TCP/MS, We'll Cure What Ails You

Cringely can string some words together from time to time, and this week's installment is a pretty good one. He's been reading a little too much Gibson (raw sockets have nothing to do with the spread of MSTD ^[?] 's), but overall, he's probably right. When the time is ripe, I think we'll see a move exactly like this.

Dunno.

[loraksus]

But it sounds to me like he wants MS to make a secure email product that would never, ever do something without the user's permission.
I kinda found that funny, given MS's history.

Besides, I severly doubt that the DOJ will look favorably upon this move, or even if ms will have the fortitude and the gonads to even propose such a thing.
Yes, it would be cool, but I honestly think the folks in redmond don't have the ability to carry out something like this, on such a large scale and have it work properly from day one.

I'm actually not sure who could design the protocol - perhaps a think tank of the best programmers around the world hired by several governments for actually good money?

And yes, I read the last paragraph, and I still think XP's only redeeming feature is allowing us to write our own IP headers.

Re:Somewhat Flawed...

[dstone]

It doesn't matter that the network is insecure, only your computer needs to be secure and the keyserver.

PGP or GPG is great for e-mail, but not for the socket exploits the article discusses. So when your computer or a keyserver is rendered insecure because of TCP/IP socket insecurities on an XP machine (client or keyserver), then what do you have? Properly written, a virus could enter thru an app that allows insecure raw socket access, and could send nicely authenticated e-mails that begin with "Hello, my friend..." You get the drift.

Re:Wrong Premise

[gorilla]

While they have the ability, unfortunatly it's almost impossible to use them properly, at least using NT and Office 97. In order to run Office 97 on NT, your NT system directory must be world writable. Once you allow this, then any user can replace any DLL, and get any privlage they want.

Re:The Solution Is Clear (well, maybe)

[Jason+Levine]

While I can't help with 2-4, I wrote 2 things that help with #1. My web site offers to ability to Test Your E-mail Defenses by e-mailing you a harmless VBScript file. (It reads your registry, but doesn't change anything or send any info out.)

I also wrote Script Sentry which traps those VBS scripts (as well as DOC, XLS, SHS, SHB, REG, HTA, and more), shows you details as to what it would do if run, and lets you decide whether or not you really want to run it. So if a user opens up that new Love Letter they just got in the mail and sees a "This will change your registry" message, hopefully they will be scared/wise enough to cancel the action.

Old Days

[aoeuid]

What ever happened to the good old days when virii were a thing to be admired, were hand crafted in assembler to use the fewest instructions, and took talent? It seems nowadays everything requires the user to click an attachment in their outlook program. Theres nothing creative about that!

Re:Old Days

[Moonshadow]

No, it just takes a script kiddie with "Worm Toolkit v1.2" to create one.

Re:You're all missing Cringely's main point

[erotus]

Very well written and accurate portrayal of Microsoft and their vision of computing. While Cringly's idea of TCP/MS may seem far-fetched, you are right on the money regarding their desire for such a protocol. If Microsoft could embrace and extend the internet, it would in a heartbeat. If that ever did happen, it would be the end of the free internet as we know it.

Unfortunately, only the free-thinkers would see it that way. The mindless herd of end users that follows Microsoft would know no different. They would continue to surf and enjoy their digital playground and carry with them the same illusion of freedom they have about the rest of America. These same people never knowing about the DMCA, Sklyarov, DeCSS, or fair-use, (because the media practices awareness control over the public) would just assume that's the way it's always been. The movie, "The Matrix," at least metaphorically speaking, is not far from the truth. In the future, I see a day when people are too "attached" to a system to let go. In this future, I see people who can't define their own reality or even define freedom because of the constraints that are placed upon them since birth. In other words, they will have lost the ability to step outside the box and question the facade they call "reality".

Maybe I've read "Brave New World" one too many times, but the parent post and Cringly's article make for a great introduction to a new 1984esque type of novel. Ok, so I got a little carried away there. LOL.. Anyhow, what I meant convey was that the average user would probably not care since they use windows anyway. They would see all the neat new services that passport provides and consider it a "feature." As scary as this may sound to you, the average joe user knows no better. However, with IPv6 right around the corner, I don't see Microsoft embracing TCP/IP. But have no doubt, if Microsoft could change the very protocol of the internet in yet another attempt capture even more marketshare, I have no doubt that they would at least try. That is what scares me about this company - the complete and total disregard for the open standards that allowed them to become so big in the first place.

An Appeal to Bill Gates.

[BigBlockMopar]

As posted to microsoft.public.win2000.general:

Come on, Bill.

I know you've got this great vision for a wonderful Internet and a computer on every desktop and all that stuff. I've met you in person on two occasions, and found you to be friendly, personable, brilliantly intelligent, and I know you believe very strongly that your vision of the computer industry isn't flawed. I even grudginly like you for your passion, courage, vision, strength and business acumen. Most damningly towards wanting to hate you, I also believe you and Melinda are true philanthropists.

But I'll still bet money that I had an e-mail address before you did. And you and I both know that this has to stop. At this point, I tell my consulting customers that running IIS is as irresponsible as drinking and driving. My procmail filter automatically sends all e-mails from Outlook mail clients to /dev/null. Like drinking and driving affects all road users, the many blatant security flaws in Windows and related programs affect all Internet users.

Please make it stop.

Copied and pasted from my (Apache on UNIX) webserver log:

(D'oh! Slashdot Lameness filter sees all the capital Ns of the Code Red worm buffer overflow and won't let me paste, so you'll have to see it here.)

Re:How DID they do that?

[Hard_Code]

Why, in my day, we only had ONE character which had to be multiplexed by switching 104 times per second, and machines were networked with string and dixie cups - and we were GRATEFUL for it!!

Re:raw sockets?

[strags]

Raw sockets are an application programming interface (API) whereby the application is able to control the contents of IP packet headers directly. This means that an application, for instance, can transmit a packet with a forged source IP address - thus disguising its origin. This is often used to conceal the source of a DoS attack.

Linux provides raw sockets, but only the root user is able to utilise them (and rightly so). Cringely's article doesn't make it clear as to whether or not there's any kind of user-based protection under XP, or whether anything and everything can access raw sockets under XP.

Strags

Re:Already been done...

[rabtech]

Slow down your shoveling boy... you might hurt yourself.

So exactly how can Microsoft's IPv6 stack be proprietary, when they don't own the routers, switches, et al? You see, if they change the format of the packets, then the router needs to accept the new format. Since CISCO should be setting up their IPv6 stuff to the agreed standard, that leaves Microsoft little choice.

Microsoft's network protocol implementations have always been fairly standard and able to interact with the world at large. I don't see that changing in the future.

As for IPv6, I don't see that really rolling out until XP covers much of the marketplace. XP (and the Server 2002 editions) should have native IPv6 support.

Stop spewing FUD. It isn't any more endearing than when Microsoft does it.

New OSS flamewar....yeah!

[jspaleta]

I'll bite....

1)Um, are you under the misapprehension that Linux et al are secure OSs on the basis that there haven't been any viruses targeted at it to speak of?

I believe linux...and pretty much any Unix i've dealt with (Solaris,OSF, Ultrix...) are much more secure OS's, becuase it's much harder to write an exploit for a unix box than for a windows box. Writing a buffer flow exploit to compromise a server process is order of magnitudes more work than sitting down and writing and emailing a Word document that takes advantage of the VBscripting to erase you harddrive.

There are "talented" crackers out there that do target unix machines. You can do a lot of real damage if you can compromise a large corporate Unix system....but you have to expend real effort to discover a new exploit on a unix system. With windows on the other hand....the same "feature" is being exploiting repeatedly to cause damage....how many differently named viruses have to circulate before MS removes this exploitable "feature."

Point out a "feature" of linux, or unix that gets repeated used for malicious activity...but people refuse to fix. Bind and sendmail, mainstays of unixland have had a history of exploits but the software makers make it a point to fix the problems asap. Software will be buggy, and bugs can turn into exploits, and then they get fixed. But a FEATURE like VBscripting is not a bug. VBscripting is a very powerful and woefully insecure FEATURE, but MS refuses to strip out the VBscripting features or add a layer of security to their use. MS viruses...don't use bugs in the code...they use perfectly acceptable scripting commands...to do bad things, and MS refuses to do anything about this FEATURE!

2) On the general subject of quality, Linux still hasn't got anything to compare with the Office suite.

No i think there are some candidates for comparision. Take Staroffice...is as slow as MSOffice, and for me staroffice does crash on occasion just like MSOffice...the big difference I've seen is that staroffice doesn't take down the entire OS with a BSOD when it desides to stop working.

You need to upgrade your gnome. I'm living in Ximian gnome on my PC and I haven't had the GNOME Desktop crash yet. But I'll be damned to figure out why my windows PC won't get past the logon box without causing a GPF.

3) I used to buy into this idea that OSS necessarily produced better quality software, but it just isn't true. Large products are flawed for many reasons: release deadlines, unforseen design errors, resource constraints, but mostly because people in general just aren't smart enough

I still believe OSS development makes far better products, but my reasons have nothing to do with being able to make product deadlines or whatever. I do not believe that OSS makes products more quickly. I don't care about release deadlines...the OSS products will get done when they get done....as long as products are making steady progress, that's what matters. How long did it take MS to make a stable OS worth actually paying for? From MS-DOS upto win200...how many manyears or should i say mancenturies of development time went into that development cycle. If want to believe in the pay for every yearly broken release, and call it a full product fine...I'm sick of it. Just don't bring your timeline baggade to the OSS community. Products get done when they get done. I believe that OSS development makes better products, for the simple fact that the source code is available. I believe OSS makes better products becuase in the long run those OSS products are far more adaptible and allow for more innovation. -jef

Re:Already been done...

[sigwinch]

This whole article is a red herring, and Cringley's about a technically literate as a door knob.

I've stayed in hotels that have a computer in each door knob. I think you're overestimating Cringley's skills.

Oh god, not another.

[WasterDave]

Look, raw sockets in windows are not the end of the world: they're available already, open source (http://netgroup-serv.polito.it/winpcap/), and you can run them as a non-privaleged user. In as much as MS have a concept of privaleged users.

Even if they weren't, there are SO MANY possible security exploits you can run using a small army of 0wn3d windows boxes. Including (but not limited to) just packeting the crap out of Steve "Bloody" Gibson's webserver. For instance, has anyone considered using something to script the IE network libraries (COM objects, I would imagine) in the background and launch a 'many millions of perfectly valid requests, complete with cookies and everything' attack?

How would you defend against that?

This whole raw socket thing has been blown out of all proportion. Can we please stop fretting and find a way of PREVENTING these big attacks from being spread. Or possible. Or something.

Dave >:(

Re:Oh god, not another.

[sheldon]

My public website has been hit about 20 times today.

However I monitor snmp logs on my Cisco DSL modem and it's been hit about 50 times today.

In both cases my web server is IIS, but it was never vulnerable to this worm even it was identified or MS released a patch, because I had properly installed the server.

Re:Oh god, not another.

[the+way]

Look, raw sockets in windows are not the end of the world: they're available already, open source (http://netgroup-serv.polito.it/winpcap/), and you can run them as a non-privaleged user. In as much as MS have a concept of privaleged users.

Even if they weren't, there are SO MANY possible security exploits you can run using a small army of 0wn3d windows boxes. Including (but not limited to) just packeting the crap out of Steve "Bloody" Gibson's webserver.

The point is not that raw sockets provides new exploit opportunities. The point is that raw sockets are required to spoof ip headers. With raw sockets Gibson would have not have been able to put in place the filters that he did because the attackers would constantly vary the source IP addresses using packet spoofing.

Yes, winpcap exists. But Gibson's point is that without raw sockets in the core OS, it is hard to spoof packets. An attacker currently has to install a whole new network driver if they want to install a packet-spoofing exploit on a Win 9x/ME machine. Compared to the ease of writing simple trojans in VBS, this is very complex, and not something that we're seeing happening much (if at all) at the moment.

Anyway, the existance of winpcap hardly reduces the power of Cringely's conspiracy theory that MS is intentionally making TCP into a broken protocol. You see, winpcap was developed with the assistance of the kind folks at MS Research...

For instance, has anyone considered using something to script the IE network libraries (COM objects, I would imagine) in the background and launch a 'many millions of perfectly valid requests, complete with cookies and everything' attack.

Sorry? I fail to see how using the InternetExplorer COM object introduces the opportunity for new exploits... It's hardly rocket-science to generate a well-formed HTTP request ('including cookies'--"wow I managed to include the text 'Set cookie:' in my HTTP header without even using MS's COM interface!")

Re:Oh god, not another.

[billh]

Code Red hasn't really been blown out of proportion. Yes, the media gets it wrong, and people keep asking me if they have to worry about it, but it is out there, and it is a pain in the ass.

I've been monitoring my web server (Apache) since this thing started back up. It has 16 public IP addresses, and I've been checked 390 times in the past 20 hours. Add another 200 or so yesterday, and you'll realize that this thing is spreading.

Aside from IIS, it also can lock up some Cisco DSL modems, and HP printers. Unfortunately for me, a lot of my customers have Cisco DSL modems. Unfortunately for them, I'm not the one that installed them.

391 now. It just keeps getting faster.

Re:Oh god, not another.

[billh]

Let's just say that a certain DSL provider ships the Cisco 678s with web enabled, and an old CBOS. They will soon be changing that, obviously.

Re:Oh god, not another.

[WasterDave]

Hey man, shame you've not got your email address up - chances are you won't see this. Oh well, let's try anyway.

