Slashdot Mirror
TCP/MS, We'll Cure What Ails You
Cringely can string some words together from time to time, and this week's installment is a pretty good one. He's been reading a little too much Gibson (raw sockets have nothing to do with the spread of MSTD [?] 's), but overall, he's probably right. When the time is ripe, I think we'll see a move exactly like this.
Look, raw sockets in windows are not the end of the world: they're available already, open source (http://netgroup-serv.polito.it/winpcap/), and you can run them as a non-privaleged user. In as much as MS have a concept of privaleged users.
Even if they weren't, there are SO MANY possible security exploits you can run using a small army of 0wn3d windows boxes. Including (but not limited to) just packeting the crap out of Steve "Bloody" Gibson's webserver. For instance, has anyone considered using something to script the IE network libraries (COM objects, I would imagine) in the background and launch a 'many millions of perfectly valid requests, complete with cookies and everything' attack?
How would you defend against that?
This whole raw socket thing has been blown out of all proportion. Can we please stop fretting and find a way of PREVENTING these big attacks from being spread. Or possible. Or something.
Dave >:(
I write a blog now, you should be afraid.
You know, I thought the same thing as she did in the past. I'd worked for large companies and I knew how incompatibilities cropped up and it was just from engineers being distanced from their customers.
..someone took it out) CR/LF instead of NL. ^Z as EOF. blah, blah. I wonder how many of these are deliberate?
Well, I was chatting with an ex-microsoft employee who had moved over to the white-side and he put things in perspective. Microsoft has strategic meetings where they sit around a table and say "how can we own this?"
That put a different light on all those subtle incompatibilities I had always had to deal with.
Backslash instead of slash in paths... / for options instead of - (remember switchchar?
Hasn't microsoft already brok^H^H^H^H embraced-and-extended TCP/IP lots of times before?
There was a time when Sun servers responded "slowly" to windows HTTP requests because microsoft changed the behavior of TCP slowstart, etc...
I'm sure there are other examples.
I used to respect this person but now I have to wonder what kind of technical background he has and if that background is backed up by ay sound reasoning ability. I remember watching conspiracy theory in the theaters (You know with Mel Gipson). That had some pretty crazy ideas but this is just nuts. At one point in this article he suggests that everyone loose his or her anonymity. Then at another point in the article he criticizes Microsoft for their supposed protocol, which will remove anonymity. This article seems more like a rant by a frustrated Windows user than an actual intelligent discussion on the security problems of Windows.
The two main points of this article are based on flawed assumptions.
1. Raw sockets in windoze is not the end of the world. *nix systems have them, even vxworks. A number of ISP's filter forged packets. If this type of spoofing is such a harm, it is trivial for ISPs to implement this. Cripling stack interfaces in OS'es is rediculous.
2. Passport will not authenticate every connection made on the net. Sorry, this is a pipe dream M$ sold you on somehow. And second, priority net traffic based on M$ passport is even more impossible.
Ok you had me untill this part mate, and that's going way too far. Sorry to tell you, but the hassle of deleting and not opening annakournikova_jpg.vbs doesn't quite compare to some woman getting beaten by her husband. Not to mention the fact that it's nobody's fault that you get a virus except the prick who wrote the virus. Not microsoft's, and not even your less pooter-savvy mate who thought he was gonna see anna's tits. If enough people used a standard linux desktop for it to be worthwhile, more people would write virii for linux. As linux's popularity grows, so will virii begin to appear, or I'll eat my hat.
He didn't compare the severity of Microsoft viruses to the severity of wife-beating; he compared the emotional dependence of the victims of both upon the perpetrator of both. In other words, he is trying to answer the question "what keeps them coming back for more?"
Windows XP Home Edition runs everything as root. How can you apologize for that? They have said that user accounts and permissions are too complex for the consumer, yet both Mac OS 9 and Mac OS X have user accounts and permissions. Mac OS 9's are of the training-wheels variety, but Mac OS X is full-bore, hardcore Unix. iMac users are getting by, so surely Windows users can adjust? The reality is that bad network security is good for Microsoft, because they never get blamed, only "Internet hackers" get blamed, and they want us all to use MSN anyway, not the Internet.
As for your argument that popularity is the only reason Microsoft operating systems are virus-riddled, that is bunk. There are 25 million or more Macs out there, and there are lots of people who would love to stick it to Apple because they think Apple is on some kind of high horse. Why are there only a handful of Mac viruses? The system is completely scriptable, so there are tools there. But the worst Mac viruses all run in Microsoft software on the Mac. If you don't have Microsoft software, then you are susceptible to less than half of the viruses that run on the Mac.
