Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft States Full TCP/IP Too Dangerous

Posted by Zonk on from the don't-let-them-have-all-the-toys dept.

daria42 writes "To fully implement the TCP/IP protocol in Windows XP would make creating denial of service attacks 'entirely too trivial', Microsoft has claimed. The company was responding to claims by Nmap author and well-known security expert Fyodor that by repeatedly disabling the ability to send TCP/IP packets via the 'raw sockets' avenue, Microsoft was asking the security community to 'pick their poison': either cripple their operating system or leave it open to hackers. Admitting that a recent security patch had intentionally disabled a community-developed workaround to Microsoft's TCP/IP changes - which were first implemented in Windows XP Service Pack 2 - the company claimed it had received little negative feedback on the issue."

8 of 575 comments (clear)

  1. FMEA by millahtime · · Score: 5, Interesting

    Failure Modes and Effects Analysis... I would love to see that done on windows. Maybe find the problem itself rather than work around it and leave the faulires in there. Bad by design.

    --
    Evolution or ID?
  2. Replacement by Mr_Silver · · Score: 5, Interesting
    As soon as I saw this, it made me rememeber this article by Cringely (written in August 2001) which discusses the "problem" of raw sockets.

    From it:

    According to these programmers, Microsoft wants to replace TCP/IP with a proprietary protocol -- a protocol owned by Microsoft -- that it will tout as being more secure. Actually, the new protocol would likely be TCP/IP with some of the reserved fields used as pointers to proprietary extensions, quite similar to Vines IP, if you remember that product from Banyan Systems. I'll call it TCP/MS.

    How do you push for the acceptance of a new protocol? First, make the old one unworkable by placing millions of exploitable TCP/IP stacks out on the Net, ready-to-use by any teenage sociopath. When the Net slows or crashes, the blame would not be assigned to Microsoft. Then ship the new protocol with every new copy of Windows, and install it with every Windows Update over the Internet. Zero to 100 million copies could happen in less than a year, and that year could be prior to the new protocol even being announced. It could be shipping right now.

    Food for thought.
    --
    Avantslash - View Slashdot cleanly on your mobile phone.
  3. Re:Ulterior motives by Anonymous Coward · · Score: 5, Interesting

    Then again, they have demonstrated a supreme lack of understanding when it comes to security so who knows.

    Actually, I think we're seeing the maturation of a "corral the wagons" paranoia in Microsoft's culture. Lacking the ability to push any serious innovation internally (let's be serious, most of Microsoft's innovations during the past 20 years were brought in through acquisitions or copycat development ala VMS for NT, liberal borrowing from OS/2, Apple and Mach, etc). Now that antitrust severely limits acquisition growth, Microsoft is facing the same threat that broke Worldcom. Unable to make significant acquisitions, unable to meet growth internally, and now unable to cook the books like Worldcom, Microsoft's certain to get very defensive as the pressures heat up.

    I thought I saw the beginnings of this phenomenon in 1998 at the IPv6 summit, where Microsoft's techs at the conference were explaining their implementation at first with great pride, only to be somewhat ashamed at how much they hadn't followed the specification very well, had numerous bugs and compatibility issues, and were clearly well behind everyone else. Nearly every other operating system had a much more mature implementation. (How long did that IPv6 stack remain a beta too?)

    Amazingly, Microsoft is now attempting to patent IPv6 through a copy-cat specification (as was discussed on slashdot). Somehow it's not amusing when the kid who was not very successful in his participation in the group assignment decides to take exclusive credit for the group's effort.

    So now Microsoft is blaming IPv4's engineering (when just like IPv6, everyone else seemed to understand and master the assignment EXCEPT Microsoft)?

    As a teacher of mine once said to perpetual underachievers in class: Perhaps you might consider a career in food service instead?

  4. MS Windows Server 2003 also has buggy TCP/IP by spadadot · · Score: 5, Interesting

    I wrote an article about a very serious problem related to Windows Server 2003 TCP/IP.