I'm just not that convinced that spoofing ip headers is necessary any more for a good DoS attack. Certainly, when hiding one's ip was necessary, you needed to do it. Likewise when vanilla SYN floods worked, spoofing to a non-routable address just made it all the better. But neither of these apply in this day and age - the ready availability of an army of trojan'd windows boxes means the attackers IP is likely to never be discovered, and SYN cookie techniques mean that SYN floods are mostly history.

With regards to the scripting COM objects thing - yeah, making a well formed header is hardly rocket science. However, placing a request, registering as a user and accepting the cookie from the server is a markedly difficult task that would be made easier by scriptable libraries. Remember that the art of a good DoS is to get the server to dedicate as many resources as possible to serving something that is not a real client. Using a scripted real client to do it seems like a great idea to me.

Man, you could start opening https sessions, that'd slow it down REAL fast.

But thanks, well informed comment on /., I was starting to wonder if it was a dying breed.

Dave

The Solution Is Clear (well, maybe)

[namespan]

Someone needs to write some viruses that do the following things:

1) educates -- infects your computer and gives you
a multimedia presentation on flaws within "Hi! I'm Victor Virus!
I'm an Outlook Virus. How did I get in your machine?"

2) secures -- "Would you like me to install a Zone Management
package?"

3) explains alternatives -- "Did you know there are other alternatives
to Microsoft?"

4) Highlights Microsoft abuses...

Raw Sockets == IP packet spoofing

[PureFiction]

There seems to be a lot of confusion about this.

Raw Sockets allow someone to send forged IP packets (spoofing) that appear to come from any IP address the sender chooses.

This makes filtering a DoS attack harder, because you can no longer filter the traffic by IP or domain.

So, right now the limited defense in the DDoS zombie attacks from Windoze is the fact that the IP packets have valid source addresses. These can be filtered at backbone or ISP provider routers.

If these attacks used spoofed IP packets, there would be no easy defense.

Re:Raw Sockets == IP packet spoofing

[DeeKayWon]

Also (to my knowledge), *nix OSes restrict raw socket use to root. Guess what - XP Home edition has no such concept. Everyone is effectively root.

Re:Raw Sockets == IP packet spoofing

[Tack]

That's right, replies to the spoofed packet will not reach you (unless you are spoofing a different IP on the same segment that you're on).

It used to be the case where you could manage to create 'blind' TCP sessions by predicting the ACK number produced by the remote host. This was pretty commonly used on IRC where someone would have a legit, non-spoofed connection and sit in a channel and have a blind, spoofed TCP session along side it. He could then see the channel activity, and even interact with others through the spoofed connection, usually long enough at least to gain ops and take the channel.

These days (almost?) every new TCP/IP stack will generate acceptably random ACK numbers to prevent these ACK prediction spoofs. But for the purposes of a DoS, it doesn't matter if you never get the return packet. In fact, in the case of ICMP, it works to your advantage. If I flood 1400 byte ICMP echo requests using spoofed IPs (random or otherwise), not only will I hit your downstream bandwidth but because of the replies you (by default) generate I'll also be hurting your upstream bandwidth and your replies won't flood me back.

As most others have pointed out, the only real solution is egress filtering. Unfortunately if a box is compromised that is sufficiently close to a backbone, this solution (FWICS) won't work.

Jason.

Re:Raw Sockets == IP packet spoofing

[Mister+Attack]

Only a fool would go about his daily business as root...

There is a very good reason to do the bulk of your computing as a nonprivileged user, and this is it. Unfortunately, being a nonprivileged user is not an option in WinXP...

Re:Raw Sockets == IP packet spoofing

[sheldon]

Outlook XP as well as a patch available for Outlook 2000 attempts to solve this problem.

It blocks many different attachments based on their extension. It also notifies the user when they try to send such an attachment that it might be a bad idea.

It's described in MSKB article Q290497.

Re:Raw Sockets == IP packet spoofing

[mimbleton]

So is 99% of personal Linux installations.
What's your point ?

Stealth viruses

[shimmin]

I have to disagree with Cringeley's comment that virii programmed to spread slowly and lie dormant for months would be more likely to go undetected until "deployment day" than the current generation of balls-out, spread-like-mad worms.

Once a virus is detected, software can be written to clean it and possibly prevent its further transmission. These days, the delay between first detection and anti-virus software is usually a few days.

The more time a virus spends lying dormant or slowly spreading, the more time there is for someone to find it and spread the word. There are a small number of highly secure systems run by highly paranoid sysadmins who do things like compare all files to known good copies on a regular basis and log all network traffic. Even a quiet virus will be detected if it attempts to spread to one of these systems. If the virus attempts to infect something like a Honeypot, it will be detected. And then, the game is up.

These virii are only effective against the uninformed. The slower it moves, the more time it gives information to spread.

Re:Stealth viruses

[cr0sh]

Perhaps - but what if...

What if you made individual parts of the virus, including it as an attachment on the email - and actually had it do something "useful" (or at least "useful" in the eyes of the common computer user). Part of the virus is inside of the new AnnaKorikov (however you spell it) email attachment - that actually shows you "the goods". Part of it is in a new "Comet Cursor". Maybe another part is in free web caching product. And another in a special "hamster dance" screen saver.

All these pieces lie dormant - doing benign things. You don't have the source to them, so there is no easy way to check their functionality - furthermore, you have no reason to supspect anything, because they aren't doing anything. Release each of them over time - say one every six months - stealthily, of course - but put on the email something along the line of "Here I send you this file - great b00bies! - send to your friends!" - and when you see it - WOW! GREAT BOOBS! and you _do_ send it to your friends, who continue the spread. IOW, it uses humans to really do the spreading...

Now, sure, this wouldn't spread to servers - but that doesn't matter, you see. Once all the parts are everywhere - you send a final piece - one that calls functions in the other parts - which, I dunno - turns every desktop into large scale virus spawning factories or something. Which start building, and pumping, and sending them out with emails - perhaps the viruses it creates lie dormant - or make "new" benign things - who knows?

This could happen - it would take a very patient virus writer - but it could oh-so-easily happen. It might be happening now.

And as for the uninformed - in case you missed it, it seems like {pulls figure out from ass} 99.8% of the world population is uninformed - and even with the remaining .2% of the population (read: geeks with any intelligence) screaming at the top of their lungs about everything from these stupid "viruses" (which aren't even well programmed - gawd! Remember the DOS ones? That was code!) to DMCA 1st amendment rights violations to MP3s to WTFKWE... IT DOESN'T SEEM TO MATTER!!! I seriously think China could send a nuke into LA and all Amerika would do is cry that there is no more Hollywood - wah! Then flip the channel! Society (and Amerika in particular) is SEVERELY FUCKED UP!

Ok - huh, huh, huh - rant over. I don't mean this as an attack on you, I hope you accept my appology - I am just fed up...

Anonymous untraceable

[xant]

Cringely goes on to suggest that all connections be traceable - well, that's fine, except that it doesn't solve the problem of people launching viruses from public terminals, or obtaining free trial dialup accounts using fictitious information.

This somewhat misses the point of traceable TCP. It doesn't matter whether we catch the bad guy, what matters is that we can stop the flow of traffic to our overloaded site. Untraceable traffic cannot be effectively firewalled against.

Re:Not necessarily

[Ed+Avis]

If you're trusting the network without doing any proper checks, that's your problem. Somebody could plug in his own PC and start spoofing IP packets _today_. The release of WinXP doesn't change that.

What about the 'only root can use ports 1024' feature of Unixes, which Windows doesn't implement? Does that mean that Windows is a security threat? No. If you're being so stupid as to trust the originating port number, you deserve everything you get.

Egress and, er, ingress filtering around the edge of your network may be good enough most of the time; it doesn't protect you against PCs inside the network starting to spoof things, but you may feel you can trust your own employees (and don't let them run Outlook).

Re:How DID they do that?

[JabberWokky]

Most of those things were inherited from CP/M, a popular operating system for 8080 and Z-80 microprocessors.

Speaking as someone who used CP/M back in the day (okay, dammit, it was 20 years ago), CP/M (at the time the IBM-PC came out) didn't have subdirectories, didn't use / for options, and used Control-D for an EOF marker. I'm not 100% sure about text file end of line control codes (this is a *long* time ago), but I don't think I had to do anything fancy between Apple ][ and C64 formats and CP/M, and certainly nothing fancy for big boxen formats (of course, at the time, transfer protocols like Kermit and Modem7 handled such things).

Now, this is the dim memory of someone posting at 2:30am (and too damn lazy to do a google search), but I accessed plenty of Unix boxes (and VMS) at the time, and didn't have file format problems, so I'm guessing that it was the same.

Anybody else remember Magic Window for the Apple ][? Or the original WordStar. Wow. I'm seeing amber all caps when I close my eyes...

--
Evan

Re:not to worry

[einhverfr]

Not that much more dangerous. Yes, smurf becomes a possibility (allowing DDOSing more than one site at once) but you filter it out the same way that you filter out any other attack-- at the upstream routers and secondarily at your firewall... Raw socket access is no big deal really.

Redressing the balance in the press

[bigjames]

I'm fed up of the press reporting on this. There has been no real blame pointed at microsoft in the UK national press. So to do my part towards redressing the balance I wrote to the good old BBC. If you're pissed off about this, then why not put some pressure on the media to point the finger of blame (which they usually love to do). Here's what I wrote:

There have been many news stories recently about "e-mail viruses" and the threat from the "code red" worm. I am concerned that little or no mention has been made of the fact that most of these threats rely on security holes in Microsoft software.

I am a programmer. I also have an interest in security. Allowing e-mail attachments to execute any code is a ridiculous security threat which was just begging to be exploited (by, for example, the I LOVE YOU virus). The enormous threat of the code red worm has been due to the astonishing lack of security in IIS.

Please make it clear that these threats are due to virus/worm writers, hackers who break the law to disrupt our own computers. But please also make it clear that it is because of secutiry problems in Microsoft software that these people can threaten our computer systems.

I personally use Linux, a far more secure and stable operating system.

Please re-dress the balance of your reporting. Hopefully the bad publicity will encourage MS to sort themselves out and that will promote a safer internet for us all.

Cheers,
j

Automatic Ping of Death for Code Red Requests?

[BigBlockMopar]

Hey guys, this is somewhat unrelated to the stuff in this conversation, but it's about M$ vulnerabilities, so I'll ask anyway.

If we all set up out webservers to send a ping of death or some other blue-screen/reboot DoS attack automatically to anything that shows the signature request of the IIS worm, wouldn't that help to at least slow the spread of this thing?

The shell script to tail the log file and run a script would be pretty easy, but does anyone have anything tried and true for Linux/UNIX that will force a reboot of an affected Win NT/2000 server?

At this point, I see this as an eye for an eye, I'm kinda tired of all don't patch their systems despite big media attention. Besides, it'll definitely give me a sense of satisfaction to confirm a kill when the server doesn't respond to an automated regular ping a few seconds later.

Re:Automatic Ping of Death for Code Red Requests?

[BigBlockMopar]

To reply to an e-mail message I got about this, no, not a worm, no way. I'm not a malicious 14 year old. And while it would be fun, this script would be entirely to give me a warm fuzzy, force a reboot and know that there's one less infected machine every time the *#$%#$%^#$ damn worm tries to hit my box.

I'd ignore it as Microsoft point-and-drool "I've-never-known-anything-better" user idiocy, if it weren't taking up so much of my bandwidth. On the last attack, I was getting a peak of 17 hits a minute by the worm.

Host-based problems have host-based solutions

[Alex+Belits]

In particular, to make program not do something that it shouldn't one doesn't need to rely on the protocol that is security-neutral anyway (the other end can be malicious even if you aren't) but should place restrictions on the processes on the host.

Capabilities system, that now can be used to manipulate processes' abilitites to use raw sockets without making them run as root at the same time, is one of the examples how it's done in the kernel. While I am sure, neither RXC, nor Microsoft engineers looked a it, Linux already implements it and even had a sendmail security bug related to improper implementation of that.

Re:Yeah. So what?

[acb]

(a) The content industry will get right behind it, if it makes file transfers traceable and allows file sharers to be brought to "justice". That's AOL Time Warner and Sony on the bandwagon.

(b) It is likely that if a universal authentication solution appears, it would be eventually made a government-sanctioned standard, much as they're attempting to do with secure media formats, the government being beholden to the content industry and all that.

Re:MS already changed tcp already...

[ozbird]

Netscape 4 requesting from IIS is markedly slower than you'd expect by looking at relative performance on Apache with NN and IE.

I'm not so sure about this. While experimenting with Squid's user agent logging facility to see who was running what browser on my network, I noticed that MS Internet Explorer actually claims to be "Mozilla 4.0" - go figure.

I can say for certain that Microsoft's support web site does not tolerate unknown browsers graciously at all - when confronted with Netscape 6.0 beta or a Squid anonymised user agent string, it got stuck on one page redirecting back to itself...

Re:How DID they do that?

[regen]

Most of those things were inherited from CP/M, a popular operating system for 8080 and Z-80 microprocessors. MS-DOS was originally an 8086 clone of CP/M.

Almost right. CP/M ran on the Z-80 and 8086 (The version was called CP/M-86). MS-DOS was meant to run on the IBM PC which were 8088 machines. The 8088 was a scaled down version of the 8086.

Re:Already been done...

[ink]

IPV6 will never replace IPV4. IPV6 is a designed-by-committee monstrosity that purports to do everything for everyone. Looking at the feature set, implementing a correct stack seems to be neigh on impossible. Look how many years its taken for the first fully-compliant IPV4 stack to be made [thanks to Linux], and then look at how much more compliated IPV6 is. Implementing all the features of IPV6, and having them work across all platforms and routers is going to be a chore in and of itself. Getting all backbone/ISP/OS/DLL providers and manufacturers to support it and all of it's features is going to be a political and technical hell.

