accept file attachments from them.

    You can already do this. You can trace email. You can block email from those you don't know. And this system won't work to block email worms because usually they come from people who you know.

    Caller ID, like rDNS mapping of incoming IP addresses (cumbersome), etc. You can do this sort of strategy on so many levels... Of course someone who says that Linux is safer than Windows on one hand and that raw sockets are dangerous evidently is simply parroting what he has read and not actually studied the matter. Has he heard of any sort of authentication service or tactic? That is what these are about, and of course many people do block people without the proper credentials from access to their networks ;)

    Raw sockets exist in Windows 2000, and I assume that it has a bit to do with the FreeBSD code in the TCP/IP stack... This code has helped to make Win 2k far more stable on a network than its predecessor, IMO. If they are such a problem, why not accuse Linux or FreeBSD of the same problem...

    He also states:

    And what's with those file attachments, anyway? Replace mail clients and APIs with secure models. The new model will not run attachments as they do today. E-mail attachments should not have access to the e-mail client, APIs, etc. Attachments should not have access to the operating system by default. The user should approve the use of some APIs, like having to give permission before device drivers are updated.

    This guy is out to lunch. It is simply sufficient to limit user privileges and require them to export the attachments before they can be run.

    The only e-mail activity on my PC should be initiated by me, personally. Nothing else should access my address book or send out messages without my express permission. Microsoft will of course reject the idea, mostly because it will fail the "increase market share litmus test." My answer is, "Microsoft, if you do not take responsibility for locking down your APIs, it will become obvious to the public and become a detriment to your market share."

    Which Office XP does quite nicely. Of course SirCam bypasses these controls and sets up its own SMTP server... You cannot get around it totally. I am no more a Microsoft fan than the next guy, but this guy is a bit over the top...

    --

    LedgerSMB: Open source Accounting/ERP
  6. Re:Raw Sockets == IP packet spoofing-- So? by einhverfr · · Score: 3, Informative
    So, right now the limited defense in the DDoS zombie attacks from Windoze is the fact that the IP packets have valid source addresses. These can be filtered at backbone or ISP provider routers.

    ???!

    So says Gibson. Why does that make things easier? Have you ever set up a screening router? You can filter out whatever you want...

    --

    LedgerSMB: Open source Accounting/ERP
  7. Re:How DID they do that? by JabberWokky · · Score: 3, Informative
    No, the convention was a ^Z, but only if the file didn't end on a block boundary.

    That's right - I remember a common problem of that era was nulls and/or random binary junk padding out the end of files to an "even" size.

    --
    Evan

    --
    "$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
  8. Re:Sock_Raw by strags · · Score: 3, Informative

    SOCK_RAW access permits applications to spoof source IP addresses, thus disguising the source of a DoS attack.

  9. Re:How DID they do that? by Anonymous Coward · · Score: 0, Informative

    For the average luser, email == Outlook.

  10. Oh give me a friggin' break! by ellem · · Score: 3, Informative

    --News Flash Y2K was a hoax.

    --News Flash The internet is not going to be "shut down" by any stupid virus.

    --Any half decent FW comes with its own proprietary TCP/IP stack... Yeah MS might think about changing over to something else.

    --It is time for "technologists" to cut it out and stop trying to scare the Hell out of everyone with this MS is evil and the internet is falling shit.

    --Bottom line if MS was as bad as WE all think it is it WOULD disappear. Truth is it isn't that horrible. For 90 minutes at a time it's a great gaming platform.

    --
    This .sig is fake but accurate.
  11. raw sockets: DOS using TCP port 80! by mjh · · Score: 3, Informative
    The deal with raw sockets seems to be more complex than any of the posts that I've read here.

    The deal is that w/out raw sockets, in order to send large amounts of data, you have to send UDP packets with the data. When creating a datagram socket (i.e. for sending UDP packets), you don't have to get a successful return from connect() prior to sending data. Thus you can just start sending huge packets.

    But with stream socket (i.e. for sending TCP packets), you have to get a successful return from connect() before you can start sending data. Which means that before you can send any data to a server, you have to send a SYN packet, get a SYN-ACK packet back, and then send an ACK packet. Only then will connect() return with a success, and then you can start bombing away at the server with huge packets. But even then if you don't send them in a form that is recognizable by the application, the server will just issue a RST and close down the connection. For example, if your stream doesn't include HELO foobar, when you connect to an email server, the server will just disconnect.

    Non-raw sockets make it easier to filter out attacks at the upstream provider because they are usually UDP packets which your web application does *not* need. So you just filter them and then you're done with it.

    With raw sockets, it becomes *much* harder to filter upstream. With a raw socket, you can create a SYN packet from a random IP address to a web server on PORT 80. That SYN packet can be 9k long if you want it to be. And it will be to a port that you can't easily filter out. Basically, it makes the DDoS attack much easier and harder to prevent. The attack could come from any IP address, and it will be destined for your web server, which (presumably) you want to keep running. How do you filter out a packet destined to port 80 from possibly anywhere without also filtering out the legitimate connections?

    Of course, even without raw sockets, you can still initiate a DDoS attack against a TCP port. If there were fewer script kiddies and more programmers, it would not be that difficult to write a simple program that uses a stream socket, and DDoS's with a well formed HTTP POST that posts 18MB of data. If the DDoS kiddies were able to program, then that's what they'd do, and they wouldn't need raw sockets to accomplish it.

    So while I agree that the addition of raw sockets really isn't that big of a deal, it seems to me that it's a little bit more complex than what I've seen so far.

    $.02

    --
    Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
  12. Re:MS already changed tcp already... by peccary · · Score: 3, Informative

    I'm pretty sure that was an accident -- it was an old BSD bug that they inherited, and their million-monkey QA process would never find a minor performance regression, would it?
    Btw, it wasn't just HTTP requests that were slow, it was any TCP connection establishment.

  13. Re:Raw Sockets == IP packet spoofing by sheldon · · Score: 3, Informative

    Outlook XP as well as a patch available for Outlook 2000 attempts to solve this problem.

    It blocks many different attachments based on their extension. It also notifies the user when they try to send such an attachment that it might be a bad idea.

    It's described in MSKB article Q290497.

  14. People target MS software because it's ubiquitous by Anonymous Coward · · Score: 0, Informative

    If Linux were ubiquitous, it would be more targeted. And, there is nothing about Linux that is fundamentally more secure than MS software. It's amazing to me how a group of technologists can have such a distorted view. Aren't we supposed to be Computer SCIENTISTS?

  15. Sock_Raw by NitsujTPU · · Score: 5, Informative

    This is true, I have NO IDEA what Cringely is saying when he says that raw sockets allow for more viruses and such to be introduced to your system.

    For the uninitiated...

    Generally, when programming, you define a great many things when defining a socket, the layer of abstraction to tcp/ip defining a single connection.

    SOCK_RAW is a bit less abstract: you define more of the data that is being used by hand rather than allowing the socket code to do it for you. Generally you use SOCK_STREAM or SOCK_DGRAM, which define TCP and UDP sockets, respectively. SOCK_RAW writes directly to IP, so you must encode many of the headers manually rather than automatically, as the other 2 would do, and then write them to this socket.

    In other words, it has NOTHING to do with getting viruses! SOCK_RAW is just another socket, but you are writing to the IP protocol, rather than TCP or UDP (which sit on top of IP). It also has nothing to do with being DoS attacked. I have NO CLUE where he got that from.
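What "encode the headers manually" means in practice, for comments 8, 11 and 15 above. This is an added example, not code from the thread or from any of the posters: it builds in memory the bytes a program would hand to a SOCK_RAW socket (with IP_HDRINCL set) to emit one TCP SYN, computes the IPv4 and TCP checksums, and verifies them the way a receiving stack would. Nothing is sent. The addresses (192.0.2.1 and 192.0.2.2), ports and sequence number are constructed sample values. The security-relevant line is the one that writes the source address: with a raw socket it is whatever the caller puts there, which is the spoofing comments 8 and 11 describe; with SOCK_STREAM the kernel fills it from its own routing table and the application never sees the field.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not code from the thread. Builds an IPv4 + TCP SYN the
 * way a raw-socket sender must: every header field by hand. */

enum { IP_HLEN = 20, TCP_HLEN = 20, SYN_LEN = 40 };

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static uint32_t get32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* RFC 1071 Internet checksum: ones'-complement of the ones'-complement sum
 * of the 16-bit words. Computed over a header that already contains its own
 * checksum it yields 0, which is how a receiver verifies it. */
uint16_t inet_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) {
        sum += (uint32_t)data[0] << 8 | data[1];
        data += 2;
        len -= 2;
    }
    if (len)
        sum += (uint32_t)data[0] << 8;          /* odd trailing byte */
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);     /* fold carries */
    return (uint16_t)~sum;
}

/* TCP checksum covers a 12-byte pseudo-header (src, dst, zero, protocol,
 * TCP length) followed by the segment itself. Only bare headers here. */
static uint16_t tcp_checksum(uint32_t src, uint32_t dst, const uint8_t *tcp, size_t tcplen)
{
    uint8_t buf[12 + TCP_HLEN];
    if (tcplen > TCP_HLEN)
        return 0xffff;
    put32(buf, src);
    put32(buf + 4, dst);
    buf[8] = 0;
    buf[9] = 6;                                 /* IPPROTO_TCP */
    put16(buf + 10, (uint16_t)tcplen);
    memcpy(buf + 12, tcp, tcplen);
    return inet_checksum(buf, 12 + tcplen);
}

/* Write a minimal IPv4 + TCP SYN into buf (SYN_LEN bytes). Returns length. */
size_t build_syn(uint8_t *buf, uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport, uint32_t seq)
{
    uint8_t *ip = buf, *tcp = buf + IP_HLEN;
    memset(buf, 0, SYN_LEN);

    ip[0] = 0x45;                   /* version 4, header length 5 words */
    put16(ip + 2, SYN_LEN);         /* total length */
    put16(ip + 6, 0x4000);          /* flags: don't fragment */
    ip[8] = 64;                     /* TTL */
    ip[9] = 6;                      /* protocol: TCP */
    put32(ip + 12, src);            /* source address: caller's choice, nothing checks it */
    put32(ip + 16, dst);
    put16(ip + 10, inet_checksum(ip, IP_HLEN));

    put16(tcp + 0, sport);
    put16(tcp + 2, dport);
    put32(tcp + 4, seq);
    tcp[12] = 0x50;                 /* data offset: 5 words */
    tcp[13] = 0x02;                 /* flags: SYN */
    put16(tcp + 14, 65535);         /* window */
    put16(tcp + 16, tcp_checksum(src, dst, tcp, TCP_HLEN));
    return SYN_LEN;
}

/* What a receiving stack checks before believing the packet: both
 * checksums verify and the segment is a bare SYN. Returns 1 if so. */
int verify_syn(const uint8_t *buf, size_t len)
{
    if (len < SYN_LEN || buf[0] != 0x45 || buf[9] != 6)
        return 0;
    if (inet_checksum(buf, IP_HLEN) != 0)
        return 0;
    if (tcp_checksum(get32(buf + 12), get32(buf + 16), buf + IP_HLEN, TCP_HLEN) != 0)
        return 0;
    return (buf[IP_HLEN + 13] & 0x3f) == 0x02;
}

uint32_t syn_src(const uint8_t *buf) { return get32(buf + 12); }

int main(void)
{
    uint8_t pkt[SYN_LEN];
    /* Constructed sample: claim to be 192.0.2.1, aim at 192.0.2.2 port 80 */
    size_t n = build_syn(pkt, 0xC0000201u, 0xC0000202u, 40000, 80, 1);
    printf("built %zu bytes, verifies=%d\n", n, verify_syn(pkt, n));
    /* Sending this unchanged is the raw-socket step, and the one that needs
     * root on Unix:  s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); sendto(s, pkt, n, ...);
     * A SOCK_STREAM connect() never exposes the source field at all. */
    return 0;
}
```

The verifier at the end is the part worth keeping around: flipping the flags byte or one bit of the source address makes both checks fail, which is why a spoofed packet has to carry its own correctly recomputed checksums rather than copies from a captured one.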

  16. Re:How DID they do that? by tcr · · Score: 2, Informative

    IMHO, the reason is that Microsoft is trying to capture some more of the groupware market share for themselves. Traditionally, products like Lotus Notes have been able to use scripting in the (mail, but also general-purpose) client for workflow and other groupware applications.

    The difference is that scripts in that environment have to carry the signature of the script author, and the code can only be executed if that signature RSA ID is allowed within the Execution Control List of the users' client/mail programs. Each signature can also be granted up to 11 privileges (such as ability to send mail, ability to access other databases - like the personal address book), refining the security model.

    Someone else's idea, carelessly implemented.
    They have no concept of a sandbox.

    --
    Information wants to be beer.
  17. IPv6 myths by Cato · · Score: 4, Informative

    IPv6 does not have any more support for QoS than IPv4 (except for the flow label, only useful with RSVP, which is very rarely deployed). I work for a software company that enables people to deliver QoS today on IPv4, and quite a few are happily doing so.

    IPv6 does not have 'traceability' - there is an IETF RFC detailing how to have slowly changing IEEE identifiers (MAC addresses) so that your IPv6 address will not include a static ethernet card MAC address. No more traceable than IPv4, and better in some ways.

    IPv6 has no more guaranteed delivery than IPv4 - both of them can use TCP to ensure delivery of packets, but IPv6 has no special features in this area.

    IPv6 is all about larger address space, easier router/host configuration and auto-configuration, easier re-addressing, better mobile IP, reduced routing table sizes, simplified options processing, and simplified headers. Please read up on IPv6 at http://www.ipv6forum.com before making these misleading statements.
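The traceability point in the post above, made concrete. This is an added example, not the poster's code: it shows the modified EUI-64 transform (RFC 4291) that embeds a card's MAC address in an IPv6 interface identifier, how trivially that transform is reversed by anyone who sees the address, and the privacy-address alternative the post refers to (RFC 3041, now RFC 4941), where the identifier comes from random bits instead. The MAC, prefix and entropy bytes are constructed sample values, and the temporary-identifier routine is a simplified version of what RFC 4941 specifies: it takes entropy from the caller so the result is reproducible, where the RFC derives it from a hash chain and regenerates it on a timer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Added example, not from the thread: EUI-64 interface identifiers versus
 * RFC 3041/4941 temporary identifiers. */

/* Modified EUI-64 (RFC 4291 appendix A): insert ff:fe in the middle of the
 * 48-bit MAC and invert the universal/local bit (0x02 of the first octet). */
void eui64_from_mac(const uint8_t mac[6], uint8_t iid[8])
{
    iid[0] = mac[0] ^ 0x02;
    iid[1] = mac[1];
    iid[2] = mac[2];
    iid[3] = 0xff;
    iid[4] = 0xfe;
    iid[5] = mac[3];
    iid[6] = mac[4];
    iid[7] = mac[5];
}

/* The traceability problem: the transform is reversible, so anyone who sees
 * the address learns the card's MAC. Returns 1 (and fills mac) if the
 * identifier has the EUI-64 shape, 0 otherwise. */
int mac_from_eui64(const uint8_t iid[8], uint8_t mac[6])
{
    if (iid[3] != 0xff || iid[4] != 0xfe)
        return 0;
    mac[0] = iid[0] ^ 0x02;
    mac[1] = iid[1];
    mac[2] = iid[2];
    mac[3] = iid[5];
    mac[4] = iid[6];
    mac[5] = iid[7];
    return 1;
}

/* Temporary identifier in the style of RFC 4941: 64 random bits with the
 * u/l bit cleared (locally administered). Simplified: entropy is supplied
 * by the caller. Returns 0 if the random value happens to have the ff:fe
 * pattern, in which case the caller retries with fresh entropy so a
 * temporary address can never be mistaken for (or parsed as) an EUI-64. */
int temp_iid(const uint8_t entropy[8], uint8_t iid[8])
{
    memcpy(iid, entropy, 8);
    iid[0] &= 0xfd;
    return !(iid[3] == 0xff && iid[4] == 0xfe);
}

/* Join a 64-bit prefix and an identifier and render with inet_ntop.
 * Returns 1 on success. */
int iid_to_addr(const uint8_t prefix[8], const uint8_t iid[8], char *out, size_t outlen)
{
    uint8_t addr[16];
    memcpy(addr, prefix, 8);
    memcpy(addr + 8, iid, 8);
    return inet_ntop(AF_INET6, addr, out, (socklen_t)outlen) != NULL;
}

int main(void)
{
    /* Constructed sample: MAC 00:11:22:33:44:55 on the 2001:db8::/64 prefix */
    uint8_t mac[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
    uint8_t prefix[8] = {0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0};
    uint8_t entropy[8] = {0x9a, 0x7c, 0x11, 0x02, 0x03, 0x04, 0x05, 0x06};
    uint8_t iid[8], tmp[8], back[6];
    char s[INET6_ADDRSTRLEN];

    eui64_from_mac(mac, iid);
    iid_to_addr(prefix, iid, s, sizeof s);
    printf("EUI-64 address:    %s (MAC recoverable: %d)\n", s, mac_from_eui64(iid, back));

    temp_iid(entropy, tmp);
    iid_to_addr(prefix, tmp, s, sizeof s);
    printf("temporary address: %s (MAC recoverable: %d)\n", s, mac_from_eui64(tmp, back));
    return 0;
}
```

Run stand-alone it prints the EUI-64-derived address 2001:db8::211:22ff:fe33:4455, from which the MAC falls straight out, and a temporary address that carries no such structure.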

  18. Re:Somehow I doubt it by strags · · Score: 2, Informative

    Filling in the gaps Cringely left, I'll postulate that each packet would be digitally signed with the private key of the individual authorizing that packet. Handling of the packet at the receiving host would be dependent on that host's trust level of the signer. When an infected IIS server S1 makes a TCP connection to a clean IIS server S2, the connection would be at a minimal (public) privilege level. This would cause the resulting thread|process to run at the untrusted/public level. Then, when the buffer overflow hands control to the attacking worm, the worm has only gained 'public' level of access, rather than root. (Yes I know they don't call it root.) In other words, this is a redesign of the OS kernel, not just the protocol. Otherwise it's meaningless.

    I may be mistaken, but this sounds pretty much equivalent to just making sure that your httpd (for instance) daemon (and any children it spawns) don't run as root. I don't think you need a whole new packet-level protocol for this.

    I believe that authentication and crypto are best left to higher-level protocols. IP is for shunting packets around - nothing more, nothing less. If we really want to avoid spoofing, a much better way would be to make routers stricter with regard to packets arriving on an unexpected network interface.

    Strags
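The router-side check Strags proposes in his last paragraph, and the "screening router" einhverfr mentions in comment 6, is what BCP 38 (RFC 2827) ingress filtering and strict unicast reverse-path forwarding do: a packet is accepted only if the route back to its claimed source points out the interface it arrived on. This is an added example, not code from either poster: a toy routing table with longest-prefix match and a strict uRPF decision function, with a constructed two-route table (a customer on 192.0.2.0/24 behind one interface, a default route up the other) so the spoofed and legitimate cases can be checked.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not from the thread: strict unicast RPF on a toy router. */

struct route {
    uint32_t prefix;   /* network address, host byte order, already masked */
    int plen;          /* prefix length 0..32 */
    int iface;         /* interface the prefix is reached through */
};

enum { IF_CUSTOMER = 0, IF_UPLINK = 1 };

/* Constructed sample table: one customer prefix, default route upstream. */
const struct route sample_table[] = {
    { 0xC0000200u, 24, IF_CUSTOMER },   /* 192.0.2.0/24 */
    { 0x00000000u,  0, IF_UPLINK   },   /* 0.0.0.0/0    */
};

/* Parse a dotted quad into a host-order integer. Returns 1 on success. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = a << 24 | b << 16 | c << 8 | d;
    return 1;
}

static uint32_t mask_of(int plen)
{
    return plen == 0 ? 0 : 0xffffffffu << (32 - plen);
}

/* Longest-prefix match: index of the most specific matching route, or -1. */
int lpm(const struct route *rt, size_t n, uint32_t addr)
{
    int best = -1;
    for (size_t i = 0; i < n; i++) {
        if ((addr & mask_of(rt[i].plen)) != rt[i].prefix)
            continue;
        if (best < 0 || rt[i].plen > rt[best].plen)
            best = (int)i;
    }
    return best;
}

/* Strict uRPF: accept only if the best route back to the source leaves via
 * the interface the packet came in on. A customer port therefore passes
 * only its own prefix, and the uplink never passes packets claiming to be
 * from inside. (Asymmetric routing breaks strict mode, which is why
 * operators sometimes fall back to loose mode: "any route exists".) */
int urpf_strict_accept(const struct route *rt, size_t n, uint32_t src, int ingress_if)
{
    int r = lpm(rt, n, src);
    return r >= 0 && rt[r].iface == ingress_if;
}

int urpf_loose_accept(const struct route *rt, size_t n, uint32_t src)
{
    return lpm(rt, n, src) >= 0;
}

/* Convenience wrapper over the sample table: 1 accept, 0 drop, -1 unparsable. */
int screen(const char *src, int ingress_if)
{
    uint32_t a;
    if (!parse_ipv4(src, &a))
        return -1;
    return urpf_strict_accept(sample_table, sizeof sample_table / sizeof sample_table[0], a, ingress_if);
}

int main(void)
{
    /* Constructed cases: the second is the spoofed SYN from a customer box */
    printf("192.0.2.7   in on customer: %d\n", screen("192.0.2.7", IF_CUSTOMER));
    printf("203.0.113.5 in on customer: %d\n", screen("203.0.113.5", IF_CUSTOMER));
    printf("203.0.113.5 in on uplink:   %d\n", screen("203.0.113.5", IF_UPLINK));
    printf("192.0.2.7   in on uplink:   %d\n", screen("192.0.2.7", IF_UPLINK));
    return 0;
}
```

This is the same decision an IOS router makes with ip verify unicast source reachable-via rx on an interface. It answers comment 11's worry directly: the filter does not look at the destination port at all, so port 80 stays open, and the spoofed SYN is dropped one hop from the zombie, where the source interface still gives it away.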

  19. Technology is generally used in ignorance by mikey573 · · Score: 2, Informative

    > they don't really have a clue exactly
    > what it is they're doing, anyway. They
    > just do it, and most of the time, it
    > works well enough for them.

    Good point. This goes along my theory/view that technology is created with knowledge, but generally used in ignorance.

    Let's review how we get technology:

    1. Scientist acquires knowledge by pure research.
    2. Engineer applies scientist's shared knowledge to solve problems. This often includes designing technology.
    3. Technologist uses devices and methods (technology) made by engineer, with the special point that the user can be ignorant on how the thing works.

    Of course there is lots of interconnection, as scientists and engineers use technology, but whenever you use something that you don't know how it works or how to make it yourself, you are a "technologist". 99% of computer users are technologists, to a certain degree myself. Heck, there is a whole industry based on ignorance of how computers work called "Information Technology" where people just "troubleshoot" and never really know what the problems are. (I worked in that for a short while as an intern.) Software programmers fall somewhat under the "engineer" category if they have been trained correctly.

    Anyway, society will always have "technologists" (perhaps "lamers") because:

    1. People are generally not technically capable of learning how technology really works or how it is made.
    2. There isn't enough time for everyone to learn everything. See mortality.

    Sorry for the rant, but it's important that people understand this situation.

    Welcome to the future!

  20. Re:Gibson wrote zone alarm? by bl968 · · Score: 3, Informative

    Actually ZoneAlarm is an OK piece of software; however, Tiny Software's Tiny Personal Firewall is a much, much better piece of software. The firewall, in addition to allowing applications access to the net, allows you to set up specific permit and deny rules based on local port, remote port, local address, remote address, application, protocol, and much more. I look at it as a much improved version consisting of a hypothetical merge of ZoneAlarm with ConSeal PC Firewall and like products. In addition, Tiny Software's product is in use by the US Air Force on 500,000 desktop machines. Oh yeah, it's also free for personal use.

    FEATURES AT A GLANCE

    Multi-layer security protection (NDIS & TDI) Since the DSE resides on each computer in the network, it communicates directly with the operating system and negotiates what applications are even allowed to transmit and/or receive data.

    MD5 Signature Support As the DSE mandates what applications can bind for communication, it can also check for an MD5 digital signature for permitted applications. This ensures that Trojan horse applications cannot gain access by using the name of a permitted application.

    Stateful filtering based on SRC/DST IP address, port & application The DSE maintains a record of all sent packets and can therefore compare incoming packets to the record table to determine if they were requested. Additionally, the DSE can restrict applications to certain ports or destination IP addresses.

    Remote access to logs and statistics The DSE contains a separate statistic view that displays all active sessions and includes the status, port, remote IP, application or service and the time associated with each session. Logs may be viewed from the statistics view or sent directly to a syslog server for analysis and reporting.

    Suspicious activity monitoring and Intrusion detection The Tiny DSE contains a highly configurable reporting mechanism that can report specific intrusion attempts, or any other type of communication deemed suspicious, to a syslog server or to the CMDS server through an SSL connection.

    --
    "GET / HTTP/1.0" 200 51230 "-" "Mozilla/4.0 (compatible; Setec Astronomy)"
  21. Re:How DID they do that? by Sax+Maniac · · Score: 3, Informative
    Windows XP Home Edition runs everything as root. How can you apologize for that?

    Here's my guess: too much Windows software out there assumes you have "Administrator" privileges.

    I recently installed Windows 2000 and, not being a complete idiot, I set up accounts for myself and my wife. I did not give myself Administrator privileges; instead, to make system changes, I log in as Admin and make changes. You know, just like on Real OS's.

    Imagine my complete lack of surprise when all the apps didn't work properly. They all assume you have unfettered write access to any directory in the world. I've had to go down manually, guess which files each app wants to write, and then change the permissions on those directories so that it can happen.

    To MS's credit, Office did work properly. It's just that most Windows apps are not multi-user aware! Windows vendors, test your damn apps on NT without admin permissions!

    --
    I can explanate how to administrate your network. You must configurate and segmentate it, so it can computate.
  22. Bob Cringely doesn't really exist. by cyberformer · · Score: 2, Informative
    No, really!

    It's a pseudonym for a team of (quite knowledgeable, quite talented) writers. The guy who presents the TV show is just an actor. The story about Apple is completely false. (Jobs doesn't mind, of course --- it adds to the mythology.)

    There was a front-page story in the WSJ a few years ago, about how InfoWorld, PBS and various freelance writers were locked in legal battles over who had rights to the name.