    Here's a quote : "Trying to set up a Windows Media streaming server to stream high-quality videos, I came across what I can now call a TCP/IP bug in Windows Server 2003 (Standard Edition). In some (not unusual) situations, the server simply cannot use all available bandwidth between itself and the client.
    [...]
    Eventually, I came to accept the idea that Windows Server 2003, an OS designed for server tasks, is not able to fill a 2Mbit/s ADSL connection. Yes I know it sounds incredible but I've been looking without success for another conclusion for the past 3 months."

    Read the full technical explanation and see what Microsoft has to say about it : Microsoft Windows Server 2003 Buggy TCP/IP ?

  5. The Metro of netoworking protocols by SuperKendall · · Score: 5, Interesting

    Yes, the path becomes clear...

    Abandon the industry standard for VMs (Java) and roll your own (.Net).

    Abandon the industry standard for portable documents (PDF) and roll your own (Metro).

    Abandon the industry standard for networking (TCP/IP) and roll your own (???).

    Each sounds more improbable than the last. Yet the first one has happened, the second is going to happen, and thus the third seems much less improbable than it would have otherwise.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  6. Re:Hammer, meet nail. by cirisme · · Score: 5, Interesting

    The brain damaged part has nothing to do with TCP/IP, because their implementation has nothing to do with security.

    Seriously? You really think it's their brain damaged TCP/IP implementation that's at fault? Think again. It may be bad, but giving every program access to raw sockets is a bit silly considering how easy it is to get programs into Windows. But this is a good move, a better one would to have been to make it so it's not as simple to get untrusted programs running in Windows but I digress.

  7. Something is wrong, alright by ajs318 · · Score: 5, Interesting

    The various BSD flavours support raw sockets. So does Solaris, and even Linux for that matter.

    The difference with the Unix-like systems is that ordinary users don't get to poke about with dangerous stuff.

    The real point is that Windows software has for too long depended on the assumption that the user has full unfettered access to every resource on the computer -- an assumption which had to cease to be true when Windows became network-aware, because in a networked environment some things are properly restricted. Yet for the best part of ten years, Windows continued to run without privilege separation; and application programmers took advantage of that, creating code which turned out to be fundamentally broken.

    Face it, the bathwater is minging and the baby is dead -- there is nothing worth saving in the whole sorry mess. Whether bad water killed the baby, the dead baby made the water worse, or the two are unconnected, isn't really important right now. What is important is to get rid of them both, scrub out the bathtub and start again.

    Of course, if you're going to switch to a new version of Windows -- which would have to be totally incompatible with all that sloppily-written software needing root access for no good reason -- then that would be about as big a change as switching to some other operating system. That must worry Microsoft .....

    --
    Je fume. Tu fumes. Nous fûmes!
  8. Pushing more people towards Linux by Anonymous Coward · · Score: 5, Interesting

    I work for a company that sells a high-end network security scanning product. We have been dealing with this XP issue now for almost 2 years, and we are not the only ones who have complained to Microsoft. We have pushed our complaints as far through the channels as we can. Microsoft isn't listening.

    Their response is: buy Windows Server 2003 if you want raw sockets. We asked them if there was any guarantee that they would not break the raw sockets feature in 2003, and they would not give us that guarantee. Besides, Windows Server 2003 ships with a lot of stuff we would have to disable to make the box even remotely secure.

    Our CEO even registered a complaint with Microsoft, saying "We pay to use your software and you are hurting our business and hurting our customers and costing us money with this change. And you have heard our complaints and you are ignoring them." Microsoft responded that they would pass our criticism up the chain, and that's the last we heard.

    That's why it irritates me to read in the article that Microsoft has had "little negative feedback" on this issue. I'm sure we're not the only paying customer of Microsoft that has been affected. And they are not telling the truth when they say that "the only thing affected by this change is fingerprinting software": port scanning is affected too.

    So we have started recommending that our customers use the Linux version of our product. Now Microsoft is losing hundreds of thousands of dollars of revenue per quarter just from our company.