We're running IPV6 already with other universities over i2 and I don't see this happening on a large scale for at least another 10 years (and personally, I doubt it will ever happen without some intervening step like a IPV4b or MS/IP...)

Re:How DID they do that?

[Polo]

You know, I thought the same thing as she did in the past. I'd worked for large companies and I knew how incompatibilities cropped up and it was just from engineers being distanced from their customers.

Well, I was chatting with an ex-microsoft employee who had moved over to the white-side and he put things in perspective. Microsoft has strategic meetings where they sit around a table and say "how can we own this?"

That put a different light on all those subtle incompatibilities I had always had to deal with.

Backslash instead of slash in paths... / for options instead of - (remember switchchar? ..someone took it out) CR/LF instead of NL. ^Z as EOF. blah, blah. I wonder how many of these are deliberate?

The critical missed point

[Lumpish+Scholar]

"Cringely" and Dvorak keep saying, "No, seriously, shutdown the Internet and replace it with something secure."

They're missing the first law of complex systems. I can't remember the exact quote, but it goes something like:

All complex systems that work began as simple systems that worked.

You can't replace today's Internet, the result of decades of evolution, with something purpose-built from scratch to do as much. The attempt will suffer from the second-system effect, and just plain won't work.

It's easy for a columnist to ask for something drastic. Too easy. But it sells papers (or click-thrus, or whatever we're selling today).

Half-truths and misdirections

[SpookComix]

But as consumers, guess what -- we won't even get a choice. Microsoft will require the PC makers to install XP in the factory. It will come on your PC, and you won't have the choice or option to pick something different. When Microsoft issues a new OS, it is forced into the market.

I don't know about you guys (and gals), but last time I was at this tiny web site for a tiny computer manufacturer, I had the choice of Win98 SE, WinME, Win2K or Win2K with an upgrade to WinXP. That doesn't sound like manufacturers are limiting my choice of viable Microsoft operating systems to me.

People wouldn't be forced to participate, but if they remain anonymous, I might choose to block them. I certainly wouldn't accept file attachments from them. I know you hate this idea, but I think the Internet needs a fingerprint.

Hmm... And who would control this "fingerprint"? Our beloved government, who is trustworthy? A large computer corporation like, say, Microsoft? And how would something like this work internationally? Who is forcing you to accept attachments now? I run Win98, WinME, Win2K and WinXP all on different machines. Over the last week, I've been sent about 10 emails with both SirCam and Badtrans, and none of my machines are infected. Why? First off, I didn't open the attachments right away. Second, I tested the attachments by saving them and then scanning them first. This is not a difficult concept! If someone puts a big package in your mailbox at home, and it's ticking, do you just open it up if the return address says it's from someone you trust?

You can choose not to have a fingerprint, but then your ability to communicate with others may be limited -- a price many people may choose to pay.

This is endorsed by the same crowd that bitches about MS Passports?

If kids want to install an Internet game, the game's IP port would be registered and permitted to operate, hopefully by the parent.

Why can I not see this happening in the general population? The average users I know bitch about having to confirm Internet activity when Zone Alarm or other personal firewalls pop up and ask.

Programmers who ought to be familiar with Microsoft's plans have suggested that the real motive for raw socket support is for Microsoft to use Windows XP to exploit a bad situation, to deliberately make things worse.

Jesus, what a conspiracy theory. This guy gets paid for this?

Move along, Cringley. Common sense tells us that you're just spreading FUD. Meanwhile, I'll get modded down for criticizing you, I'm sure.

--SC

Re:Hi, I've lived under a rock for a while

[einhverfr]

We could implement a secure user identity system precisely like telephone Caller ID. It would be essentially an Internet ID. All Internet transactions could be based on it. Anyone who sends me e-mail can be identified. Anything I send can be traced to me. People wouldn't be forced to participate, but if they remain anonymous, I might choose to block them. I certainly wouldn't accept file attachments from them.

You can already do this. You can trace email. You can block email from those you don't know. And this system won't work to block email worms because usually they come from people who you know.

Caller ID, like rdns mapping of incomming ip addresses (cumbersome) etc. You can do this sort of strategy on so many levels... Of course someone who says that Linux is safer than Windows on one hand and that raw sockets are dangerous evidently is simply paroting what he has read and not actually studied the matter. Has he heard of any sort of authentication service or tactic? That is what these are about and of course many people do block people without the proper credentials from access to their networks ;)

Raw sockets exist in Windows 2000, and I assume that it has a bit to do with the FreeBSD code in the TCP/IP stack... This code has helped to make Win 2k far more stable on a network than its predicessor, IMO. If they are such of a problem, why not acuse Linux or FreeBSD of the same problem...

He also states:

And what's with those file attachments, anyway? Replace mail clients and APIs with secure models. The new model will not run attachments as they do today. E-mail attachments should not have access to the e-mail client, APIs, etc. Attachments should not have access to the operating system by default. The user should approve the use of some APIs, like having to give permission before device drivers are updated.

This guy is out to lunch. It is simply sufficient to limit user privilages and require them to export the attatchments before they can be run.

The only e-mail activity on my PC should be initiated by me, personally. Nothing else should access my address book or send out messages without my express permission. Microsoft will of course reject the idea, mostly because it will fail the "increase market share litmus test." My answer is, "Microsoft, if you do not take responsibility for locking down your APIs, it will become obvious to the public and become a detriment to your market share."

Which Office XP does quite nicely. Of course SirCam bypasses these controls and sets up its own smtp server... YOu cannot get around it totally. I am no more a Microsoft fan than the next guy, but this buy is a bit over the top...

Re:Raw Sockets == IP packet spoofing-- So?

[einhverfr]

So, right now the limited defense in the DDoS zombie attacks from Windoze is the fact that the IP packets have valid source addresses. These can be filtered at backbone or ISP provider routers.

???!

So says gibson. Why does that make things easier? Have you ever set up a screening router? You can filter out whatever you want...

Re:Gibson wrote zone alarm?

[jeremy+f]

Gibson constantly plugs Zone Alarm, so it's not suprising that people who don't read carefully would think that Zone Alarm is a GRC product, not a Zone Labs product.

If Gibson wrote Zone Alarm, it'd look as ugly as hell, have lots of BIG and alternating fonts, but be less than 300k in size, written in ASM, and fast as hell.

Re:Wrong Premise

[Metrol]

And people who hack other machines to do spoofing usually get to root if they get any normal user account.

Ahh, now that is a good point. On a Unix box you must hack into the root account before gaining access to the raw sockets. On Windows, there's no need to do anything of the sort. Heck, today it'd take you about 15 minutes to work up a hack in MS Word that can write any darn thing it likes into your system registry, no restrictions.

What is scary here is not access to raw sockets. The issue here is unrestricted, no protections, any .scr .bat .doc .vbs or any of the other alphabet soup of scripting engines on Windows will have full rights to do anything! Couple this with the known history concerning the security of products such as Outlook and IE, and you're putting together the formula for a disaster.

Heck, Microsoft has already commented on this very issue. They are already blaming those nasty virus authors for the coming up screw ups. (my apologies for not having a link, read this one a couple of months back.) Even they know it's going to be bad, but yet they are still moving forward with this.

Lastly, keep in mind that we're not talking about NT or 2000 here. Both of those OS's have the ability to run as either an admin or a regular user with limited abilities. We're talking about a version of 2000 that has had it's securities stripped so as to be compatible with ME (aka, Win 95 Version 5).

Re:Already been done...

[ckm]

Actually, I've heard that IPv6 is not popular because none of the current backbone equipment will switch it and no one wants to be responsible for conversion from v6 to legacy IP...

If MS's implementation is buggy/not compatible, then it probably won't work through any switches or routers, and they will have to change it. IPv6 does have some provisions for vendor specific fields, ala Kerberos, but that'll go over about as well as MS's TNF email format (read 'not at all'), esp. in such a wide open environment as the 'net.

After all, it's not called the INTERnet for nothing. However, I don't doubt that they will be able to push their proprietary extensions into corporate environments, but they really already have done that (SMB & MAPI).

The reality is that TCP/IP is really too low level for MS to worry about. There is no added value to controlling packets, only the payload, which is why they are pushing .net...

Chris.

How DID they do that?

[Compulawyer]

Cringely makes a very astute observation: How did MS manage to avoid having all those VBS viruses tagged as MS Windows viruses or MS Outlook viruses instead of "email" viruses?

Re:How DID they do that?

[Spoing]

MS DOS v.1.24 used / instead of \ as a directory designator, and - for command options. (I could be wrong, as I threw out my original disk years ago and never made any backups. Corrections welcome.)

Re:How DID they do that?

[sjames]

Why, pray tell, would a virus writer interested in mass vandalism bother with Linux when it has only a tiny share of the market?

By that logic, why didn't the writer of Code Red write a worm to attack Apache instead of IIS? Apache does have a larger share of the web server market. Could it be because an Apache worm is harder?

Re:How DID they do that?

[Detritus]

I used to use CP/M. I even wrote my own BIOS to install it on my computer, which is what you had to do to install the generic version of CP/M on a computer. Digital Research supplied the BDOS (Basic Disk Operating System), CCP (Console Command Processor) and a sample BIOS.

CP/M didn't have paths (neither did MS-DOS 1.X), just the USER command. Slashes were used for options, some of the command syntax was patterned after some old DEC operating systems, such as RT-11 V2 and RSX-11 (MCR era). Remember PIP?

CTRL-Z was the EOF marker and CR/LF was the line terminator. Files lengths were a multiple of the sector size.

Re:How DID they do that?

[swillden]

Microsoft has strategic meetings where they sit around a table and say "how can we own this?"

So does any and every company that is run by good strategists (i.e. any business that wants to stay in business for the long haul). That's the basic business process: Find a niche, find a way to enter it and then find a way to dominate it. That's just being competitive in the marketplace.

Where it becomes a problem (and illegal, in many countries) is when a company (ab)uses its monopoly in one niche to dominate another niche, rather than trying to gain dominance through making a better product, doing a better job of marketing, setting a lower price, etc.

Re:How DID they do that?

[JabberWokky]

No, the convention was a ^Z, but only if the file didn't end on a block boundary.

That's right - I remember a common problem of that era were nulls and/or random binary junk padding out the end of files to an "even" size.

--
Evan

Re:How DID they do that?

I keep going back to Microsoft because he's kind and gentle and loving. He cuddles after sex and he's always complimenting my figure. He's never attacked me. Ever. Not like that last jerk I dated. Linux was a bastard and he beat me nightly. Me and Microsoft were just good friends at the time and he was dependable. Linux never quite liked Microsoft. He was always saying, 'D00d, dat Micro$oft sux0rs. Free software rules! He ain't nothing but a buggy BSOD-loving freak.' I couldn't stand him and his arrogance. Thankfully, we broke up. Microsoft and I got together and things were good. Occasionally we get together with BeOS for a threesome. She's a real nice number and she's able to do everything for me Microsoft couldn't.

I'm happy now.

Re:How DID they do that?

[drdink]

Yes. Thankfully I don't fall for that propaganda either and I use FreeBSD.

*waits for the moderators to notice the word FreeBSD and start sucking away the karma*

Re:How DID they do that?

[gig]

Ok you had me untill this part mate, and that's going way too far. Sorry to tell you, but the hassle of deleting and not opening annakournikova_jpg.vbs doesn't quite compare to some woman getting beaten by her husband. Not to mention the fact that it's nobody's fault that you get a virus except the prick who wrote the virus. Not microsoft's, and not even your less pooter-savvy mate who thought he was gonna see anna's tits. If enough people used a standard linux desktop for it to be worthwhile, more people would write virii for linux. As linux's popularity grows, so will virii begin to appear, or I'll eat my hat.

He didn't compare the severity of Microsoft viruses to the severity of wife-beating; he compared the emotional dependence of the victims of both upon the perpetrator of both. In other words, he is trying to answer the question "what keeps them coming back for more?"

Windows XP Home Edition runs everything as root. How can you apologize for that? They have said that user accounts and permissions are too complex for the consumer, yet both Mac OS 9 and Mac OS X have user accounts and permissions. Mac OS 9's are of the training-wheels variety, but Mac OS X is full-bore, hardcore Unix. iMac users are getting by, so surely Windows users can adjust? The reality is that bad network security is good for Microsoft, because they never get blamed, only "Internet hackers" get blamed, and they want us all to use MSN anyway, not the Internet.

As for your argument that popularity is the only reason Microsoft operating systems are virus-riddled, that is bunk. There are 25 million or more Macs out there, and there are lots of people who would love to stick it to Apple because they think Apple is on some kind of high horse. Why are there only a handful of Mac viruses? The system is completely scriptable, so there are tools there. But the worst Mac viruses all run in Microsoft software on the Mac. If you don't have Microsoft software, then you are susceptible to less than half of the viruses that run on the Mac.

Blaming virus writers is easy, but think of it this way: the guy who wrote "Melissa" simply sat down at his computer, wrote a document in Microsoft Word, and emailed it as an attachment to another user. He didn't cut through a chain-link fence, he didn't pick a lock, he didn't hack somebody's password; he just wrote a Microsoft Word document. One of the features of Microsoft Word documents is that they can include tables; another is that they can include scripts that send emails. Who is to say that using one feature is not a crime and using the other one is? Ignorant politicians and cops who believe Microsoft and their apologists. There were no Windows programs until Microsoft created the Windows API that provides the environment for them, and there were no Outlook viruses until Microsoft created an environment that demands them. If there is no security in that environment, then you can't expect things to be secure. If you leave your flashy sports car running and unattended with the doors unlocked, you have to share some of the blame when someone takes it for a joyride. Microsoft is practically begging people to write these viruses, which is the point of the article. They can't be this stupid ... they are doing it on purpose to give Unix itself a bad name. To make the world so scary that their users will cling to Microsoft's skirt like frightened children.