Blaming virus writers is easy, but think of it this way: the guy who wrote "Melissa" simply sat down at his computer, wrote a document in Microsoft Word, and emailed it as an attachment to another user. He didn't cut through a chain-link fence, he didn't pick a lock, he didn't hack somebody's password; he just wrote a Microsoft Word document. One of the features of Microsoft Word documents is that they can include tables; another is that they can include scripts that send emails. Who is to say that using one feature is not a crime and using the other one is? Ignorant politicians and cops who believe Microsoft and their apologists. There were no Windows programs until Microsoft created the Windows API that provides the environment for them, and there were no Outlook viruses until Microsoft created an environment that demands them. If there is no security in that environment, then you can't expect things to be secure. If you leave your flashy sports car running and unattended with the doors unlocked, you have to share some of the blame when someone takes it for a joyride. Microsoft is practically begging people to write these viruses, which is the point of the article. They can't be this stupid ... they are doing it on purpose to give Unix itself a bad name. To make the world so scary that their users will cling to Microsoft's skirt like frightened children.
The only way I can explain it is that most people use Microsoft software, and what we use must be the best, right? I mean, how often does someone buy a new car and then complain about all the problems that it undoubtedly has? Hardly ever. It must be the same with computers; the Windows users have an emotional investment in the product and they want everything to be just fine, so they apologize for shoddy software; "Oh Windows crashed, I bet the next version is better, this one is getting quite old", "Oh I got a virus, I wish those evil hackers would be put to death". See my point? They never think to blame Microsoft because they are Microsoft to a certain extent; they belong to a huge fanclub of a massive group of people. That's gotta feel good.
And it makes it tough for us non-Microsoft users to get along with. Like the abused wife that toddles on back to her jerk of a husband, so the users return to Outlook, because "this time it will be better" and "I don't know how I could possibly function if my calendar and e-mail client were two separate programs."
The wheel is turning, but the hamster is dead.
But Cringely's real point is that Microsoft is a very powerful company with a long history of turning its own technical shortcomings into market strengths. Microsoft's PR machine is incredibly effective - witness the FUD that kicks into high gear any time MS announces anything.
It's also instructional to remember a few Microsoft projects that didn't go off as planned. Ever wonder why journalists never bring up those failed efforts, or points to the millions of wasted dollars MS has spent over the years on vaporware?
Remember how Microsoft Bob was going to "personalize" the computing experience? Well, it failed not once, but twice!. Remember how Chrome was going to "revolutionize the industry," according to the drooling press?
Because Microsoft is the 800-lb. gorilla of the software world, even when they fail, they get the benefit of the doubt. It comes with the territory. Also, because the Microsoft culture is fantatical about continuous improvement, they have a long history of sucking hard at v1, sucking at v2, becoming fairly usable at v3, and taking over the market by v4 and beyond.
Microsoft has been doing this long enough to realize an opportunity when they see one. Cringely is reminding us that unlike all of you Slashdot readers out there, Microsoft is driven not by desire to build cool, useful technology, but by the desire to control marketshare. That's the be-all, end-all of their existence.
So whether Cringely is correct about raw sockets or the demise of TCP/IP doesn't really matter. Almost every company that has gone toe-to-toe against Microsoft in a market segment has failed because they continually underestimate and miscalculate Microsoft's strengths (IBM, Novell, Apple, WordPerfect, Lotus).
Microsoft has an overarching vision of the computer marketplace that is far more evolved than any of their competitors, with the possible exception of Sun.
Microsoft remains unconcerned with business ethics, is unafraid of censure by the government, and wouldn't hesitate to use the ubiquitous of their own flawed products as an excuse to move the foundation of the Internet to a proprietary framework.
Microsoft doesn't give a shit about the history of the Internet and the spirit in which it was created. They don't give a shit about letting everyone in.
If Microsoft believes they can make the Internet a proprietary environment that they can control, they will work relentlessly toward that end.
Read the EFF's Fair Use FAQ
The bee in Gibson's bonnet (and therefore Cringely's, cuz we know where he gets his material) is IP source address spoofing. He thinks that Windows XP will somehow make this much easier.
He's right.
But it doesn't matter.
There are already several easy technical fixes to prevent source spoofing, and if Gibson and Cringely's phantasy comes true, they will all be deployed in various Internet routers in a matter of weeks. Some of them already are implemented in Cisco routers, but are not enabled by default. Long before things can come to sufficient head to justify Microsoft's appearance as an off-white knight to ostensibly save the day.
See also this article from Network Magazine.
When *I* was a youngin, IBM could do no wrong with many decision makers. I swore I'd never have my head in my ass when I got into decision making positions.
Now I'm 42 and one step away from making the decisions. I can INFLUENCE them now, and due to that, we run Apache for our web servers, I've stopped any thought of IIS from being implemented, and run Linux where possible and NT reluctuntly in some applications....
So don't forget this stuff. Microsoft may gain that market share, but one day hopefully pointy-haired bosses will be a bit better educated and make better decisions and not get sucked in by marketing hype.
Oh, I can dream, I can dream...