Re:How DID they do that?

[gmhowell]

There are probably a few convenient factors that prevent them from being called "Outlook viruses".

First (as others say) is that the slobs in the media don't know of the existence of Mutt, Pine, Eudora, etc. They know Outlook, Notes, and AOL client.

Second, they don't know the subject that they talk about. Here in Washington, there used to be some smart TV reporters. But they weren't photogenic enough, so they were fired, or offered bad jobs/pay cuts. So now, WUSA has a bunch of young, attractive morons on the payroll. What does this have to do about anything? Like many media outlets, they have no experience with anything. It's not just computers. It's local politics, health science, world events... Most (not the modifier) reporters are just dumb. Reminds me of a college roommate. Okay guy, but not the sharpest tack in the drawer.

But, at least some of them interview people with half a clue. Which brings me to point three: the people they ask are either M$ users, MCSE's, or in some way involved heavily with Microsoft. To them, Outlook IS email. So they describe it that way.

The next reason I see is simple: MSNBC. Yeah, yeah, yeah, separate editorial staff, independent reporters, yadda, yadda, yadda.

Now, take all of these (which individually might be minor) but remember how much news comes over an AP wire (or Bloomberg, or whomever). Listen to your local news. Much of it is a rehash of some simple wire-service article. Reporting with an emphasis on the 're'. And these folks don't know tech.

I doubt that any of these alone could cause the problems. But taken as a whole, we have this situation. Basically, the blind leading the blind.

Re:How DID they do that?

[ink]

Some IT consultant was talking on the radio the other day about Code Red, and she was actually apologizing for Microsoft. I couldn't believe it! She said (paraprased), "Microsoft has thousands of employees, and keeping track of everything they do is almost impossible. They have quality assurance tests, but as we all know, these aren't perfect." I was dumbfounded by her slobbering backpeddling, and she wasn't even an employee of Microsoft!

The only way I can explain it is that most people use Microsoft software, and what we use must be the best, right? I mean, how often does someone buy a new car and then complain about all the problems that it undoubtedly has? Hardly ever. It must be the same with computers; the Windows users have an emotional investment in the product and they want everything to be just fine, so they apologize for shoddy software; "Oh Windows crashed, I bet the next version is better, this one is getting quite old", "Oh I got a virus, I wish those evil hackers would be put to death". See my point? They never think to blame Microsoft because they are Microsoft to a certain extent; they belong to a huge fanclub of a massive group of people. That's gotta feel good.

And it makes it tough for us non-Microsoft users to get along with. Like the abused wife that toddles on back to her jerk of a husband, so the users return to Outlook, because "this time it will be better" and "I don't know how I could possibly function if my calendar and e-mail client were two separate programs."

Re:How DID they do that?

[bikepunk]

The whole "monetary investment" concept is hitting the nail on the head.

Scenerio one:
-- Arthritis is, by nature, a waxing and waning problem for people who experience it. This means that half the time it hurts and half the time it doesn't on average. The medications for it aren't always that good, and barely affect the 50/50 chance of improvment.
-- Let's say a filthy-rich golfer buys a copper bracelet for 100 dollars to cure his arthritis, and he experiences a decrease in pain! Note that this decrease in pain is likely to be a naturally-occuring decrease. Nonetheless, he attributes this decrease in pain to the copper bracelet.
-- Now, another filthy-rich golfer also bought a copper braqcelet for 100 dollars to cure her arthritis, and she experiences an increase in pain. In other words, the bracelet appears to have done nothing for her arthritis. She paid 100 dollars for it, so she doesn't really feel like admitting her foolishness for buying the bracelet, of course!
-- In summary, about 50% of the people who buy copper bracelets go on to recommend them to friends, and 50% of them are too embarassed to say anything bad about them.

Now, go next door, and talk to your neighbor about their computer's operating system and computer that they just put down a few month's salary on. Are they going to say anything bad about the super-duper Wintel machine they just drained their wallets for? I doubt it. Also, what are they going to compare it to?

People feel a lot better having to pay for a product and seeing a smooth interface and knowing that their company endorses it. This seems to be a fact of capitalism. I really hope this fact becomes fiction...

Footnote: The copper-bracelet example is from some medical/doctor journal/magazine article. Sorry, but I can't remember the issue number or title. Anybody know the article I'm thinking of? I hate using nifty ideas and not giving due credit :)

Re:How DID they do that?

[The+Cookie+Monster]

The vast majority of so-called e-mail virii are VB virii, that exploit weaknesses in Outlooks security to hide inside attachements and run without the users knowledge.

This seems to be the general opensource response to what I posted (and posts like mine). But how many VB viruses have you actually recieved? VBscript viruses just don't spread, Outlook warns you that you are about to run something potentially very damaging and asks whether you're sure you want to continue (very scarey stuff for not-very-computer-literate people) before running the script, and virus checkers can spot them all a mile off without even needing a footprint. I don't think I've ever been sent a vbs based virus but I've been sent a lot of exe's and screen savers. Sircam for example is executable code.

While scripting in an email client is just plain dumb, it isn't what makes outlook good for viruses [anymore].

You have to detach the attachement, then set it's permissions to executable, then execute it. Only a total fool would do that.

Then total fools make up 90% of email users and we just have to live with that, because that's the exact equivalent of what they do in Windows. If you're claiming that the solution is to make it really irritating to do something as useful and legitimate as using stuff your friends send you, then I suggest you look for better solutions ;)
(and don't read that as me condoning the user interface Outlook uses for that task)

Yes we will see more of them, but at least we try to build systems that will fight them, not welcome them with open arms.

This is true. I feel Microsoft's response to Outlook viruses has been superficial at best, and they do deserve some blame.

Re:How DID they do that?

[Detritus]

Backslash instead of slash in paths... / for options instead of - (remember switchchar? ..someone took it out) CR/LF instead of NL. ^Z as EOF. blah, blah. I wonder how many of these are deliberate?

Most of those things were inherited from CP/M, a popular operating system for 8080 and Z-80 microprocessors. MS-DOS was originally an 8086 clone of CP/M.

Re:How DID they do that?

[tcr]

IMHO, the reason is that Microsoft is trying to capture some more of the groupware market share for themselves. Traditionally, products like Lotus Notes have been able to use scripting in the (mail, but also general-purpose) client for workflow and other groupware applications.

The difference is that scripts in that environment have to carry the signature of script author, and the code can only be executed if that signature RSA ID is allowed within the Execution Control List of the users' client/mail programs. Each signature can also be granted up to 11 priveleges (such as ability to send mail, ability to access other databases - like the personal address book), refining the security model.

Someone else's idea, carelessly implemented.
They have no concept of a sandbox.

Re:How DID they do that?

[orangesquid]

Just be careful, you might be at risk for MSTD's. The best way to stop these is always using a cond--err, firewall...

Re:How DID they do that?

[IronChef]

It's simple. 95% of the computer-using public doesn't know that there is anything besides Microsoft out there. I have had people tell me crazy things like "of course Macs run Windows."

So, naturally they'll call this an "email virus" or "computer virus" instead of "a shoddy security flaw particular to one operating system." The level of analysis in the latter description is far, far over the head of most computer users. And MS doesn't have any competition to make security a big deal in their OS advertisements.

(I love Apple, but we Apple users just don't count. There are not enough of us. Like it or not, we are the lunatic fringe. Long live the fringe though!)

To most folks, Microsoft is a benevolent, Barney- like giant without which there wouldn't be computers at all. "How can you blame such a wonderful company for what some misceant hackers do? It certainly isn't Microsoft's fault that computers have these fundamental flaws, or that there are people that exploit them. Ooh! Someone emailed me a magic elf animation!"

Like ex-Pres Clinton, Microsoft has a teflon coating. Fascinating, and disturbing.

Re:How DID they do that?

[The+Cookie+Monster]

Because they not MS's fault despite what the open source community would have you believe. I used to believe the same thing, but think about it:

• Viruses must be targetted at the most prevalent software - a virus written for mutt isn't going to spread anywhere as it will be mailed to 9 Outlooks, 2 NS messengers, and a pine.
• Security priviledges don't make you any more secure for these. So the attachment you ran isn't running root, so what - it still has access to your address list file, it can still send email, and it can still delete the files you actually care about (as opposed to the ones that come with the distro).
• Unix poeple are normally computer savvy so are a less likely target for social manipulation, but if the answer was to switch to linux then all the people who have to work with computers but don't care for them or know much about them (non IT businesses) would be using linux. If these people got an email from a coworker asking them to run the attachment, they would.
• Social manipulation asside. There have been the odd viruses taking advantage of MS security flaws - ones where you don't even have to open the attachment to get infected, granted. Any software written in C running on windows or linux is vulernable to things like this - NS Messenger for instance (runs on many platforms) had a buffer overrun bug meaning you could run arbitrary code on someones machine just by sending them a message. pine and mutt etc might have many but since they aren't popular it doesn't matter.

Sure, Microsoft haven't doen nearly as much to prevent this stuff as they should have, but I think that if every man and his dog was running your 'safe' email client on your 'safe' OS, you would find it wasn't very safe at all.

Rather than everyone switch from outlook, the solution is probably for everyone to be a little less inbred with which email clients they use.

Re:How DID they do that?

[ToLu+the+Happy+Furby]

This seems to be the general opensource response to what I posted (and posts like mine). But how many VB viruses have you actually recieved? VBscript viruses just don't spread, Outlook warns you that you are about to run something potentially very damaging and asks whether you're sure you want to continue (very scarey stuff for not-very-computer-literate people) before running the script, and virus checkers can spot them all a mile off without even needing a footprint. I don't think I've ever been sent a vbs based virus but I've been sent a lot of exe's and screen savers.

Um...the I Love You worm, the most destructive (in estimated $ costs) computer infection in history, was a .vbs attachment. So were Bubble Boy and Anna Kournekova. (The first required no user intervention as it exploited a serious Outlook security flaw; the second enjoyed a wide spread due to some simple social engineering.)

That's first of all. And second of all, Outlook's idea of attachment security is to pop up the same "this is an attachment are you sure you want to open it?" dialog box for every attachment, whether .txt, .exe or ".jpg.vbs".

A simple list of things MS could do to improve email attachment security:

1) Run any executable attachments opened directly from Outlook in a sandbox; require user confirmation for any changes to existing files, for creating any new files, or for sending out any email.

2) Turn macro protection in Word on by default, and run Word macros in a similar sandbox.

3) Disable any scripting elements in HTML email; no java, javascript, ActiveX or VB script, just plain HTML.

4) Only pop up a warning when opening an attachment which might actually be dangerous, i.e. .vbs, .doc with macros, .exe, .bat, .com, .scr, etc. Popping up a warning every time a user opens any attachment just makes the user learn to click through the warning without thinking.

That's 4 changes which would be neither too difficult to impliment nor too annoying or confusing to users. Yes, buggy permissions and buffer overflows happen in most all software, and requiring MS to audit code ala OpenBSD would be impossible. But they're certainly not doing anywhere near what they should to make viruses more difficult to spread.

Re:How DID they do that?

[Sloppy]

I was dumbfounded by her slobbering backpeddling, and she wasn't even an employee of Microsoft!

Most IT consultants have a strong interest in keeping Microsoft on top. It's job security. Think of the thousands of people that would suddenly be out of work if PCs started working.

Pointing out that there are alternatives to using buggy software, is a surefire way into the unemployment line. Better to keep people cursing at their computers and then being paid to "help" them with their problems.

Re:How DID they do that?

[Sloppy]

^Z as EOF isn't a Microsoftism, it's inherited culture from earlier systems. When I used DEC's RSTS/E on PDP-11s (years before I ever touched anything written by Microsoft), it also used ^Z as EOF, which probably came from RT11 or RSX11 or something earlier. (And CPM came from this family, which is the father of MSDOS.) I bet this stuff is as old as (maybe even older than) Unix itself, so it's not like ^D is any more legitimate.

Same goes for CRLF.

If I were to make a new OS today, I would also use ^Z as EOF. Not only does ^Z have a lot of history to back it up, but it also has an intuitive advantage: Z is at the end of the alphabet, so it makes slightly more sense for ^Z to mark the end of a file. Just try coming up with an intuitive justifaction for ^D. Hey, it's all arbitrary anyway, so might as well try to impose a little meaning. ;-)

As for backslashes as director seperators, it's a little iffier. MSDOS' ancestors didn't use "directory tree" filesystems; so they stole that idea from Unix. OTOH, the ancestors did use slash as the switch character (e.g. "pip foo.bar /de /z" to zero-overwrite and then delete a file). So they had a tough decision to make about slash. They got it wrong, but at least there's a reason for it.

Re:How DID they do that?

[gmhowell]

Nope. Morons is too weak. I had the displeasure of dealing with one of them about a year ago. Actually 'arrogant moron' is a more appropriate term.

Feel free to email for details.

Re:How DID they do that?

[Sax+Maniac]

Windows XP Home Edition runs everything as root. How can you apologize for that?

Here's my guess: too much Windows software out there assumes you have "Administrator" privileges.

I recently installed Windows 2000 and, not being a complete idiot, I set up accounts for myself and my wife. I did not give myself Administrator privileges; instead, to make system changes, I log in as Admin and make changes. You know, just like on Real OS's.

Imagine my complete lack of suprise when all the apps that don't work properly. They all assume you have unfettered write access to any directory in the world. I've had to go down manually, guess which files each app wants to write, and then change the permission on those directories so that it can happen.

To MS's credit, Office did work properly. It's just that most Windows apps are not multi-user aware! Windows vendors, test your damn apps on NT without admin permissions!

Re:Use Linux?

[wirefarm]

You're probably a gamer.
It does suck for games.

All I can say is that it's gotten better - way better over the past year. Grab the latest RedHat or Mandrake or Debiam and screw around with it.
A *lot* of people got a bad taste using crappy early versions. Bad first impressions are hard to shake...
My own Windows install died (again) a couple of months ago and I really don't care at this point.
Be sure to grab the latest Mozilla - It seriously does work as well as IE. If you're using the Netscape 4.7 that comes with all the distros, the web will be painfully ugly.
Pretty much if you have your heart set on using Windows, go with it - I can't change your mind.

Time for action

[jayhawk88]

All right, consarnit, I've had just about enough. I've been listening to you geeks fight with each other about this Intranet for a while now, and I'm just about fed up. Some of my boys have been telling me to just let you guys fight it out, but I really don't see any progress. It's inferurating! I didn't stand for this kind of crap at my former job, and I'm sure not gonna stand for it now.

So here's what we're gonna do. We're gonna split the Intranet right down the middle. That's right, the whole dang Intranet, from Wahoo to The Amazon's, right straight down the middle. And don't you be like some of my guys around here, telling me that it's "impractical" or "impossible", or that "I have no clue how the Intranet works", cause I don't really want to hear it. I've had enough, and it's time to take action.

So like I said, straight down the middle. One half goes to that Billy Gates guy up there in Seattle, the other goes to you Linucks guys. Now, I understand that there's not one guy in charge of Linucks, so I'd suggest you form a committee to handle it. If you need some help with that, well, drop me a line, and come on up for some help: if there's one thing I know about, it's committee's.

So anyway, one half to Billy, one half to Linucks. Both parties will be able to run the Intranet however they want, and we'll let the American People decide. The American People deserve the best, most great Intranet they deserve, and it's high time we let The American People decide the future of the Intranet. It's simple economics people, like you learned in college, the Law of Diminishing Returns! Adam Schiff himself would be proud!

Signed, George W. Bush

Are you so sure?

[acb]

AOL/TW own vast content holdings, which are at risk from file sharing. Now it's MP3s, but as broadband spreads, DivX files of movies will become a massive problem. It would be in AOLTW's interest if the anarchic design of the Internet was replaced by one which enforces accountability and traceability. And if the content industry push it hard enough, we may see laws mandating traceability in TCP/IP, preceded by a campaign in the AOLTW/Murdoch/Vivendi/Bertelsmann media about how child pornographers are using the Net with impunity and nobody can stop them.

MS already changed tcp already...

[Polo]

Hasn't microsoft already brok^H^H^H^H embraced-and-extended TCP/IP lots of times before?

There was a time when Sun servers responded "slowly" to windows HTTP requests because microsoft changed the behavior of TCP slowstart, etc...

I'm sure there are other examples.

Re:MS already changed tcp already...

[dimator]

Can this be verified by using, e.g., konqueror and comparing load times when using the different browser identification strings?

Re:MS already changed tcp already...

[peccary]

I'm pretty sure that was an accident -- it was an old BSD bug that they inherited, and their million-monkey QA process would never find a minor performance regression, would it?
Btw, it wasn't just HTTP requests that were slow, it was any TCP connection establishment.

Re:MS already changed tcp already...

[Malcontent]

If I was to bet I'd guess MS. They have a history of sleazy behaviour.

Is this guy nuts?

[Carbonate]

I used to respect this person but now I have to wonder what kind of technical background he has and if that background is backed up by ay sound reasoning ability. I remember watching conspiracy theory in the theaters (You know with Mel Gipson). That had some pretty crazy ideas but this is just nuts. At one point in this article he suggests that everyone loose his or her anonymity. Then at another point in the article he criticizes Microsoft for their supposed protocol, which will remove anonymity. This article seems more like a rant by a frustrated Windows user than an actual intelligent discussion on the security problems of Windows.

Re:Is this guy nuts?

[wiredog]

I have to wonder what kind of technical background he has

Well, he was a hacker before he went into journalism. Worked for Apple in the garage days. Read about his DSL/802.11 link. He has some technical expertise and he knows who to talk to at MS, Apple, and other places. I think the MS plan he talks about (TCP/MS) is interesting (not neccessarily good, just interesting). He does have good sources.

Wrong Premise

[PureFiction]

The two main points of this article are based on flawed assumptions.

1. Raw sockets in windoze is not the end of the world. *nix systems have them, even vxworks. A number of ISP's filter forged packets. If this type of spoofing is such a harm, it is trivial for ISPs to implement this. Cripling stack interfaces in OS'es is rediculous.

2. Passport will not authenticate every connection made on the net. Sorry, this is a pipe dream M$ sold you on somehow. And second, priority net traffic based on M$ passport is even more impossible.

Somehow I doubt it

[strags]

Although most end-users are running a MS-based operating system, there is simply too much non-MS underlying internet infrastructure for such a radical change in protocol. TCP/IP is going to be around for a very long time.

Furthermore, how is it exactly that TCP/MS would prevent things like Code Red from happening? An application is vulnerable to stack overflow exploits because of the application code itself, not because of the protocol through which it receives data. Registering the ports that an application listens on won't help if the app contains a vulnerability.

Cringely goes on to suggest that all connections be traceable - well, that's fine, except that it doesn't solve the problem of people launching viruses from public terminals, or obtaining free trial dialup accounts using fictitious information. Digitally signing specific applicaitons with an Active-X control style GUID, and only granting access to validly signed applications might help, but I can't see developers embracing that idea. Even if they did, it only takes one compromised certificate to release any number of malicious programs.

And did Gibson actually write Zone Alarm? Cringely seems to think so, but it's marketed by Zone Labs, not GRC.COM. Anyone know for sure?

Strags

Re:Somehow I doubt it

[baptiste]

However, your assumptions are that Microsoft will even BOTHER with these OS redesigns. I'm with Cringley on this one, all they care about is increasing market share - they won't waste their time making things secure - come on, why bother. Virus infections have not reared up to impact Microsoft, hell most people think there's nothing Microsoft can do to stop it (they are that clueless) So I doubt it would ever get this involved. Once Microsoft had TCP/MS in place and was making millions off it, what would they care if it worked as advertised. All their current products have serious security flaws, but it doesn't make economic sense to fix them because they are a monopoly (so folk sdon't get a choice really when they buy a PC) and they aren't being sued like hell for releasing software full of security holes.

SO don't be so sure that something like this would save the world. The infrastructure you describe is daunting to say the least with smart cards, and keys, etc. Just ask anyone who has tried to implement an enterprise sized PKI - its a scary task and its not in Microsofts interest - they'll probably continue to use plain old userids and passwords.

WHich will make for funny TV the next time there is a worldwide virus that wrecks a lot of systems, the FBI will track the virus using Microsofts info and arrest some poor grandma who had her credentials lifted.

Re:Somehow I doubt it

[crucini]

Without actually endorsing Cringely's theory, I'd like to moderate your expression of skepticism.

1. Although most end-users are running a MS-based operating system, there is simply too much non-MS underlying internet infrastructure for such a radical change in protocol.
   According to Cringely, TCP/MS and TCP/IP could coexist for a long time on the same infrastructure. I would guess that TCP/MS would take over in corporate environments first, then in MS-powered e-commerce sites. Government and hobbyist sites would transition last, if ever.
2. Furthermore, how is it exactly that TCP/MS would prevent things like Code Red from happening?
   Filling in the gaps Cringely left, I'll postulate that each packet would be digitally signed with the private key of the individual authorizing that packet. Handling of the packet at the receiving host would be dependent on that host's trust level of the signer. When an infected IIS server S1 makes a TCP connection to a clean IIS server S2, the connection would be at a minimal (public) privilege level. This would cause the resulting thread|process to run at the untrusted/public level. Then, when the buffer overflow hands control to the attacking worm, the worm has only gained 'public' level of access, rather than root. (Yes I know they don't call it root.) In other words, this is a redesign of the OS kernel, not just the protocol. Otherwise it's meaningless.
3. ...it doesn't solve the problem of people launching viruses from public terminals, or obtaining free trial dialup accounts using fictitious information.
   Imagine that you have a TCP/MS credential - could be a smartcard, more likely a bit of paper with a RSA private key on it. If you use the library computer, you can only access TCP/IP anonymously. To access TCP/MS, you need your credential, which links every packet you send to your real-world identity. The credential could be available from banks, for example. Maybe even at grocery stores. Just need to provide proof of identity. Likewise, your free dialup account can not be used to send unsigned TCP/MS packets, because unsigned TCP/MS packets never make it through a router.

Anyhow, I take this theory with a grain of salt, but it's remotely possible. All that public key cryptography would put a huge burden on routers, which would be good news for equipment makers left stranded by the end of the bubble.

Re:Somehow I doubt it

[strags]

Filling in the gaps Cringely left, I'll postulate that each packet would be digitally signed with the private key of the individual authorizing that packet. Handling of the packet at the receiving host would be dependent on that host's trust level of the signer. When an infected IIS server S1 makes a TCP connection to a clean IIS server S2, the connection would be at a minimal (public) privilege level. This would cause the resulting thread|process to run at the untrusted/public level. Then, when the buffer overflow hands control to the attacking worm, the worm has only gained 'public' level of access, rather than root. (Yes I know they don't call it root.) In other words, this is a redesign of the OS kernel, not just the protocol. Otherwise it's meaningless.

I may be mistaken, but this sounds pretty much equivalent to just making sure that your httpd (for instance) daemon (and any chilren it spawns) don't run as root. I don't think you need a whole new packet-level protocol for this.

I believe that authentication and crypto are best left to higher-level protocols. IP is for shunting packets around - nothing more, nothing less. If we really want to avoid spoofing, a much better way would be to make routers stricter with regard to packets arriving on an unexpected network interface.

Strags

Re:Somehow I doubt it

[crucini]

I guess there are really three questions:

1. Would MS do it?
2. Who would it benefit?
3. Would MS do it right?

Starting with the third, I agree with you that they wouldn't do it right. But lets look at who could benefit from this scheme, regardless of whether it's really secure:

1. Microsoft would have a good chance of locking out competing OS's from the new net. They could release a (deliberately crappy) compatibility layer, which will later break. They could sell MSBSD with closed-source kernel mods to speak the new protocol. Or they just slam the door immediately.
2. Content Owners could benefit if the new net incorporates anti-copying and content control mechanisms into its very fabric. For example, the net could slow p2p connections to a crawl, while allowing extra high bandwidth and priority for authorized streaming media.
3. Router Makers, as I mentioned, would enjoy a new demand that 'decomoditized' routers and helped to raise the price.
4. Law Enforcement would like a world in which each packet is provably linked to its author. Of all interests, they're most likely to carry weight with Congress.
5. Struggling ISP's would enjoy the ability to differentiate and make some profit by offering access to the 'new net' during the cutover period.
6. Verisign and ICANN would love to become the monopoly supplier of credentials. They have already proved to be effective lobbyists when they smell cash.

So, would MS do it? With the right alignment of interests, this could happen. And pointing out the flaws in the system won't help at all. It could even land you in jail, ala Sklyarov. The only thing that could scuttle such a plan, once it's under way, is lack of interest from the public. And that's a viable hope, because no matter how much marketing and propaganda are used, this plan doesn't really benefit Joe Sixpack at all.

Re:Somehow I doubt it

[crucini]

I agree that it's mostly equivalent to not running things as root. But maybe it could provide a mandatory clue wrapper, no matter how clueless the programmers and admins. More importantly, the new scheme does not necessarily have to benefit anyone but Microsoft - it just has to appear to benefit.
As for leaving authentication/encryption to higher level protocols, the trend is in the opposite direction. First we got SSL, which became the de facto standard for application level encryption. Then many companies started using VPN's between remote offices. When I first saw this I thought it was stupid - why not just use ssh/scp? Then I started to appreciate the vast number of protocols used within a corporate network. Some are utterly insecure, while some offer flawed or illusory security. Instead of trying to get every vendor to secure every program (and still get it wrong) corporations prefer to secure with firewalls and VPNs, which puts the onus on security specialists.
If you read Bugtraq, there's a constant stream of exploits in software where security was an afterthought. I'm afraid that application-layer security is an unworkable idea.

Must be some good stuff

I want some of whatever Cringely is smoking. He seems to having some really wild hallucinations.

Re:Sock_Raw

[strags]

SOCK_RAW access permits applications to spoof source IP addresses, thus disguising the source of a DoS attack.

mod up

[jon_c]

thank you. like he said, people attack windows because windows is always the same, they all have the same setup (more or less), they all run the EXACT same programs, i.e. it's much easyer to get your buffer overflow to work with winnt/iis then it is with linux/apache because the binary or IIS and NT are going to be the same.

in linux and apache the kernal and apache executables are configured differently before they are compiled, so it's much more diffecult to have a overflow work against all instances.. of course for a standard distro like redhat and apache binary rpms this isn't true.

Windows is also more common, so your expliot will be more used.

Windows is also owned my Microsoft, a "evil" company, all the better to attack then.

-Jon

Re:Gibson wrote zone alarm?

[Safety+Cap]

Gibson constantly plugs Zone Alarm

Seeing as how Zone Alarm is the only darn free/software firewall that appears to work, then why run anything else? I'd like to see Microsoft's crack team of security "experts" come up with something comparable.

Oh wait, they did.

Hahahahah

Re:Raw Sockets == IP packet spoofing-- So?

[PureFiction]

It makes things easier on the target machine. Filters themselves require a fair amount of bandwidth and CPU to process incoming packets.

If you are running web services on a limited bandwidth connection (T1/etc) a filter at your ISP (i.e. before your gateway router and you) prevents all the bogus traffic from reaching your machine and wasting bandwidth (and CPU).

Capitalism?

[child_of_mercy]

It's not a fact of Capitalism, it's a fact of Consumerism.

But it would appear to be a fact

Don't read, it's a rehash.

[strredwolf]

I took a look... and it looks like Cringley summarized items from other sources, including Gibson, PC Mag, and more.

That, and we normal folk already knew them anyway.... well, for odd values of "normal", anyway.

Hi, I've lived under a rock for a while

[Dancin_Santa]

We could implement a secure user identity system precisely like telephone Caller ID. It would be essentially an Internet ID. All Internet transactions could be based on it. Anyone who sends me e-mail can be identified. Anything I send can be traced to me. People wouldn't be forced to participate, but if they remain anonymous, I might choose to block them. I certainly wouldn't accept file attachments from them.

You can already do this. You can trace email. You can block email from those you don't know. And this system won't work to block email worms because usually they come from people who you know.

Get with it, man!

Dancin Santa

Oh give me a friggin' break!

[ellem]

--News Flash Y2K was a hoax.

--News Flash The internet is not going to be "shut down" by any stupid virus.

--Any half decent FW comes with its own proprietary TCP/IP stack... Yeah MS might think about changing over to something else.

--It is time for "technologists" to cut it out and stop trying to scare the Hell out of everyone with this MS is evil and the internet is falling shit.

--Bottom line if MS was as bad as WE all think it is it WOULD disappear. Truth is it isn't that horrible. For 90 minutes at a time it's a great gaming platform.

Re:Oh give me a friggin' break!

[finkployd]

--News Flash Y2K was a hoax.

Really??!! You mean thousands of cobol and natural programs running on our mainframe didn't need to be changed? Geeze, where the hell were you when I needed you? I wouldn't have put so much unpaid overtime in :)

Finkployd

Wow, man...

[tulare]

I think cringely needs to quit posting while stoned.
After reading his rant, which admittedly does bring up a couple of interesting points (although the idea of M$ trying an Embrace and Extinguish on TCP/IP strikes me as one which, if attempted, would be laughable in its arrogance and stupidity), I think overall Cringely contradicts himself. First he talks like setting a GUID for everyone on the internet is a Good Idea, and then later on in the article, he attributes the same idea to the Evil Software branch of Microsoft. So, which is it?
On one point I totally agree, however. The current rash of email worms are entirely due to a business decision on the part of Microsoft, and they are culpable. The best, simplest, and most obvious way to fix a good part of this would indeed be to prevent email software promiscuous access to attachments embedded in email messages. No amount of restating the obvious, it seems, is able to either convince institutions to quit sending these (which are often, most unneccessarily and foolishly, in Word format), or to convince mom and pop users to not open them, or at least scan them for viruses before opening. And I'm sorry, but if you open a file sent from someone you've never heard of promising to display a naked celebrity, you get what's coming.

raw sockets: DOS using TCP port 80!

[mjh]

The deal with raw sockets seems to be more complex than any of the posts that I've read here.

The deal is that w/out raw sockets, in order to send large ammounts of data, you have to send UDP packets with the data. When creating a datagram socket (i.e. for sending UDP packets), you don't have to get a succesful return from connect() prior to sending data. Thus you can just start sending huge packets.

But with stream socket (i.e. for sending TCP packets), you have to get a successful return from connect() before you can start sending data. Which means that before you can send any data to a server, you have to send a SYN packet, get a SYN-ACK packet back, and then send an ACK packet. Only then will connect() return with a success, and then you can start bombing away at the server with huge packets. But even then if you don't send them in a form that is recognizable by the application, the server will just issue a RST and close down the connection. For example, if your stream doesn't include HELO foobar, when you connect to an email server, the server will just disconnect.

Non-raw sockets make it easier to filter out attacks at the upstream provider because they are usually UDP packets which your web application does *not* need. So you just filter them and then you're done with it.

With raw sockets, it becomes *much* harder to filter upstream. WIth a raw socket, you can create a SYN packet from a random IP address to a web server on PORT 80. That SYN packet can be 9k long if you want it to be. And it will be to a port that you can't easily filter out . Basically, it makes the DDoS attack much easier and harder to prevent. The attack could come from any IP address , and it will be destined for your web server, which (presumably) you want to keep running. How do you filter out a packet destined to port 80 from possibly anywhere without also filtering out the legitimate connections?

Of course, even without raw sockets, you can still initiate a DDoS attack against a TCP port. If there were fewer script kiddies and more programers, it would not be that difficult to write a simple program that uses a stream socket, and DDoS's with a well formed HTTP POST that posts 18MB of data. If the DDoS kiddies were able to program, then that's what they'd do, and they wouldn't need raw sockets to accomplish it.

So while I agree that the addition of raw sockets really isn't that big of a deal, it seems to me that it's a little bit more complex than what I've seen so far.

$.02

Re:raw sockets: DOS using TCP port 80!

[JoeBuck]

Packets with spoofed addresses are easy to filter out, if ISPs would do the right thing. Every router has knowledge of what IP addresses exist on each side of the router; all it has to do is to reject packets with "impossible" addresses.

If the situation gets bad (because of XP), then the DSL and cable modem providers can put a filter on each customer's line, bouncing any packet that does not give the correct address in the case of a customer who has been assigned only one IP address. The spoofed SYN packet game will then be over.

This doesn't require new technology; any router that's been sold recently already has the support for this.

Re:raw sockets: DOS using TCP port 80!

[mjh]

Packets with spoofed addresses are easy to filter out, if ISPs would do the right thing.

This is true, of course. This is even trivial to accomplish in Linux:

echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/rp_filter

But this does nothing to prevent a user from sending a 10^6 SYN packets each of size 10k to TCP port 80. Or 10^6 ACK packets of the same size to the same port. Raw sockets allow that, and more importantly make it difficult to filter a widely distributed attack.

I don't really understand Gibson's gihad on raw sockets, and in general I agree that the risk is overblown, but it's not zero. Even if we do get all the ISP's to do proper route filtering.

It wasn't actually Microsoft.

[rahl]

The local news programs that dispense opinions to the average folks have a tendency to simplify technological reports WAY past the point of inaccuracy. These news shows are aimed at the kind of user who doesn't know that there IS anything beyond what they do, and they don't really have a clue exactly what it is they're doing, anyway. They just do it, and most of the time, it works well enough for them.

Back to my point, the majority of reports are not going to point out that these email virii only work through MS Outlook - because the news perceives that web-based mail and Outlook make up the totality of their target audience's concept of 'email'. And why should they take the time to be accurate? They might piss off Microsoft, they might alienate some viewers from their "friendly" news service, and it's close enough anyway.

Re:Gibson wrote zone alarm?

[Cardhore]

But would it use raw sockets?

Re:In other news...

[Cardhore]

funny. although i don't think there is much value in controlling the underlying packet layer--it would be like Micro-Channel Architecture all over again. i think microsoft would be more concerned with content and .net.

Re:You're all missing Cringely's main point

[Infonaut]

Mike, apologies for the title of the post. What I meant to convey was that all of the posts I'd seen indicated that people were missing the forest for the trees. You're right, though - it was an inflammatory subject line.

Re:Raw sockets

[Chagrin]

..but if someone doesn't have 300,000 machines at their disposal, raw sockets make all the difference.

Somewhat Flawed...

[kstumpf]

Here is my preferred solution for Internet security. We could implement a secure user identity system precisely like telephone Caller ID. It would be essentially an Internet ID. All Internet transactions could be based on it. Anyone who sends me e-mail can be identified.

This seems like a nice idea, but I'm not for it, and I'm not sure if it even feasible. An IP address is already like caller ID.

Lets say you were assigned this new unique ID. Who's responsible for ensuring the identity of the payload remains unaltered? The software maker? That sounds familiar! Today, when you send mail, your message might sit at several relays. Is it up to the mail server to implement tracking of this ID? Could you not simply make a mail server that ignored this precedent and spoofed whatever it wanted? This seems the same as someone getting a shell on a box and running some kind of custom relay meant for delivering spam mail anonymously.

I also can't imagine a business deciding to ignore mail based on the lack of this identification. If you have to favor security over a new customer, you have other problems.

The funny thing about this article is that a PC implementing his ideas for security could easily exist now, but the fact is Microsoft isnt going to do that. If they can't follow measures to implement good security now, why would they under this new system?

Personally, I hope the answer to all this DOS'ing does not involve me losing what anonymity I do have (which doesnt seem like much at this point anyway).

Internet ID

[Adrian+Lopez]

We could implement a secure user identity system precisely like telephone Caller ID. It would be essentially an Internet ID. All Internet transactions could be based on it. Anyone who sends me e-mail can be identified. Anything I send can be traced to me. People wouldn't be forced to participate, but if they remain anonymous, I might choose to block them. I certainly wouldn't accept file attachments from them. I know you hate this idea, but I think the Internet needs a fingerprint. It does not have to have personal information, but if you break the law it can be traced to you.

Imagine that! No longer will cookies be used to track user activity. These won't be necessary, since the Internet ID would be much more effective at tracking user activity.

There are better ways to promote security than to adopt such measures. I prefer his less intrusive suggestions, such as improving the way the OS handles potentially insecure software.

Sock_Raw

[NitsujTPU]

This is true, I have NO IDEA what Cringley is saying when he says that raw sockets allow for more viruses and such to be introduced to your system.

For the uninitiated...

Generally, when programming, you define a great many things when defining a socket, the layer of abstraction to tcp/ip defining a single connection.

SOCK_RAW is a bit less abstract, you define more of the data that is being used by hand rather than allowing for the socket code to do it for you. Generally the you use SOCK_STREAM of SOCK_DGRAM, which define TCP and UDP sockets, respectively. SOCK_RAW writes directly to IP, so you must encode many of the headers manually rather than automatically, as the other 2 would do, and then write them to this socket.

In other words, it has NOTHING to do with getting viruses! SOCK_RAW is just another socket, but you are writing to the IP protocol, rather than TCP or UDP (which sit on top of IP). It also has nothing to do with being DoS attacked. I have NO CLUE where he got that from.

In other news...

[LyNXeD]

Micro$oft (NASDAQ: M$FT) today realized that their new TCP/MS protocol will not function over the Internet's (mostly-non-M$) infrastructure. The TCP/MS protocol is designed to address some of the security issues involved with the industry-standard TCP/IP protocol. It allows for authentication and tracing, to allow large corporations to know who does what, when, where, and how.

Micro$oft is not held back by this issue, however. They are currently working on developing a solution called "MS-over-IP" which will allow TCP/MS packets to travel over non-M$-compliant IP networks. This will be available as a patch to the upcoming Windows XP, for approximately $300. Micro$oft also notes that if your ISP refuses to conform to the new TCP/MS standard, and you do not wish to spend $300, you may switch to their M$N Internet $ervice, which will support native TCP/MS connections.

Micro$oft did not return any calls to our reporters on this issue, and simply sent us an E-Mail saying: "All your packets are belong to us."

Microsoft's Strategy for Net Control: TCP/MS-- NOT

[einhverfr]

Actually, the folks at Redmond have been thinking about this one long and hard. The strategy that they have decided to do is to hire a haxor to harrass Steve Gibson so that he would write an article bashing XP. Then you can pay people like this fellow to write derivative works about how scary the Net is and how Microsoft is Evil and how we have to allow for a lack of annonymity...

Then the folks at Readmond step forward and say, "When you're right, you're right. As you have no doubt heard, we are offering services like Passport as part of our Hailstorm initiative. These services are pretty much exactly what you have described. See, we truly are the leaders of innovation!" And (hopefully) everyone is sold on Hailstorm ;)

Re:You're all missing Cringely's main point

[Hard_Code]

The movie, "The Matrix," at least metaphorically speaking, is not far from the truth. In the future, I see a day when people are too "attached" to a system to let go. In this future, I see people who can't define their own reality or even define freedom because of the constraints that are placed upon them since birth. In other words, they will have lost the ability to step outside the box and question the facade they call "reality".

Holy fuck Batman! You just defined American "culture". Unlike other nations which can trace their heritage back many hundreds or thousands of years, America is an "invented" country, whose identity resides pretty much in the day to day consciousness of the people (ask somebody what being "American" means). Thus, this identity is rather susceptible to the frequently changing winds of public opinion. America is already a society of the spectacle - if you are not aware and entangled in pop culture, you are virtually a pariah. Your television will NOT be revolutionized.

Anyway, I have to go log on to AOL so I can view _Inside the Making Of Survivor Pop Stars on Temptation Island_ hosted by The Rock.

Re:Already been done...

[Billly+Gates]

One of the reasons that IPv6 is not very popular is because the MS version is proprietary as hell. MS is waiting for the big switch to IPv6 so incompatabilities between Unix and NT/winME could show up. At the time when the first MS-IPv6 stack was written, ms arrogantly assumed NT would own %80 of the server market by the time IPv6 became standard.

With almost everything running on NT, MS could then easily convince IT managers to only run NT on all servers for full network compatibility. The good news is that Microsoft's server dream never came quite true. Unix is still king on the Internet and is surprising gaining marketshare. At only %35 of the server market, I believe the MS IPv6 will not be very standard even if the whole Internet switches to the standard IPv6. But due to the MS-IPv6 problem, IPv4 will never quite go away.

Re:Already been done...

[Cato]

IPv6 will take a long time to happen, and complete stacks are hard to implement - however, most system and router vendors are quite a way down this track, and not all devices/hosts need support all features. The biggest issue is router support, and Cisco is finally committed to an IPv6 roadmap ending in late 2002.

Something like a billion mobile phones will require IP addresses quite soon, and NAT will be enough of a pain that the European 3G standards have mandated IPv6 in UMTS release 5. In other words, without IPv6 you won't be getting IP multimedia on your mobile phone any time soon - this is what will push IPv6 adoption, first in mobile operators, then wireless application hosting networks (W-ASPs), then enterprises, then finally in core networks.

Already been done...

[ckm]

We already have a replacement for IP that does many of these things. It's already supported under Linux, and probably a couple of other OSs I don't know about.

It's called IPv6, and it has QOS, guarenteed delivery, traceablity, and a whole host of other goodies. C'mon, do you really thing Cisco would let MS take away their bread and butter? IPv6 has been in the works for years and was designed specifically to solve all of the issues he mentions. I guess he thinks that only MS is smart enough to develop a new protocol...

This whole article is a red herring, and Cringley's about a technically literate as a door knob.

Re:Already been done...

[Cato]

Please tell us exactly how Microsoft's IPv6 is supposed to be 'proprietary as hell'. I'm not aware of any basis for this statement, given that MS Research's IPv6 is interoperating right now with IPv6 from a number of vendors.

Any supposed strategy to make TCP/IP proprietary would be better off starting with IPv4 since that is deployed today. I really doubt Microsoft is dumb enough to attempt this - far more likely that they will try to dominate at the level of .NET APIs and web services such as HailStorm, rendering the standard layer of TCP/IP as relevant as whether you are using USB or Firewire.

Re:Already been done...

[gorilla]

Who the hell WANTS multimedia on their mobile phone?

You're all missing Cringely's main point

[Infonaut]

Sure, Cringely is not a technical maven, and debating the finer points of TCP/IP is probably best left to people like.. well, like Slashdot members.

But Cringely's real point is that Microsoft is a very powerful company with a long history of turning its own technical shortcomings into market strengths. Microsoft's PR machine is incredibly effective - witness the FUD that kicks into high gear any time MS announces anything.

It's also instructional to remember a few Microsoft projects that didn't go off as planned. Ever wonder why journalists never bring up those failed efforts, or points to the millions of wasted dollars MS has spent over the years on vaporware?

Remember how Microsoft Bob was going to "personalize" the computing experience? Well, it failed not once, but twice!. Remember how Chrome was going to "revolutionize the industry," according to the drooling press?

Because Microsoft is the 800-lb. gorilla of the software world, even when they fail, they get the benefit of the doubt. It comes with the territory. Also, because the Microsoft culture is fantatical about continuous improvement, they have a long history of sucking hard at v1, sucking at v2, becoming fairly usable at v3, and taking over the market by v4 and beyond.

Microsoft has been doing this long enough to realize an opportunity when they see one. Cringely is reminding us that unlike all of you Slashdot readers out there, Microsoft is driven not by desire to build cool, useful technology, but by the desire to control marketshare. That's the be-all, end-all of their existence.

So whether Cringely is correct about raw sockets or the demise of TCP/IP doesn't really matter. Almost every company that has gone toe-to-toe against Microsoft in a market segment has failed because they continually underestimate and miscalculate Microsoft's strengths (IBM, Novell, Apple, WordPerfect, Lotus).

Microsoft has an overarching vision of the computer marketplace that is far more evolved than any of their competitors, with the possible exception of Sun.

Microsoft remains unconcerned with business ethics, is unafraid of censure by the government, and wouldn't hesitate to use the ubiquitous of their own flawed products as an excuse to move the foundation of the Internet to a proprietary framework.

Microsoft doesn't give a shit about the history of the Internet and the spirit in which it was created. They don't give a shit about letting everyone in.

If Microsoft believes they can make the Internet a proprietary environment that they can control, they will work relentlessly toward that end.

This Seems to be a VERY Risky Strategy

[GroundBounce]

I can see the part about TCP/MS as being a remote possibility, but the real problem with the theory is the part about Microsoft introducing something like raw sockets specifically to encourage abuses that they hope will subsequently be blamed only on hackers, UNIX, and TCP/IP itself.

This would seem to be an extremely risky strategy due to the high potential that it could backfire from a public perception point of view. My experience is that despite the fact that some people are apologetic toward Microsoft as Cringley points out, there is a steadily growing public perception of the weakness of Microsoft products.

Many Windows users that I know use it because they feel they have to, either for the applications they need, because their workplace demands it, or because they feel they are too non-technical to use an alternative like Linux (and believe me, many of them are). They are well aware of the instabilities and the susceptability to virii, and in fact many of the Windows users I know joke about it all the time even though they use Windows for various practical reasons.

I think at this point in time, if Windows XP doesn't live up to the MS hype about it being a more stable and robust platform, and ends up in fact being less robust, they run a significant risk of damaging their public perception; probably not fatally, but noticably none the less. Given the fact that a wholesale migration to TCP/MS, while possible, is far from a sure thing, this would seem to be a rather risky strategy.

Good morning Slashdot

[ObligatoryUserName]

What so far, most of what I've seen people post are Microsoft apologists, and predictions that it's all overblown, and confused people who think Cringly's confused because they can't follow all his threads.

No he's not saying viruses spread over raw sockets. He's saying that many viruses/worms like Code Red have the end effect of creating a denial of service attack; denial of service attacks are very difficult to block when the addresses of the packets are spoofed. He's saying that in the future, when 90%+ of the world is running Windows XP (and Windows 95/98/ME/2000 has been discontinued by Microsoft- ever try to get Windows 3.1 anymore?), and 90% of those people haven't used third party tools to secure their computers, there will be a continuous series of distributed denial of service attacks, and viruses like Code Red which will effectivly bring the Internet to a halt. (Most servers aren't running Microsoft OSes, but most of the clients are- the fact that Apache is the most used server is completly unimportant in this matter. Code Red isn't as bad as predicted because most people don't run Windows 2000, but XP unifies the server and consumer OSes so it'll be running on a very large number of computers, making these future problems several orders of magnitute worse.) The end result (as predicted by Cringly) is that Microsoft will extend and embrace TCP to get the Internet (which will be rendered useless by script kiddies and/or attacking foreign governments) working again.

Once implemented, if your web server doesn't speak MS/TCP then no one with Windows will be able to see your site. (And the only servers that will have bug free implementations of MS/TCP will be running a Microsoft OS.) Think that little ploy is hardly enough to overturn the Internet? Then why am I using IE right now? Their ploys have undone greater marketshares.

Someone said that Cisco is working on a way to prevent spoofed IPs at the router, if this is true, then this speculation is for naught. However, the fact that this is plausible should be a wake up call. Microsoft owns all of us. This is the straw that broke the camel's back, I'll resign before I install Windows XP. Microsoft's abuse of their monopoly is an affront to freedom. Live free, or die.

Re:Good morning Slashdot

[Cato]

It's already very easy to prevent spoofed source addresses on almost any router. It's just that it's enough of a hassle that most ISPs don't bother.

On any router connecting to customers of an ISP, you just put ACLs (access control lists) on the ingress interfaces that drop packets with the wrong source addresses.

On most Cisco's it's even easier - you just drop packets for which there is no route back via that interface (e.g. if you can't route packets back to 10.0.0.1 via this interface, you shouldn't accept packets with that source address). Linux has this feature as well, since 2.2 I think. Search for 'reverse path forwarding' on Cisco and Linux sites.

Most BSD and Linux users really did make a choice

[A+nonymous+Coward]

Most PC users don't get a choice. SPARC users don't get a choice. Don't know about IBM systems, nor HP. But anyone who installs BSD or Linux has made a choice, and can make another one if it doesn't work out.

Can WE Sue Microsoft?

[BigBlockMopar]

Quoted from Cringely:

If it were not for Microsoft's carefully worded user license agreement, which holds the company blameless for absolutely anything, they would probably have been awash in class action lawsuits by now.

But can't sysadmins sue Microsloth for the gross negligence that consumes our bandwidth?

I know the license agreement that I made when I opened my Windows 2000 CD only affected my Windows 2000 desktop. It has *nothing* to do with the bandwidth - which I pay for - that this stupid [expletive deleted - Ed.] worm has consumed.

I'm not normally litigious, but Microsoft needs to clean up their act.

Anyone know a good class-action lawyer?

Outlook already does part of what he suggests

[sheldon]

I'm using Outlook XP at home on a Win2k box.

If I try to send an email to someone from the Outlook Express news agent, there is a message box that pops up and states "This program is trying to use Outlook to send email, do you wish to allow this?"

This isn't quite as complicated as his proposal to authenticate and tie applications down to the socket, but it is very effective. Further this type of tie down is a fundamental design change for the TCP/IP network stack and would probably end up breaking an awful lot of current applications. Of course then when only Outlook Express worked, everybody would accuse Microsoft of purposefully breaking apps to promote their stuff.

So it's basically a no-win situation for Microsoft(or any other vendor), and they just have to do their best to solve a problem and not get in the way of the consumer.

Honestly, I don't know what else people expect Microsoft to do. This functionality to lock down Outlook was introduced as a patch to Outlook 2000 last year. It's built into Outlook XP by default.

Sadly most people don't use the patch.

Glue languages considered evil

[nwetters]

You would register your e-mail program as the only application that could talk SMTP, POP3, etc. If Microsoft Word wanted to send an e-mail, your e-mail program would pop up, ask you to authenticate yourself and explicitly send the message.

If someone suggested this on Unix, people would just laugh - 'lose the ability to script my whole system using my favourite glue language; no way'. Why it seems any more appealing on Windows, I have no idea.

Gibson wrote zone alarm?

[Safety+Cap]

By default, under this scenario, your PC becomes a TCP/IP read-only device. By running applications like Gibson's Zone Alarm you can -- right now -- severely limit the use of TCP/IP by applications on your PC

I didn't know Steve Gibson wrote Zone Alarm. When did this happen? What happened to Zone Labs?!

Re:Gibson wrote zone alarm?

[RedX]

Actually, Tiny Personal Firewall is also free for personal use and is much more customizable for a someone with half a clue. I've tried both and prefer Tiny by far on my Win2k box.

Re:Gibson wrote zone alarm?

[bl968]

Actually ZoneAlarm is an ok piece of software however Tiny Software's Tiny Personal Firewall is a much much better piece of software. The firewall in addition to allowing applications access to the net allow you to setup specific permit and deny rules based on localport, remote port, local address, remote address, application, protocol, and much more. I look at it as a much improved version consisting of a hypothetical merge of ZoneAlarm with Conseal PC firewall and like products. In addition Tiny Software's product is in use by the US Airforce on 500,000 desktop machines. Oh ya it's also free for personal use.

FEATURES AT A GLANCE

Multi-layer security protection (NDIS & TDI) Since the DSE resides on each computer in the network, it communicates directly with the operating system and negotiates what applications are even allowed to transmit and/or receive data.

MD5 Signature Support As the DSE mandates what applications can bind for communication, it can also check for an MD5 digital signature for permitted applications. This ensures that Trojan horse applications cannot gain access by using the name of a permitted application.

Stateful filtering based on SRC/DST IP address, port & application The DSE maintains a record of all sent packets and can therefore compare incoming packets to the record table to determine if they were requested. Additionally, the DSE can restrict applications to certain ports or destination IP addresses.

Remote access to logs and statistics The DSE contains a separate statistic view that displays all active sessions and includes the status, port, remote IP, application or service and the time associated with each session. Logs may be viewed from the statistics view or sent directly to a syslog server for analysis and reporting.

Suspicious activity monitoring and Intrusion detection The Tiny DSE contains a highly configurable reporting mechanism that can report specific intrusion attempts, or any other type of communication deemed suspicious, to a syslog server or to the CMDS server through an SSL connection.

not to worry

[peccary]

The bee in Gibson's bonnet (and therefore Cringely's, cuz we know where he gets his material) is IP source address spoofing. He thinks that Windows XP will somehow make this much easier.

He's right.

But it doesn't matter.

There are already several easy technical fixes to prevent source spoofing, and if Gibson and Cringely's phantasy comes true, they will all be deployed in various Internet routers in a matter of weeks. Some of them already are implemented in Cisco routers, but are not enabled by default. Long before things can come to sufficient head to justify Microsoft's appearance as an off-white knight to ostensibly save the day.

See also this article from Network Magazine.

Raw sockets

[XNormal]

Raw sockets are a just a slightly easier way to spoof IP addresses. But if someone has 300,000 machines at their command why would they need to spoof the IP addresses at all? Knowing the IPs will not really be of much help against a distributed attack of this scale.

IPv6 myths

[Cato]

IPv6 does not have any more support for QoS than IPv4 (except for the flow label, only useful with RSVP, which is very rarely deployed). I work for a software company that enables people to deliver QoS today on IPv4, and quite a few are happily doing so.

IPv6 does not have 'traceability' - there is an IETF RFC detailing how to have slowly changing IEEE identifiers (MAC addresses) so that your IPv6 address will not include a static ethernet card MAC address. No more traceable than IPv4, and better in some ways.

IPv6 has no more guaranteed delivery than IPv4 - both of them can use TCP to ensure delivery of packets, but IPv6 has no special features in this area.

IPv6 is all about larger address space, easier router/host configuration and auto-configuration, easier re-addressing, better mobile IP, reduced routing table sizes, simplified options processing, and simplified headers. Please read up on IPv6 at http://www.ipv6forum.com before making these misleading statements.

Not necessarily

[marm]

If these attacks used spoofed IP packets, there would be no easy defense.

Except for if every damn net admin would WAKE UP and SMELL THE COFFEE and IMPLEMENT EGRESS FILTERING or SOURCE ROUTE VERIFICATION or whatever your router calls it.

If you have a router built within the last 5 years, I can pretty much guarantee you it supports it. So turn it on already!

If every border router on the internet used it, we could stamp out IP address spoofing overnight. No magic about it. All the border router has to do is check that the source address of the packet is within the range of addresses that it 'owns'. If it isn't, drop it, and log the MAC address so that it can be traced.

Easy huh? Any router worth its salt can do it, so...

Please!?!? What does it take to convince you?

Please remember history...

[weave]

Most slashdot readers are young. One day you'll be cursed and promoted into management, then decision making jobs. Don't forget this kind of crap. Don't grow old and start buying default corporate lines, etc, etc...

When *I* was a youngin, IBM could do no wrong with many decision makers. I swore I'd never have my head in my ass when I got into decision making positions.

Now I'm 42 and one step away from making the decisions. I can INFLUENCE them now, and due to that, we run Apache for our web servers, I've stopped any thought of IIS from being implemented, and run Linux where possible and NT reluctuntly in some applications....

So don't forget this stuff. Microsoft may gain that market share, but one day hopefully pointy-haired bosses will be a bit better educated and make better decisions and not get sucked in by marketing hype.

Oh, I can dream, I can dream...

Use Linux?

[wirefarm]

If you're not using Linux now, you should be.
Don't like what MS does? Make sure that they don't get a single nickle of your money.
Linux is getting to the point where it is just about as easy to use *on the desktop* and once you know the desktop, you are halfway to knowing the server.
You *do* have a choice, you know...
Get Linux, install it, learn it. Burn a copy for a friend. Help them install it and learn it.
Lather, rinse, repeat.
Cheers,
Jim in Tokyo

Exactly why I don't like IPv6

[Bob_Robertson]

IPv6 is a perfect example of this "second system effect".

I dreamed once, likely from having a fever, that I went back in time and told the developers of IPv4, "Add two more octets to the address space. Yes, I know it seems like overkill right now, but it will solve so many problems in the future!"

Bob-

Perhaps if people start using TCP/MS...

[Karpe]

...they can use this wonderfull "Micronet", with all those pay-per-use video-on-demand, content protection, secure audio path, flashy pages and can give the good old "broken" tcp/ip internet, without all that wonderfull stuff back to those who don't mind using text terminals, and "legacy" stuff. Perhaps then we will be able to use IRC, USENET, even telnet, back again.

Give them (tcp/ip) 10% of the bandwidth. It will be more then enough.

Technology is generally used in ignorance

[mikey573]

> they don't really have a clue exactly
> what it is they're doing, anyway. They
> just do it, and most of the time, it
> works well enough for them.

Good point. This goes along my theory/view that technology is created with knowledge, but generally used in ignorance.

Let's review how we get technology:

1. Scientist acquires knowledge by pure research.
2. Engineer applies scientist's shared knowledge to solve problems. This often includes designing technology.
3. Technologist uses devices and methods (technology) made by engineer, with the special point that the user can be ignorant on how the thing works.

Of course there is lots of interconnection, as scientists and engineers use technology, but whenever you use something that you don't know how it works or how to make it yourself, you are a "technologist". 99% of computer users are technologists, to a certain degree myself. Heck, there is a whole industry based on ignorance of how computers work called "Information Technology" where people just "troubleshoot" and never really know what the problems are. (I worked in that for a short while as an intern.) Software programmers fall somewhat under the "engineer" category if they have been trained correctly.

Anyway, society will always have "technologists" (perhaps "lamers") because:

1. People are generally not technically capable of learning how technology really works or how it is made.
2. There isn't enough time for everyone to learn everything. See mortality.

Sorry for the rant, but its important that people understand this situation.

Welcome to the future!

A controversial opinion on Redmond

[hearingaid]

Before going into my opinion on why people see M$ in this way, I should explain a few things first.

• I am not a Micro$oft-lover; I am posting from an iMac, I own two FreeBSD machines and one Win95B machine, plus a collection of older computers.
• I use some M$ products, but I avoid them as much as possible. As will be clear later on, I like Word. I have never bought any of their products, but I did once recommend that my employer buy a copy of FoxPro (which recommendation was followed up on). I am posting from IE5, though, so I can't claim total innocence. :)
• I don't really have very much against closed-source code. IMO one of the problems with the hacker world is that they've become a bunch of whiners who don' t even know how to use disassemblers and decompilers anymore. If you have the code, you can figure out how it works. Sure it's hard, but there it is.

so, all that aside. People love Microsoft because their products are incredibly useful.

As programmers, we know that Microsoft products are buggy, poorly written, and often just plain stupid.

However, you try writing a book with a pen and paper. Now open, even, Word 6 running on Win 3.1 and compare. It's not hard: the M$ product wins out every time.

Or try doing some serious accounting work on a paper ledger, then open M$ Money. Damn, but, you know...

The problem, fundamentally, is that computers are too good. Computers in general are such fantastically useful tools that people love them, even when they're seriously non-optimal.

As far as I can tell, the only really strong link in the whole M$ apps network is Word. Word has so many features, I find it quite incredible. (It does have security failings and other failings, of course. But given the size of its codebase, it's actually pretty reliable, I think. Unlike, for example, IIS, which is just a little program.)

Which is why people shell out all that cash for Office, because Word is amazing, and the features it has are stuff they understand. People understand writing. They don't understand email. They like email, they just don't know how it's supposed to happen. So most of them use Outlook because it comes with their Word, and they assume that because Word is amazing, Outlook is too.

So anyway: that's my point. Computers have radically changed people's lives and made possible things that they found hard to imagine before. Even when they're running M$ operating systems, they're still fantastically useful, so nobody thinks to ask if there's something better around.

Anybody for the resurrection of Fidonet?

[cr0sh]

Naaaah...

TCP/IP over 802.11 - community freenets!

I was looking at the Seattle Wireless/Freenet site yesterday - marveling over a directional antenna members had built for 802.11 communications that got 3db of gain - and was essentially constructed out of PVC pipe, threaded steel rod, and washers, with a reflector made from a candy tin!

They had an omni that was constructed in a similar "use-whatever-parts-you-can-buy-cheaply" manner.

I think we would see these things springing up rapidly, and to hell with the FCC. That, or wireless lasercomm solutions. Perhaps individual community nets would be tunneled across the new MSnet - at least until long distance interconnects could be built and put in place. Or perhaps connected in a FIDOnet type fashion over multiple long distance modem-to-modem connects.

Never thought I would see the day I would go back to BBSing...

Amerika and "invented" culture...

[cr0sh]

Unlike other nations which can trace their heritage back many hundreds or thousands of years, America is an "invented" country, whose identity resides pretty much in the day to day consciousness of the people (ask somebody what being "American" means).

What you say is true today - but America does have a culture, and a history - one of the most colorful ones in the history of the world, as well as one of the most bloody.

But it isn't taught - and when and where it is taught, rarely is it in a way to excite people.

I remember my senses and thoughts almost dulled to the point of exhaustion by American History. But today, as an adult - I have begun to see that how we were taught had a lot to do with my boredom of the subject. One thing I mean to do, and soon, is to study up on the history and people of the "Old West" - what I have learned so far, living in Arizona and visting surrounding "Old West" towns (as well as about Phoenix itself) has taught me about the hard and dangerous life that the expansion of the west was really about. Similarly, I am interested in the colonial and revolutionary periods. Even the Civil War era holds my interest. I have always been excited about the days I consider between the Civil War and oh, say Kitty Hawk (1903) - and the technical advances in steam transportation, electricity (and the whole Tesla vs. Edison debate), computing (Hollerith), and flight (Langly vs the Wrights) - all of which happened here in America (and yes, I know that much of steam and electricty were invented and developed in Europe, but many great advances in uses of electricity and distribution, as well as locomotive transportation, happened here). It is so colorful, so amazing - the things that have happened and transpired here in our country. As much as I would like to someday tour Europe and see the history and ideas of that continent firsthand, I dare say that it is more important to me as a citizen of this country, the United States of America, that I learn about it first.

Unfortunately, I wish other people of this country would realize this as well. I only touched upon the color that makes up this country - there is so much more - and what makes it amazing, is that the majority of it has happened in only the last 200 odd years...

I predicted this 4 years ago

[gsfprez]

When i worked at a Air Force base - and we had perfectly good Sun Sparc20's running as our servers (mail, dns, SQL, etc)...

my boss told me that because we were upgrading to Windows 95.. that it was time to ditch all those servers and get Windows servers with Exchange, et al...

i asked him why should we get rid of our perfectly running servers which had given us no trouble at all just to move to Microsoft? "Because, we're getting in contractors now, and they only know Windows Nt 4.0."

Later on, it was then decided that instead of bases having their own servers and their own email systems, that now that we'd all moved to Exchange, that we'd all put our GALs together (Global Address List - the list that Outlook/Exchange VBScripts use as their distro lists to replicate themselves), then we'd really kick ass.. no more joe.blow@otherairforcebase.af.mil...

my reply was - um... LDAP servers? open Source? Hello? Anyone?

well, skip ahead to today - the US Air Force (and soon all of DoD) is going to be moving from its now Air Force-wide GAL (why we just pull the plug now during virus scares and why we were down for weeks during Melisa) to Active Directory.

back when i shut down all my Sun boxes.. i told my boss that this was just stupid.. why should we give up on what works just to buy what Microsoft is giving us? Their goal was not to give us good products, but to get us to buy their products... and things like Exchange, with its GAL, are just the first protocols that they are trying to hijack and take back on the internet... eventually, all the open ones would be overthrown by the new default MS proprietary ones that would ship someday with newer versions of Windows.

I thought it might end with email.. but i see that i'm wrong.. i agree with Cringley... its going to go all the way.. and we have no way to stop it..

MS will take over the internet.. they are already took over filesharing with SMB, they are taking over email with Exchange, they have taken over HTM L with Explorer, they are trying to take over java with .NET.. why should we think that they will stop there?

sigh.. oh well..

Re:a couple of thoughts

[Chris+Johnson]

Actually, that's the only part of it I _don't_ doubt. The actual mechanics of the process won't necessarily work like that, the scaremongering really depends on a great deal of assumptions that are not legitimate (just like people swore up and down that first Jackson, then the Appeals Court, would let MS off with a 'naughty naughty'), but the one aspect that IS entirely convincing is that MS is laying long range plans of this nature.

Unless, of course, you believe that everything they say in the way of empty reassurances is entirely trustworthy, sincere, and not an outright, intentional, manipulative lie. But then, Microsoft does not lie ;) right?

The one thing Cringeley DOES have exactly right is Microsoft's intent. This really should enter into the ongoing antitrust investigation. Who says that release of Windows XP is REALLY the Big Issue at stake? I would say that was a relatively minor issue compared with the more longrange plans in process, and although Cringeley is painting worst-case scenarios regarding the _ease_ of MS doing this, he is dead-on regarding the general idea of it.

Re:dear god

[Chris+Johnson]

Well, the American Revolution was more or less fought over taxation, and this is the position Microsoft wish to place themselves in: taxation. It's all very well to talk of hacker uprisings, but it is also possible there will come a point when there is a physical uprising: 1,000,000 Joe Averages, running their little shoe stores or whatever, become outraged at crashes, spyware, MS taxation on their transactions, having copies of XPIII self-destruct on deadline forcing Joe to buy a new copy or license over the net to fix the deadline situation and be able to work, having server-stored vital documents mysteriously disappear or become corrupted or be used to sell to spammers...

At this point, and it could happen, Joe Average freaks out. Thing is, Joe doesn't have any really constructive solutions- what he'll want then is roughly equivalent to nationalizing Microsoft and switching off all those forms of taxes and 'piracy protections' that are abusing him. He has no clue of the significance of things- he will just want to destroy Microsoft at that point.

Bob Cringley doesn't really exist.

[cyberformer]

No, really!

It's a pseudonym for a team of (quite knowledgeable, quite talented) writers. The guy who presents the TV show is just an actor. The story about Apple is completely false. (Jobs doesn't mind, of course --- it adds to the mythology.)

There was a front-page story in the WSJ a few years ago, about how InfoWorld, PBS and various freelance writers were locked in legal battles over who had rights to the name.

Not so lame, was: How DID they do that?

[evilpenguin]

It wasn't THAT backwards. IT was written as an expression:

A> pip b:=a:*.*

That copied all the files on drive A to drive B.

Just like good old BASIC's LET A=B set variable A to be equal to B. FWIW, it is true that many of the lamest things in MS OSes date back to CP/M. Drive letters instead of mount points, ^Z for EOF, CR/LF instead of newline, and so on. Even the infamous DOS PSP (program segment prefix) is practically a byte-for-byte clone of the CP/M base page (did you know you could make DOS calls from a small-model DOS program by doing a CALL 0x0005 instead of an INT 0x21? That's how you called CP/M.) For all I know, the old "FCB-style" file system calls still work in NT's command-line window! (The FCB stands for File Control Block. CP/M didn't use file handles. Instead the OS filled in a structure in the application's memory with all the data neede to access an open file. The real downside of FCBs was they were never made able to work with heirarchical directories).

All of these "klunky" designs of CP/M make a lot of sense when you realize that CP/M had to be able to run on a machine with only 16k of memory and still had to leave room for an application program that could do something useful.

MS-DOS has little excuse (with its ability to address 1M - barring IBM's goofy BIOS placement that limited it to 640k), and Windows 32-bit has no excuse whatsoever.