Slashdot Mirror


Microsoft States Full TCP/IP Too Dangerous

daria42 writes "To fully implement the TCP/IP protocol in Windows XP would make creating denial of service attacks 'entirely too trivial', Microsoft has claimed. The company was responding to claims by Nmap author and well-known security expert Fyodor that by repeatedly disabling the ability to send TCP/IP packets via the 'raw sockets' avenue, Microsoft was asking the security community to 'pick their poison': either cripple their operating system or leave it open to hackers. Admitting that a recent security patch had intentionally disabled a community-developed workaround to Microsoft's TCP/IP changes - which were first implemented in Windows XP Service Pack 2 - the company claimed it had received little negative feedback on the issue."

117 of 575 comments

  1. News Flash: Butter is good on toast! by TripMaster+Monkey · · Score: 3, Interesting

    From the Article:

    "Supporting packet sends from simple user-mode raw sockets makes it entirely too trivial for compromised systems under control of hackers to launch massive distributed denial of service attacks," Microsoft warned in a statement to ZDNet Australia.

    Interesting that M$ sees fit to lecture us on the dangers of raw sockets now, given their prior stand on the issue.
    --
    ____

    ~ |rip/\/\aster /\/\onkey

    1. Re:News Flash: Butter is good on toast! by rsmith-mac · · Score: 5, Insightful

      Let's give MS some credit here; I think even they've come to realize that Gibson was right and raw sockets for users was a mistake. The fact of the matter is that they fixed the issue by taking away raw sockets, and now they have to defend that position.

    2. Re:News Flash: Butter is good on toast! by Le_Batleur · · Score: 2, Insightful

      Seconded.

      Gibson came in for a lot of flak from hecklers who didn't understand his concerns, both here and on his own website. The attacks were quite vitriolic and energetic, surprisingly so.

      The concept can be used for good or evil, depending on their application. So do you remove them, or keep them? Most will use them (accidentally, by trojans) for evil, so they should at least have to be enabled by some extra process, like the filter or monitor drivers for Windows have to be added manually. Deliberate misuse of them can only be effectively blocked by the next layer up - the router on that connection, controlled by the ISP, filtering out such harm.

      Ironically, I use Nmap in my work and would like to continue to use raw sockets in conjunction with this and other Penetration-Testing software.

      His "Nanoprobe" (Bad Trekkie-style name for very cool technology) custom TCP/IP stack can manipulate, interrogate, and interpret conventional datagrams to quite astonishing levels - well worth learning more.

    3. Re:News Flash: Butter is good on toast! by Deathlizard · · Score: 2, Insightful

      Restricting them is a start in the right direction, but the way Microsoft did it is screwed up.

      What they should have done is make raw socket restrictions mandatory on Windows XP home and below (Media Center, Reduced Media and Starter edition) and allowed Windows XP professional and above to at least be able to run with full raw sockets if you turn on a setting in TCP/IP settings.

      They have this new Security Center thing running all the time warning you about your antivirus and firewall changes. It would have been trivial to make it scream at you all day if it found unrestricted raw sockets were turned on in XP Pro, and have an option to turn off the warning if you really turned the raw sockets on, just like you can with the antivirus and firewall settings.

      The only good thing here is that they at least left it on in their server line. If they shut it off there they would have a real mess.

    4. Re:News Flash: Butter is good on toast! by cortana · · Score: 2, Insightful

      Any malware that wanted raw sockets turned on would then be able to turn it on itself.

    5. Re:News Flash: Butter is good on toast! by Deathlizard · · Score: 3, Interesting

      True, but you can make it very difficult to change it.

      For example, you can make it an addon in "Add/Remove Programs" like they do with UPnP. That way, in most cases you would need to put the Windows XP CD into the machine in order to install open raw sockets.

      Yes, the malware could include the files to install unrestricted raw sockets, but if the files to enable raw sockets are protected and restricted correctly it would be difficult for any program other than Windows to modify them.

    6. Re:News Flash: Butter is good on toast! by Deathlizard · · Score: 2, Interesting

      Even if the OS was designed correctly, it would get hacked.

      Let's say they had a full security model designed from the ground up to completely protect Administrator. Let's say that on a default install it made you a user account instead of admin. Let's go even as far as everything you install is installed on your account only and that simply erasing your profile removes everything you've ever done with that profile on the machine.

      All it's going to take to get that machine hacked is one single privilege escalation exploit. It doesn't matter if it's local or remote, or what you have to do to exploit it; if it's there, it's over.

      Don't believe me? Ask Kevin Mitnick. He's a prime example of how to get into a machine using social engineering. He understood that the machine wasn't the weakest link in the chain but the person behind the keyboard was, and it's really easy to fool that person into doing whatever you want them to do because most people don't know (or care) what they are doing.

      It would be trivial for someone to create an executable file that can exploit said root vulnerability, send it to John Q. Luser and poof, his box is now the hacker's box. How do you think Sobig got on so many machines? All it is is an attached file that someone opens. If no one opened the file there wouldn't be such a huge outbreak of it. Doing the same thing with a rootkit instead of a virus would be just as trivial.

      And if you think it can't happen to Linux or OS X or whatnot, think again. Both of those OSes have or had local and global exploits this year alone, and it's a safe bet that there are a lot of unpatched machines out there, but in any case I can almost bet you could make a program for any of those OSes, and if it asked for the root password to install it and the person really wanted it, they would type the password in and it's over anyway. So if 10-year-old Billy really wants that new "Shoot the kitten out of the cannon" game that just came out on adware4freesearch.com, he will do anything to install it, even if it exploits root and formats your hard drive if the kitten breaks the 1000 YD barrier.

      The only true way that this would ever be stopped is if every user ran in a true VM environment (like VMware) that was totally separate from the host OS and had a disposable operating environment independent of the user's profile, which would be erased once the user shut down or logged off, and even then, they could be doing something malicious for the time they are logged in.

  2. Baby, meet bathwater. by mfh · · Score: 5, Informative

    To fully implement the TCP/IP protocol in Windows XP would make creating denial of service attacks 'entirely too trivial'

    This is because XP is not designed right, not because the TCP/IP protocol is wrong. (just to be clear)

    The quote from Fyodor is:
    "Pick your poison: Install MS05-019 and cripple your OS, or ignore the hotfix and remain vulnerable to remote code execution and DoS."

    It's like... we just... can't... win.

    Fyodor goes on to say...

    "Nmap has not supported dialup nor any other non-ethernet connections
    on Windows since this silly limitation was added. The new TCP
    connection limit also substantially degrades connect() scan. Nmap
    users should avoid thinking that all platforms are supported equally.
    If you have any choice, run Nmap on Linux, Mac OS X, Open/FreeBSD, or
    Solaris rather than Windows. Nmap will run faster and more reliably.
    Or you can try convincing MS to fix their TCP stack. Good luck with
    that."
    The answer, my friend, is to drop Microsoft.

    Baby, meet bathwater.

    --
    The dangers of knowledge trigger emotional distress in human beings.
    1. Re:Baby, meet bathwater. by shird · · Score: 4, Interesting

      Or perhaps if you are going to write apps that require such low level network access, you should be using a packet driver (or whatever the mechanism is in windows) to do that.

      The same can be said for any access to hardware that could be considered unnecessary for typical applications or 'harmful' to the hardware (harmful in the sense that it is 'harmful' to the network and your connection).

      I think what MS has done is quite acceptable, given the number of trojans out there that are DoS'ing and spamming like crazy. Trojans that are on the systems often because of user stupidity rather than an insecure OS. As long as it is possible to actually write such a 'driver' (I think there is a different name for it, but I can't remember).

      --
      I.O.U One Sig.
    2. Re:Baby, meet bathwater. by iainl · · Score: 2, Insightful

      Presumably, the reason for not doing so is that if you can run something reasonably tiny to get access to raw-mode anyway, then that is the first thing any worm is going to do.

      The real message is that if you need these proper TCP/IP features, use a proper OS.

      --
      "I Know You Are But What Am I?"
    3. Re:Baby, meet bathwater. by fudgefactor7 · · Score: 2, Insightful

      Actually, TCP/IP is broken. It was never intended to be secure, rather just a means of communication. The creators of the stack never envisioned people doing what they are with it. It needs a complete reworking--thus the need for IPv6 with all the security hoo-has in play. MS was in a quandary: force the patch out and fix the issue, and thereby hamstring some machines; or don't fix it and have an explosion of zombies and compromised machines--for which there would be no end to the complaints (on Slashdot or anywhere else, for that matter). What's your pick: a more secure Internet experience for everyone or not?

      IPv4 is broken, like it or not. Our only hope is to fix it.

    4. Re:Baby, meet bathwater. by EvilTwinSkippy · · Score: 2
      I had to reprogram my switches to not accept partial packets because Windows clients infected with scanning trojans were hogging the lines with crap UDP traffic.

      Mind you, I'm not talking about our 3Mb link to the internet. I'm talking about our 100Mb switch in the basement.

      Whatever Microsoft thinks they are doing, it isn't helping in the areas that count.

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
    5. Re:Baby, meet bathwater. by Krach42 · · Score: 4, Informative

      After walking through the MS articles and stuff, I came across this: http://support.microsoft.com/kb/897656/

      Quoted from there is basically: if you want to use hand-crafted TCP/UDP packets over a raw IP connection, you must enable the Internet Connection Firewall.

      At least, this is for SP1, I don't know if you can get away with this in SP2.

      --

      I am unamerican, and proud of it!
    6. Re:Baby, meet bathwater. by aug24 · · Score: 2, Insightful
      Or perhaps if you are going to write apps that require such low level network access, you should be using a packet driver (or whatever the mechanism is in windows) to do that.

      Which, if you are right, is what the DDoS malware will now start to do.

      Justin.

      --
      You're only jealous cos the little penguins are talking to me.
    7. Re:Baby, meet bathwater. by Slashcrap · · Score: 4, Interesting

      Quoted from there is basically: if you want to use hand-crafted TCP/UDP packets over a raw IP connection, you must enable the Internet Connection Firewall.

      I was about to reply pointing out that you had obviously meant to say, "disable the Firewall".

      Then I read the Knowledgebase article.

      God, that's retarded. The firewall doesn't do jack shit to block outgoing traffic anyway. Why the hell should it be safer to allow raw sockets when it's on?

    8. Re:Baby, meet bathwater. by kfg · · Score: 5, Insightful

      No justification whatsoever for your claim of XP not designed right.

      While this is correct, providing such justification would be like providing justification for a claim that Pintos weren't designed right and had a tendency to blow up.

      There might be some who have missed that, but it's still common knowledge that doesn't bear repeating every damned time the issue comes up. I suppose we could all attach standard disclaimer files to all of our posts, but they would take up two or three Libraries of Congress to only cover the most common of the bases.

      Follow one of the links provided in subsequent posts to Steve "Foaming at the Mouth" Gibson's site to get a rundown on the issues. Note that Steve will cheer this move by MS because flaws in the OS design make it necessary.

      The core issue being that XP Home Edition runs apps in administrator mode, giving all apps, like a trojan, full access to raw sockets. Most home users that use Pro are still silly enough to run in admin mode as well. But hey, at least it's hardened against trojans, eh?

      Easy to infect with malicious code, malicious code runs with full privileges. That's bad design.

      . . .i do think they should make available as a download or on CD a TCP/IP pack that does support raw sockets.

      A patch to restore what a patch took out. That alone should clue you in that something braindead is going on.

      Please note that only "desktop" versions of XP are affected, so all you have to do is buy a server product from MS.

      Or install BSD for free.

      KFG

    9. Re:Baby, meet bathwater. by gowen · · Score: 2, Insightful
      "Supporting packet sends from simple user-mode raw sockets makes it entirely too trivial for compromised systems under control of hackers"
      You see, there are two ways to address this problem.
      i) Stop using raw sockets.
      ii) Make systems much harder to compromise.

      The real problem here is the massive abundance of compromised systems.
      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    10. Re:Baby, meet bathwater. by PurpleXanathar · · Score: 2, Insightful

      Whether this is a good or bad choice, it shouldn't bother you if you are writing internet applications, since only a few apps really need raw socket access.

    11. Re:Baby, meet bathwater. by dougmc · · Score: 2, Interesting
      The limitations of IPv4 have nothing to do with Zombies.
      That's not quite true. Many (most?) zombies and other forms of malware out there that are used to DDoS remote sites take advantage of the limitations of IPv4 (mostly the ease of forging your source IP address) to hide the true sources of the attack.
    12. Re:Baby, meet bathwater. by shird · · Score: 2, Insightful

      Actually, yes it does. By not spoofing the source of the attacks, you are able to filter the traffic and track where it is coming from. DDoS style attacks will still be possible initially, but these machines will be singled out soon enough as they can no longer hide.

      --
      I.O.U One Sig.
    13. Re:Baby, meet bathwater. by shird · · Score: 2, Interesting

      This 'fix' was only just introduced in SP2. Most of those attacks are likely to be from infected machines that aren't patched up - and therefore aren't running SP2. So you cannot really draw the conclusion that its not helping.

      --
      I.O.U One Sig.
    14. Re:Baby, meet bathwater. by throughthewire · · Score: 4, Insightful
      ...DDoS remote sites take advantage of the limitations of IPv4 (mostly the ease of forging your source IP address) to hide the true sources of the attack.

      Which could be all but eliminated if ISPs would implement access lists in their routers to drop packets with source addresses other than those assigned to the downstream networks.

      Problem solved without relying on OS vendors or end users to implement anything at all.
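The ingress filter described above is BCP 38 source-address validation: the provider's edge router knows which prefixes it assigned to each downstream interface and drops anything arriving on that interface with a source address outside them. The following is an added illustration, not code from the thread or from any router vendor; the interface names, prefix assignments and sample packets are all constructed for the example.

```python
import ipaddress

# Constructed example: which address blocks the ISP has assigned to each
# downstream (customer-facing) interface. A real deployment would pull this
# from the provisioning database or derive it from the routing table (uRPF).
DOWNSTREAM_PREFIXES = {
    "cust-a": ["192.0.2.0/24"],
    "cust-b": ["198.51.100.0/25", "198.51.100.128/26"],
}


def build_ingress_filter(assignments):
    """Parse the assignment table into ip_network objects, one list per interface."""
    return {
        iface: [ipaddress.ip_network(prefix, strict=True) for prefix in prefixes]
        for iface, prefixes in assignments.items()
    }


def ingress_decision(ingress_filter, iface, src_ip):
    """BCP 38 check for one packet arriving on a downstream interface.

    Permit only if the source address lies inside a prefix assigned to that
    interface; anything else is treated as spoofed and dropped. An interface
    with no assignment fails closed.
    """
    allowed = ingress_filter.get(iface)
    if allowed is None:
        return "drop"
    src = ipaddress.ip_address(src_ip)
    return "permit" if any(src in net for net in allowed) else "drop"


def filter_packets(ingress_filter, packets):
    """Apply the check to (iface, src_ip, dst_ip) tuples; return (iface, src_ip, decision)."""
    return [
        (iface, src, ingress_decision(ingress_filter, iface, src))
        for iface, src, _dst in packets
    ]


# Constructed sample traffic, as it might be summarised from a flow log.
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.10", "203.0.113.5"),      # legitimate: inside cust-a's block
    ("cust-a", "198.51.100.7", "203.0.113.5"),    # spoofed: that block belongs to cust-b
    ("cust-b", "198.51.100.150", "203.0.113.5"),  # legitimate: inside 198.51.100.128/26
    ("cust-b", "198.51.100.200", "203.0.113.5"),  # spoofed: .192-.255 is not assigned to cust-b
    ("cust-b", "10.0.0.1", "203.0.113.5"),        # spoofed: private address, never assigned
    ("cust-c", "192.0.2.1", "203.0.113.5"),       # unknown interface: fail closed
]


def spoofed_sources(ingress_filter=None, packets=SAMPLE_PACKETS):
    """Return the (iface, src_ip) pairs the filter would drop."""
    if ingress_filter is None:
        ingress_filter = build_ingress_filter(DOWNSTREAM_PREFIXES)
    return [
        (iface, src)
        for iface, src, decision in filter_packets(ingress_filter, packets)
        if decision == "drop"
    ]


if __name__ == "__main__":
    f = build_ingress_filter(DOWNSTREAM_PREFIXES)
    for iface, src, decision in filter_packets(f, SAMPLE_PACKETS):
        print(f"{iface:7} {src:16} {decision}")
```

The interesting cases are the two drops on cust-b: one address sits in a gap between that customer's two prefixes, the other is a private address that no customer holds. Both are exactly the forged sources a compromised host behind that interface could otherwise emit, and neither the OS vendor nor the end user has to do anything for the router to refuse them.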

    15. Re:Baby, meet bathwater. by hedora · · Score: 2, Interesting
      I see this as a three pronged approach by Microsoft.
      • Take a new, innovative direction in security. In the long run, they can cripple Windows until it cannot be useful enough for a virus/worm author to target. (If you are an end user, see the next point.)
      • Microsoft understands that some "enterprise" applications like nmap or ping require a modern operating system. Therefore, maybe a special "enterprise" version of XP (with all the functionality of Windows XP SP1) is in the works. It will only cost a 'little' more than XP Pro. Maybe they'll use the average of the price of XP Pro and 2003 Server...
      • If everyone signs their code with an MS approved key, the code that results will be non-malicious and bug free. (Look at ActiveX!) Code in the kernel runs faster. (Especially since it bypasses the .NET VM!) Therefore, application developers can simply write at kernel level. This has the added benefit of being really, really hard to get right. We all know that virus authors are complete idiots, and professional software developers are willing to jump through arbitrarily high hoops to deal with arbitrary bugs/limitations in Windows, so there is no downside to further obfuscating its APIs.

      By extrapolating this reasoning over the next few years, we can see that other dangerous operations will be moved into the kernel. For instance, preventing user-space code from writing files in binary mode will prevent malicious third party software from writing invalid application data. (This way, the terrorists that wrote Open Office will not be able to crash Office XP any more...this also kills off polymorphic viruses that spool the outgoing versions of themselves to disk!)

      Finally, they can set all of C:\Program Files and C:\Windows read only, unless you write your installer as a kernel level driver. This will further protect the system from malicious applications.

      This combined with a few hundred ill-advised random hacks will lock down the dangerous administrator account. If any customer complaints are generated, they'll simply have the default user run everything in a cooperative-multitasking, in-kernel setting. It will be like Windows 3.0, but secure.

      Maybe they'd be better off if they moved away from this idea that pushing application code into the kernel is a good idea...

  3. Ulterior motives by bmw · · Score: 4, Interesting

    It's quite obvious that Microsoft has other motives for doing this as this really doesn't do anything to improve security. As was quoted in the article, Fyodor correctly points out that Windows (AFAIK) is the only operating system to put such restrictions on raw sockets and it certainly has not helped their dismal security.

    Of course, there's always the possibility of ignorance...

    Never attribute to malice that which is adequately explained by stupidity.

    but I really have to doubt that Microsoft is quite this dumb. They've got a lot of really talented people working there so you have to think that someone would have thought about this. Then again, they have demonstrated a supreme lack of understanding when it comes to security so who knows.

    1. Re:Ulterior motives by harrkev · · Score: 2, Insightful

      Microsoft can't win no matter WHAT they do.

      Steve Gibson (author of Spinrite, among other things), has been on a crusade for years to get raw sockets taken out. See his web page. And I tend to trust this guy. He makes Windows programs in assembly! That is the geek equivalent of crushing a beer can on your head! That may make you question his sanity, but certainly not his technical knowledge.

      Implement raw sockets, get blasted by one security "expert." Take them out, and get blasted by another.

      For what it's worth, I think that raw sockets in user-mode are a bad idea. The average user does NOT need raw sockets.

      --
      "-1 Troll" is apparently the same as "-1 I disagree with you."
    2. Re:Ulterior motives by grasshoppa · · Score: 2, Insightful

      Gibson is a nit. His site is propaganda, written to manipulate and distort.

      He writes win32 programs in Assembly. So what? All that proves is he has tons of time on his hands. The real test is writing reusable, easy to understand code, portable if possible.

      --
      Mod me down with all of your hatred and your journey towards the dark side will be complete!
    3. Re:Ulterior motives by 0x461FAB0BD7D2 · · Score: 4, Informative

      If they locked down raw sockets and made it available only to administrators or root users, that would solve it.

      Gibson points out that other operating systems do this, while Windows doesn't. The problem lies there, not in the inclusion of raw sockets API.

    4. Re:Ulterior motives by Anonymous Coward · · Score: 5, Interesting

      Then again, they have demonstrated a supreme lack of understanding when it comes to security so who knows.

      Actually, I think we're seeing the maturation of a "corral the wagons" paranoia in Microsoft's culture. Lacking the ability to push any serious innovation internally (let's be serious, most of Microsoft's innovations during the past 20 years were brought in through acquisitions or copycat development ala VMS for NT, liberal borrowing from OS/2, Apple and Mach, etc). Now that antitrust severely limits acquisition growth, Microsoft is facing the same threat that broke Worldcom. Unable to make significant acquisitions, unable to meet growth internally, and now unable to cook the books like Worldcom, Microsoft's certain to get very defensive as the pressures heat up.

      I thought I saw the beginnings of this phenomenon in 1998 at the IPv6 summit, where Microsoft's techs at the conference were explaining their implementation at first with great pride, only to be somewhat ashamed at how much they hadn't followed the specification very well, had numerous bugs and compatibility issues, and were clearly well behind everyone else. Nearly every other operating system had a much more mature implementation. (How long did that IPv6 stack remain a beta too?)

      Amazingly, Microsoft is now attempting to patent IPv6 through a copy-cat specification (as was discussed on slashdot). Somehow it's not amusing when the kid who was not very successful in his participation in the group assignment decides to take exclusive credit for the group's effort.

      So now Microsoft is blaming IPv4's engineering (when just like IPv6, everyone else seemed to understand and master the assignment EXCEPT Microsoft)?

      As a teacher of mine once said to perpetual underachievers in class: Perhaps you might consider a career in food service instead?

    5. Re:Ulterior motives by Andrewkov · · Score: 5, Insightful

      Except everyone does their daily work signed on as administrator (by everyone I mean the majority of average users). Maybe a desktop OS for the masses *should* be crippled in some ways, to protect people from themselves. And people who need a full featured OS can use something else (a separate version of Windows, or whatever).

    6. Re:Ulterior motives by Anonymous Coward · · Score: 2, Insightful

      Steve Gibson is a blabbering idiot. If you have any technical knowledge you realise that at least half of his articles don't even make sense.

      And yes, I also write windows programs in assembly. I even earn money from it. It's not any harder than C or any other language.

    7. Re:Ulterior motives by LWATCDR · · Score: 2, Insightful

      How about turning off raw sockets as default but letting the admin open them up if the machine needs them.
      You can make any system insecure if you are dumb enough. Put a Linux box on the net running every server known to man, no firewall, and the root password set to root. It will be owned in a second.
      The trick is to make the defaults safe. So put in an option.
      Of course the problem is that most Windows users run as admin so IF a malware program is run it will have the ability to change it :( Crap, I hate Windows.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    8. Re:Ulterior motives by pg110404 · · Score: 2, Insightful

      If they locked down raw sockets and made it available only to administrators or root users, that would solve it.

      The only problem to that argument is that a good number of people who bother to create separate accounts apart from administrator don't bother to (at least in the xp pro version I use) unclick the checkbox that by default gives them administrator privileges.

      If microsoft did do this AND changed their security policy so additional users by DEFAULT DON'T have administrator rights, it would certainly go a lot farther.

    9. Re:Ulterior motives by misleb · · Score: 2, Insightful
      Except everyone does their daily work signed on as administrator (by everyone I mean the majority of average users).

      THIS is the problem that needs to be solved. Otherwise you are treating the symptoms and not the disease.

      Maybe a desktop OS for the masses *should* be crippled in some ways, to protect people from themselves

      Or maybe users shouldn't be given admin access by default. That way you can restrict the user without crippling the operating system. OS X does this. Users are by default put in the admin group, but they still have to enter their password (su) to perform any administrative functions such as installing an application.

      And people who need a full featured OS can use something else (a separate version of Windows, or whatever).

      Totally unacceptable.

      -matthew

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    10. Re:Ulterior motives by Reality+Master+101 · · Score: 2, Insightful
      The kind that recognizes that everyone has limitations, and once you have made an honest effort to reach as high as you can, continued striving above your limitations benefits no one.

      Everyone has limitations, but it's not for the teacher to judge who has them and who doesn't, because he can't. That fucker should be fired, if not put in jail. I wonder how many kids he screwed up with his smack down comments.

      I also wonder how many kids would have done well with a more positive teacher, but now think they have "limitations" due to this teacher.

      Gah, that's maddening.

      --
      Sometimes it's best to just let stupid people be stupid.
    11. Re:Ulterior motives by blahtree · · Score: 2, Insightful

      As a teacher of mine once said to perpetual underachievers in class: Perhaps you might consider a career in food service instead?

      Some people are too arrogant for words. People learn differently and are motivated by different things. That teacher has clearly not studied learning in any meaningful way.

    12. Re:Ulterior motives by Gabrill · · Score: 2, Insightful
      Maybe a desktop OS for the masses *should* be crippled in some ways, to protect people from themselves. And people who need a full featured OS can use something else (a separate version of Windows, or whatever).

      That won't fly in homespace. It won't even walk. It'll work in the workplace and nowhere else.

      Home users ARE their own admins, and they need to be able to install software, develop programs, and do other "insecure activities" as a matter of course.

      The best you can do for a home operating system is to demand a password for EVERY new piece of software, including Java and Flash apps.

      Expect to see automatic password programs soon after.

      --
      Always going forward, 'cause we can't find reverse.
    13. Re:Ulterior motives by Skjellifetti · · Score: 2, Insightful

      This, too, is the fault of Microsoft. If you design the O/S such that it's difficult or impossible to run apps as a normal user, this is the result.

      I refuse to believe that it is difficult or impossible to write an app for MS OSs that does not require the app to be run as admin. This is more often than not the fault of application programmers who are too damn lazy to write user specific data to the user's home directory instead of to either the system or the app's installation directory thus requiring the user to be admin or have write perms on the system directories.

      A lot of what MS has written is buggy and full of security holes, but too many applications have carried over bad practices from the days when Win 3.1 was a single user system.

  4. A wise decision by jawtheshark · · Score: 5, Insightful
    Of course nobody needs raw sockets, and after all no other operating system supports them. I mean, it's not as if OpenBSD, Mac OS X, FreeBSD, NetBSD, the various Linux flavours support it. It would be too dangerous.

    No, Microsoft... none of those support raw sockets. Oh, wait... they all do. The problem is not raw sockets; the problem is the holes in the OS in the first place. If your OS doesn't run services that can be hacked, or if the applications don't allow untrusted code to execute, there is no problem. Avoiding raw sockets is treating the symptoms, not the cause.

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    1. Re:A wise decision by TheRaven64 · · Score: 5, Informative

      On UNIX-like systems, creating a RAW socket can only be done by the superuser. Putting a similar restriction on Windows (substitute Administrator for superuser) would provide no benefit, since Windows is designed in such a way that most users run as an Administrator. Depressingly, the RunAs service has been around for many years now, completely eliminating the need to run as an Administrator. Unfortunately, the lack of a decent UI for this service has prevented its widespread use.

      --
      I am TheRaven on Soylent News
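The privilege rule the comment above describes can be checked directly: on Linux and the BSDs, `socket(AF_INET, SOCK_RAW, ...)` succeeds only for root (on Linux, for a process holding CAP_NET_RAW), and the kernel answers everyone else with EPERM. The script below is an added illustration, not code from the thread or from Nmap; it reports what the kernel allowed the current process to do, contrasted with an ordinary UDP socket that needs no privilege at all.

```python
import errno
import os
import socket


def raw_socket_privilege(proto=socket.IPPROTO_ICMP):
    """Ask the kernel for an IPv4 raw socket and report what it said.

    Returns "permitted" if the socket was created, "denied" if the OS refused
    on privilege grounds (EPERM/EACCES: not root and no CAP_NET_RAW), and
    "unavailable" if raw sockets fail for some other reason (for example a
    sandbox with no network stack at all).
    """
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, proto)
    except OSError as e:
        if e.errno in (errno.EPERM, errno.EACCES):
            return "denied"
        return "unavailable"
    s.close()
    return "permitted"


def ordinary_socket_ok():
    """Contrast case: a plain UDP socket is granted to any unprivileged user."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    except OSError:
        return False
    s.close()
    return True


def privilege_report():
    """Summarise who the process is and what the kernel let it open."""
    euid = os.geteuid() if hasattr(os, "geteuid") else None  # None on Windows
    return {
        "euid": euid,
        "raw_socket": raw_socket_privilege(),
        "ordinary_socket": ordinary_socket_ok(),
    }


if __name__ == "__main__":
    for key, value in privilege_report().items():
        print(f"{key}: {value}")
```

Run as a normal user the report shows `raw_socket: denied` next to `ordinary_socket: True`; as root, or after granting the interpreter CAP_NET_RAW with `setcap`, the raw socket is permitted. That is the whole of the UNIX model the comment refers to: the capability is gated on the process, not removed from the stack, which is exactly why it is meaningless on a desktop where every process already runs as Administrator.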
    2. Re:A wise decision by Karzz1 · · Score: 2, Informative

      the RunAs service has been around for many years now, completely eliminating the need to run as an Administrator

      You must be kidding. The runas service is *nothing* compared to a true multi-user environment. Other than installing software runas is useless. How do you modify the registry without logging out the local user? How do you add printers to the machine without logging out the user?

      Runas is a hack to make up for oversights in the OS.

      --
      Beware of he who would deny you access to information, for in his heart he dreams himself your master.
    3. Re:A wise decision by Chibi+Merrow · · Score: 5, Informative

      How do you modify the registry without logging out the local user?

      runas /user:Administrator@domain regedit.exe

      How do you add printers to the machine without logging out the user?

      runas /user:Administrator@domain "C:\program files\internet explorer\iexplore.exe"
      Click View, Explorer Bar, go to printers control panel, add printer...

      Yes, you're right, there are some things you still can't do using runas, but not many. Be creative.

      --
      Maxim: People cannot follow directions.
      Increases in truth directly with the length of time spent explaining them
    4. Re:A wise decision by NoMoreNicksLeft · · Score: 4, Interesting

      Set my girlfriend up with a non-admin account. So, I end up having to install all her software for her... except at the time, things like ICQ simply wouldn't run right, even when installed by admin and run as user. Many of those have changed, many haven't. Still too many dumb apps and games that won't run with anything less, even if you did manage to install them.

      What I really need, is a firefox theme that looks like IE, and a desktop theme that looks like XP. She'd never know the difference. (and when wine fails to run the dumb shareware games she tries to install, I'd be like "They must not have programmed them very well, I can't make them work!".)

    5. Re:A wise decision by 10101001+10101001 · · Score: 2, Insightful

      It's different primarily because there's more than su. Most user-friendly distros, along with KDE itself, have been moving towards a system somewhat like OS X; i.e., when necessary you're prompted for the root password. There's even a nice "Konqueror File Manager (Admin)" on the desktop for some distros. Add to that things like sudo and ksu, and it's a lot more than simply su.

      Having said all that, su is still better than RunAs. Why? Because Linux distros that demand you use su don't hide from you the configuration program. It's not a question of running "rundll32 ..." at some point. And while getting root X programs to securely run on the desktop is not trivial, there's a lot of command-line programs that never touch X and for which su is perfectly capable of doing its job. With Windows, which is so GUI centric, not having a GUI interface to RunAs is blatantly obviously bad. Just like if there was only a GUI interface to su in *nix.

      --
      Eurohacker European paranoia, gun rights, and h
    6. Re:A wise decision by snorklewacker · · Score: 2, Insightful

      Runas is not the pile of shit, the installer is. Most of those broken installers will fail if you rename the Administrator account. Is Microsoft to blame for stupid installers that can't use the *excruciatingly* well-documented APIs for this sort of thing? Go complain at the folks who wrote the installer.

      I can write a unix installer that requires root but will fail if your uid 0 isn't named root, or you merely used su instead of "su -". I've even *seen* installers that do idiotic things like if [ `whoami` != root ] ...

      --
      I am no longer wasting my time with slashdot
    7. Re:A wise decision by nusuth · · Score: 5, Funny
      runas /user:Administrator@domain "C:\program files\internet explorer\iexplore.exe"

      So you run internet explorer to add a printer. And I thought adding a printer to OS/2 was unintuitive...

      --

      Gentlemen, you can't fight in here, this is the War Room!

    8. Re:A wise decision by shird · · Score: 2, Interesting

      and when wine fails to run the dumb shareware games she tries to install. I'd be like "They must not have programmed them very well, I can't make them work

      Why don't you just say that when things like shitty ICQ fail to run correctly? After all, in this case it actually *is* the fault of the programmers of the application, unlike the 'shareware windows games running under Linux' case you described.

      --
      I.O.U One Sig.
    9. Re:A wise decision by mordejai · · Score: 2, Informative

      RunAs doesn't always work as expected
      But this guy has a blog dedicated completely to the whole non-admin subject, including some utilities to make it easier.

  5. They picked C by Nijika · · Score: 5, Funny
    Cripple the OS, and leave it open to hackers!

    In Redmond, this is what they call a win win.

    //no Karma Bonus for that one... ;)

    --
    Luck favors the prepared, darling.
    1. Re:They picked C by Temporal · · Score: 2, Funny

      For a minute there, when you said "They picked C", I thought you meant as in the programming language. Ironically, your post makes almost as much sense with this interpretation. /me runs away.

  6. Core Routers by republican+gourd · · Score: 4, Funny

    This is just part of the push to get the core internet routers cut over to NetBEUI well in advance of any ipV6 rollout. If Microsoft can manage that, the internet will be theirs again, just like when they initially built it between Steve, Bill and Woz's offices back in the early seventies.

    Scary thing is, from what I've been reading Oracle will go along with this. And they can tell the future!!

    1. Re:Core Routers by drinkypoo · · Score: 2, Funny

      Steve, Bill and Woz's offices back in the early seventies.

      OMGWTFBBQ you noob! You forgot Al Gore's node.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  7. Maybe Microsoft wants to by Trigun · · Score: 2, Funny

    rewrite TCP/IP? Embrace and extend it, so that we can have a safe, trusted internet?

  8. Going back on their word by jelevy01 · · Score: 2, Interesting
    1. Re:Going back on their word by Smallpond · · Score: 4, Insightful

      Cringely never gets more than about 50% correct in his articles. In this case he calls it "raw tcp/ip sockets". Wrong. Raw sockets access IP, so you can forge tcp packets in a DoS attack. Every OS allows access to TCP/IP. How else would your browser work?

      He then proposes a secure ID system. Gee. Maybe if every connection to the network had a unique 32-bit number that could be traced somehow? Maybe there could be a world-wide database connecting names and administrative information to these numbers? If only that were possible. Thanks, Bob.

  9. Responding to Steve Gibson by darylb · · Score: 4, Interesting

    Microsoft is just responding to Steve Gibson, of Gibson Research, who has hounded them for making raw sockets accessible to all programs in the past.

    1. Re:Responding to Steve Gibson by Bryson · · Score: 3, Interesting

      And he is wrong.

      To be clear: The security problem is that the net routes any packets it can, and some TCP/IP stacks will choke upon *receiving* (a flood of) bad packets. Trying to make it difficult to *send* those packets from Windows is essentially useless.

      Removing raw socket support from an operating system is a trivial, bogus attempt to hide the problem without fixing it. A root-compromised system can send raw packets no matter what the vendor implements.

      There are two reasonable places at which to resist these denial-of-service attacks: At the hosts, we can tolerate bogus-packet floods with things like SYN-cookies or random-early-drop; in the routing infrastructure, we could halt floods of hostile messages from reaching their destinations.

      Microsoft's approach here is nonsense. If an attacker takes control of a system, he can send from it any packets he wants.

      --
      --Bryan
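
      The host-side mitigation Bryan names, SYN cookies, as an added worked example that is not part of his post and is not any real kernel's scheme: a simplified model in which the server encodes a coarse time counter, an MSS index and a keyed hash of the connection 4-tuple into the SYN-ACK's initial sequence number instead of keeping a half-open table entry, then validates the client's final ACK against that encoding. The secret, the MSS table, the 5/3/24-bit layout, the two-tick maximum age and all addresses are constructed for the demo.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo secret: a real stack keeps this in kernel memory and rotates it.
SECRET = b"constructed-demo-secret"
# MSS values the server is willing to reconstruct; the index must fit in 3 bits.
MSS_TABLE = (536, 1220, 1440, 1460)
COUNTER_BITS, MSS_BITS, HASH_BITS = 5, 3, 24
MASK32 = 0xFFFFFFFF


def _keyed_hash(saddr, daddr, sport, dport, counter):
    """24-bit truncation of an HMAC over the 4-tuple and the coarse time counter."""
    msg = struct.pack("!4s4sHHI", socket.inet_aton(saddr), socket.inet_aton(daddr),
                      sport, dport, counter)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr, daddr, sport, dport, peer_mss, counter):
    """Return the ISN to place in the SYN-ACK. Nothing is stored for the half-open
    connection: everything needed to finish the handshake is encoded in the ISN.

    Layout (32 bits): [counter mod 32 : 5][MSS index : 3][keyed hash : 24]
    """
    c = counter % (1 << COUNTER_BITS)
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= peer_mss] or [0]
    idx = fits[-1]                         # largest table MSS the peer accepts
    return (c << (MSS_BITS + HASH_BITS)
            | idx << HASH_BITS
            | _keyed_hash(saddr, daddr, sport, dport, c)) & MASK32


def check_cookie(saddr, daddr, sport, dport, ack, now_counter, max_age=2):
    """Validate the handshake's final ACK. Returns the negotiated MSS, or None if
    the cookie is stale, forged, or belongs to a different 4-tuple.
    """
    cookie = (ack - 1) & MASK32            # the peer acknowledges ISN + 1
    c = cookie >> (MSS_BITS + HASH_BITS)
    idx = (cookie >> HASH_BITS) & ((1 << MSS_BITS) - 1)
    if (now_counter - c) % (1 << COUNTER_BITS) > max_age:
        return None                        # too old: the counter has moved on
    if cookie & ((1 << HASH_BITS) - 1) != _keyed_hash(saddr, daddr, sport, dport, c):
        return None                        # hash mismatch: forged or wrong tuple
    return MSS_TABLE[idx]


def simulate_flood(n_spoofed, counter, use_cookies):
    """Answer n_spoofed SYNs from constructed spoofed sources and return how many
    half-open entries the server is left holding (the resource a SYN flood exhausts).
    """
    half_open = {}
    for i in range(n_spoofed):
        key = ("203.0.113.%d" % (i % 254 + 1), 1024 + i)
        if use_cookies:
            make_cookie(key[0], "192.0.2.10", key[1], 80, 1460, counter)  # stateless
        else:
            half_open[key] = {"isn": i, "mss": 1460}                       # stateful
    return len(half_open)


if __name__ == "__main__":
    isn = make_cookie("198.51.100.7", "192.0.2.10", 40000, 80, 1460, counter=7)
    print("half-open entries, stateful:", simulate_flood(10000, 7, False))
    print("half-open entries, cookies: ", simulate_flood(10000, 7, True))
    print("legit ACK  ->", check_cookie("198.51.100.7", "192.0.2.10", 40000, 80,
                                        (isn + 1) & MASK32, now_counter=8))
    print("forged ACK ->", check_cookie("198.51.100.7", "192.0.2.10", 40000, 80,
                                        (isn + 2) & MASK32, now_counter=8))
```

      The cost of the scheme is visible in the layout: only a few MSS values survive, TCP options that would normally be remembered from the SYN are lost, and a cookie is only accepted for a couple of counter ticks, which is why real stacks switch cookies on only once the half-open queue is under pressure.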

    2. Re:Responding to Steve Gibson by Lothsahn · · Score: 3, Informative

      Technically, you are right... But Gibson's claim is that by not providing easy access to raw sockets, it becomes much harder to engineer viruses or other malware to produce successful attacks. He never claims it's impossible--in fact, he claims that the user can reimplement raw socket support--but reimplementing raw sockets is significantly more difficult than using an existing API. And considering that a large majority of viruses and malware is due to 5cr1p7 k1dd135, and not real hackers, this helps. Remember, this doesn't make Windows secure, it's just one step to make it less harmful... and that's Gibson's claim. It's one piece of the puzzle (that's mostly empty at this point).

      --
      -=Lothsahn=-
  10. I remember... by Karpe · · Score: 2, Informative

    Steve Gibson's crusade against Windows raw socket capabilities. Did Microsoft listen, and now is being criticised for doing that?

  11. raw sockets+MS?! by quetzalc0atl · · Score: 2, Interesting

    are they kidding?

    if you are mucking with protocols by using raw sockets, are you really going to be coding it on a windows platform? i can imagine a worm or trojan doing it perhaps - in a ddos scenario - but since when has raw sockets become the red-headed stepchild implicated in this?

    1. Re:raw sockets+MS?! by Rui+Lopes · · Score: 2, Insightful

      IDS? PF? Basically, anything that's not application-level...

      --
      var sig = function() { sig(); }
  12. My TCP/IP by wombatmobile · · Score: 5, Funny

    Maybe Microsoft is right. Protocols are dangerous.

    Wouldn't it be safer if we all just had a My TCP/IP folder?

    1. Re:My TCP/IP by tehshen · · Score: 5, Funny

      If they implement the full protocols, everyone could have your TCP/IP folder :)

      --
      Guy asked me for a quarter for a cup of coffee. So I bit him.
  13. Privileges anyone? by bigberk · · Score: 4, Insightful

    I can't believe this issue of Windows security is so difficult to understand. You read all these articles about viruses and trojans but people keep failing to mention the obvious - you must never casually run Windows with Administrator privileges.

    It's because so many people are used to doing this by default, and so many third party apps demand Admin privileges, that Windows security is a nightmare.

    There's more to the Windows security picture of course (insecure services as well) but you can prevent so many problems just by avoiding that Admin account. It's quite normal to have raw sockets via root/Administrator privileges. The problem is that all windows users (and any software they download) are Admins.

    1. Re:Privileges anyone? by yagu · · Score: 2, Insightful

      ..., you must never casually run Windows with Administrator privileges.

      It's because so many people are used to doing this by default, and so many third party apps demand Admin privileges, that Windows security is a nightmare. ...,

      I find the problem to be the insidious architecture of XP specifically the lack of clear demarcation between a privileged user and an admin. I consult in both unix and Windows worlds for a living, so I'm on a Windows box a lot! (way more than I like) And I pretty much always have myself configured as an admin type user... not because I have to all the time (I do lots of work not needing that level of access) but more because of the unpredictability of what isn't going to work in some strange way when I'm using XP as an un-privileged user. It sucks, but I've found it to be the most expedient way, and I'm always nervous about it. I DO configure others as non-privileged, but it's amazing how often I get called to help with some problem caused by their lack of access (even though the problem SHOULDN'T exist).

      On the other hand, I NEVER (as in don't remember the last time I logged in as) log in as root on unix machines, and don't even put myself in a root or bin group. I do use sudo when I need it both for the protection of not inadvertently mucking something up and for the nice logging artifacts (makes it easy to go back and find out where *I* mucked something up if *I* did). And, I don't give my users any exceptional access rights... AND, I (comparatively speaking) virtually never get support or help calls from those users. Everything pretty much works the way it's supposed to in a unix world -- the unix community is pretty savvy about what the various directory structures are for, what levels of access they provide, and how to work within that paradigm.

      My experience leads me to conclude MS is a long way from really solving the admin/general user problems -- it's SO entrenched in their philosophy (remember, Windows really started out and was developed for PC's -- remember what the "P" stands for? -- it should be no surprise there aren't any bright lines drawn between super and regular users.)

    2. Re:Privileges anyone? by gaspyy · · Score: 4, Insightful

      The default users get Administrator privileges because many popular programs simply refuse to work correctly with limited rights. Off the top of my head, Winamp 5 and Trillian 3.1 are guilty of this. Sure, you can work around it by giving write access to everyone for those folders, but it's crazy.

    3. Re:Privileges anyone? by Foolhardy · · Score: 2, Informative
      I find the problem to be the insidious architecture of XP specifically the lack of clear demarcation between a privileged user and an admin.
      Power Users is kinda in the middle. I guess the idea is that you can assign permissions and privileges to users as needed.
      And I pretty much always have myself configured as an admin type user... not because I have to all the time (I do lots of work not needing that level of access) but more because of the unpredictability of what isn't going to work in some strange way when I'm using XP as an un-privileged user. It sucks, but I've found it to be the most expedient way, and I'm always nervous about it.
      Yeah, I usually end up doing the same thing too, for the same reasons. There are way too many apps that are somewhat broken, fail to start silently or otherwise balk at getting only reasonable access to the system. To mitigate this, I logon, run the shell and trusted apps as an admin, but start everything else with restricted tokens with the administrator's group SID and often the user identity SID deleted. Also, I usually make jobs for them which restrict USER handles and some reasonable memory and process quotas. These are really useful security features that have been available since Windows 2000, but as usual Microsoft provides no easy way to exploit them. I wrote a little command-line program that exposes most of the features of job objects and restricted tokens, jobprc.
      For example, I can run jobprc iexplore -dsid administrators -dprivmax -handles -prclimit 20 -jobmem 64000000 and be assured that a vuln in IE could damage my own profile or stuff that everyone has access to at most (since it still has my user SID enabled). Denying access to my profile breaks tons of apps (they get read-only access to the default user profile instead). Restricting SIDs are very powerful, (closer to a capabilities style system) but tend to break things in all kinds of weird ways.
      Anyways, the underlying system is there, but 1. it's hard to get to and use and 2. it's popular to ignore.
      Everything pretty much works the way it's supposed to in a unix world -- the unix community is pretty savvy about what the various directory structures are for, what levels of access they provide, and how to work within that paradigm.
      Yeah, especially UNIX developers vs Windows developers. I find that cross platform or UNIX software ported to Windows is the best behaved.
      Plus, the biggest problem with the NT security model is that it's too complicated for most developers (let alone most users) to bother with. Good old rwx permissions on files are very simple by comparison. An operating system for The People should use something at least as simple.
  14. FMEA by millahtime · · Score: 5, Interesting

    Failure Modes and Effects Analysis... I would love to see that done on windows. Maybe find the problem itself rather than work around it and leave the failures in there. Bad by design.

  15. Not disabled in Windows Server by figleaf · · Score: 2, Interesting

    Raw Sockets are not disabled at the server versions.
    Under Windows 2003, programs with admin privileges can use Raw sockets.

  16. Another note from Bill Gates by PenguinBoyDave · · Score: 4, Funny

    Dear MS Employees, We have started the FUD about TCP/IP. Now press forward with MS/IP. Once we release it we'll charge everyone a fee to use it because we know it will be more secure than TCP/IP. After all, it comes from Microsoft. With Love, Bill

    --
    I'm not a troll, but I play one on Slashdot.
  17. So when... by RailGunner · · Score: 4, Interesting
    So, they're going to re-disable raw sockets? I'd suggest that the IP implementation on SP2 is broken already. For example - when will you be able to send more than 8K in a single packet using a Java Socket on Windows XP Service Pack 2?
    import java.io.EOFException;
    import java.io.IOException;
    import java.io.PrintWriter;
    import java.net.InetAddress;
    import java.net.Socket;

    // Class name and main() added so the posted snippet compiles as-is.
    public class BigSend
    {
        public static void main(String[] args)
        {
            String sString = "Some string more than 8K";
            Socket client;
            PrintWriter sock_out;
            try
            {
                // Connect to a listener on the loopback address, port 5678.
                client = new Socket(InetAddress.getByName("127.0.0.1"), 5678);
                // Auto-flushing writer over the socket's output stream.
                sock_out = new PrintWriter(client.getOutputStream(), true);
                sock_out.flush();
                sock_out.println(sString);
                sock_out.close();
                client.close();
            }
            catch (EOFException eof)
            {
                // swallowed in the original post
            }
            catch (IOException e)
            {
                // swallowed in the original post
            }
        }
    }

    Try it yourself - see if you can receive more than 8K in a recv() call in Windows XP SP2. You can't.
    If you do the same on Linux or OS X, you can. On Windows XP SP1, you can.

    Thanks, Microsoft.

    1. Re:So when... by RailGunner · · Score: 2, Insightful
      I don't think the TCP window size has anything to do with the size of packets that can be sent and received. It just determines when the packets are broken up for transmission... right?

      You are correct. The default window size, btw, is 32K, if memory serves me correctly. Grandparent is a troll.

    2. Re:So when... by Temporal · · Score: 5, Insightful

      Why are you relying on such things? A TCP connection is a continuous stream of bytes, not a bunch of separate packets. There has never been any guarantee that send()s and recv()s would match up 1:1, even if they are less than 8k. If you are relying on this behavior, you need to fix your design.

    3. Re:So when... by Lunix+Torvalds · · Score: 3, Informative

      Hi,

      With Windows sockets, it is imperative to look at the error returned by send() if it fails. If the error is WSAENOBUFS, then it means that the packet you are trying to send is too large and must therefore be reduced. It is possible that the Java implementation doesn't do this.

      Here is a snippet of code that is NECESSARY to be able to transfer data reliably on Windows. Please note that while just a single send() will work most of the time, there is no guarantee that it will. Try, for example, sending chunks of 1MB, 8MB, 64MB, 128MB and 256MB and see at what point you get WSAENOBUFS. You may be surprised.

      #include <winsock2.h>

      // Send the whole buffer, halving the chunk size whenever the stack
      // reports WSAENOBUFS. Returns TRUE when all cbBuffer bytes went out.
      BOOL SendAll(SOCKET Socket, const char *Buffer, int cbBuffer)
      {
          int cbToSend, cbSent;
          while (cbBuffer > 0)
          {
              for (cbToSend = cbBuffer;;)
              {
                  cbSent = send(Socket, Buffer, cbToSend, 0);
                  if (cbSent >= 0)
                  {
                      Buffer += cbSent;        // advance past what was accepted
                      cbBuffer -= cbSent;
                      break;
                  }
                  // Any error other than WSAENOBUFS is fatal; on WSAENOBUFS
                  // retry with half the chunk until it fits or reaches zero.
                  else if ((WSAGetLastError() != WSAENOBUFS) || ((cbToSend >>= 1) == 0))
                      return FALSE;
              }
          }
          return TRUE;
      }

      Note that on UNIX you should check errno for ENOBUFS as well, just in case.

      --
      Farmix
    4. Re:So when... by PurpleXanathar · · Score: 5, Informative

      Because XPSP2 recv Buffers are limited to 8KB.
      Every OS has a size for those buffers, you have just discovered the XPSP2 size, congratulations.

      Every other OS has a limit on that buffer, and I guess for every OS it is configurable in some way (in Windows there is some remote key in the registry).
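
      Temporal's point above (send() and recv() never pair 1:1 on a TCP stream) and PurpleXanathar's (the receive buffer size is just an OS tunable), as one added worked example that is not from either post: a loopback transfer in Python where the receiver reads with a deliberately small buffer and reassembles the message from a 4-byte length prefix, counting how many recv() calls it actually took. The 4096-byte receive size, the length-prefix framing and the 25,600-byte payload are constructed for the demo; the listener port is whatever the OS hands out.

```python
import socket
import struct
import threading

HEADER = struct.Struct("!I")   # 4-byte big-endian length prefix (constructed framing)


def recv_exact(sock, n, recv_size=4096):
    """Read exactly n bytes; return (data, number_of_recv_calls).

    TCP hands back whatever has arrived so far, so a single recv() may return
    anything from 1 byte up to recv_size; loop until n bytes are in hand.
    """
    chunks, got, calls = [], 0, 0
    while got < n:
        chunk = sock.recv(min(n - got, recv_size))
        calls += 1
        if not chunk:
            raise ConnectionError("peer closed before %d bytes arrived" % n)
        chunks.append(chunk)
        got += len(chunk)
    return b"".join(chunks), calls


def send_message(sock, payload):
    """Length-prefix the payload so the receiver knows where the message ends;
    sendall() loops internally until every byte has been accepted by the stack."""
    sock.sendall(HEADER.pack(len(payload)) + payload)


def recv_message(sock, recv_size=4096):
    """Read one framed message; return (payload, total_recv_calls)."""
    header, calls = recv_exact(sock, HEADER.size, recv_size)
    (length,) = HEADER.unpack(header)
    body, body_calls = recv_exact(sock, length, recv_size)
    return body, calls + body_calls


def roundtrip(payload, recv_size=4096):
    """Send payload over loopback and return (received_bytes, recv_calls)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: the OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}

    def server():
        conn, _ = listener.accept()
        with conn:
            result["msg"], result["calls"] = recv_message(conn, recv_size)

    t = threading.Thread(target=server)
    t.start()
    with socket.create_connection(("127.0.0.1", port)) as client:
        send_message(client, payload)
    t.join()
    listener.close()
    return result["msg"], result["calls"]


if __name__ == "__main__":
    data = bytes(range(256)) * 100           # 25,600 bytes, constructed, well over 8K
    msg, calls = roundtrip(data)
    print("reassembled %d bytes in %d recv() calls" % (len(msg), calls))
```

      Whatever buffer size the stack or the registry imposes, the code above is unaffected: the framing, not the transport, decides where a message ends, which is the design fix Temporal is asking for.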

  18. this won't make a bit of difference... by quetzalc0atl · · Score: 2, Interesting

    ...since the admin can always write packets (in frames) directly to the layer 2 driver. all they are doing is breaking the BSD sockets API - security through obscurity? right....

  19. I agree... by ebrandsberg · · Score: 2, Insightful

    If you can't have a secure OS, the OS should be less vulnerable to being abused. So in effect, use Linux or other OS's if you need to use raw sockets.

  20. Re:Ha! by Pakaran2 · · Score: 5, Insightful

    It isn't "almost crippled."

    Ordinary users on Unix are subject to even worse limitations (which is, in fact, why ping among other utilities runs setuid root).

    Has anyone found that this makes Unix unusable for them? For that matter, outside of DDoS, connection hijacking, and abusing smtp servers to cover your tracks when spamming, is there ever any need for an application programmer to falsify a source address? Doing so means you won't get a reply from whatever you're trying to do.

    All that said, I imagine if MS actually put some effort into fixing the security issues with their flagship product in the first place, so it didn't get hacked (hint: disable activex by default, along with integrated vb scripting in outlook), then there'd be no hacked machines to be used in attacks.

  21. Replacement by Mr_Silver · · Score: 5, Interesting
    As soon as I saw this, it made me remember this article by Cringely (written in August 2001) which discusses the "problem" of raw sockets.

    From it:

    According to these programmers, Microsoft wants to replace TCP/IP with a proprietary protocol -- a protocol owned by Microsoft -- that it will tout as being more secure. Actually, the new protocol would likely be TCP/IP with some of the reserved fields used as pointers to proprietary extensions, quite similar to Vines IP, if you remember that product from Banyan Systems. I'll call it TCP/MS.

    How do you push for the acceptance of a new protocol? First, make the old one unworkable by placing millions of exploitable TCP/IP stacks out on the Net, ready-to-use by any teenage sociopath. When the Net slows or crashes, the blame would not be assigned to Microsoft. Then ship the new protocol with every new copy of Windows, and install it with every Windows Update over the Internet. Zero to 100 million copies could happen in less than a year, and that year could be prior to the new protocol even being announced. It could be shipping right now.

    Food for thought.
    --
    Avantslash - View Slashdot cleanly on your mobile phone.
  22. I Can't Believe It... by cyngus · · Score: 5, Funny

    I am actually going to side with Microsoft on this one. It is not as if they removed raw sockets, but rather restricted access to them. Let's consider who needs raw sockets, mostly advanced users. Advanced users are going to have an Administrator or root account on the Windows machine and therefore should have access to raw sockets, no? There is almost no reason for the average user to have raw sockets. They do create a real risk of bad network behavior and I imagine if someone were to create TCP/IP today instead of 30 years ago when the Internet was a much smaller, nicer place, raw sockets would not be part of the spec.

    As an aside, I think I'm going to take the rest of the day off, agreeing with Microsoft is mentally jarring. It has to make you question existence just a little and also make you a touch ill.

  23. Microsoft's Real Plans by PipianJ · · Score: 3, Funny

    Why embrace and extend? All they really need to do is support the evil bit.

    But of course, being Microsoft, you're probably right. They'll make their own implementation of the evil bit, patent it, and charge royalties to others who want to support their new "EDDP" protocol (Evil Data Detection Protocol).

    Not to mention that IIS, Exchange, IE, and Outlook will grow to require use of EDDP during transfers of data, locking Mozilla, Apple, Linux, and others from accessing much of the internet.

    Finally, John C. Dvorak will boldly claim that EDDP is the wave of the future, and Apple, Linux, and Mozilla are clearly inferior for not supporting what is clearly a web standard, because if Microsoft says it is, it MUST be.

  24. Easy to see why by Anonymous Coward · · Score: 2, Insightful

    Thousands of people gripe about Windows having this "awful security hole" thanks to misinformation on GRC, and are generally so uptight about information they find on there that they'll cripple their internet connections, wreck the data on their harddrives, and so on...all in the name of being secure! (his entry on http://attrition.org/errata/charlatan.html links to http://www.grcsucks.com/ which describes some of the mania people will go through at Gibson's prompting)

    So what happens if MS doesn't pander to them? They constantly get bad press from people who constantly spout off about "security" that they gleaned from the Gibber's site. What happens if MS does pander to them? A few people are upset, but most of the bad press on this issue goes away.

    So what should they have done? Wait it out, and take the high road? They've tried that. Educate the users? We've tried that. What else?

  25. batton-down the... industry standard protocols? by dionysian.mind · · Score: 2, Insightful
    But why properly implement anything when you can just cripple it instead?

    Seriously, this is the all-too-common fatal flaw that I have seen in *almost* every tech organization I have ever worked for, or with. It is always easier to throw crap together with no regard for how it actually works. If it limps along, that is enough for some people (maybe because they were all raised on Windows?).

    At this point, if M$ had any respect for itself or the tech industry they would liquidate their company and give all their capital to a more helpful and pertinent organization... dare I say, the OSDL?

    ... but then again, where would be the mafia-capitalism joy that can only come from making a 4th rate product and then strong-arming tech markets into using it...

  26. Hammer, meet nail. by lheal · · Score: 4, Funny
    This is because XP is not designed right, not because the TCP/IP protocol is wrong. (just to be clear)

    You nailed it.

    Microsoft is clearly trying to shift the blame from their dain-bramaged design to TCP/IP. How many other operating systems are there that do (more or less) fully implement TCP/IP, including raw sockets? It's almost universal.

    Oh well. I guess Microsoft knows the neighborhood is safer with a crippled lunatic than healthy one.

    --
    Raise your children as if you were teaching them to raise your grandchildren, because you are.
    1. Re:Hammer, meet nail. by cirisme · · Score: 5, Interesting

      The brain damaged part has nothing to do with TCP/IP, because their implementation has nothing to do with security.

      Seriously? You really think it's their brain damaged TCP/IP implementation that's at fault? Think again. It may be bad, but giving every program access to raw sockets is a bit silly considering how easy it is to get programs into Windows. But this is a good move, a better one would to have been to make it so it's not as simple to get untrusted programs running in Windows but I digress.

    2. Re:Hammer, meet nail. by RealProgrammer · · Score: 3, Interesting

      I think you misunderstood the GP post. It's XP in general that's brain-damaged, not the XP TCP/IP stack.

      Microsoft is trying to blame the design of TCP/IP instead of the design of Windows. Everybody else makes it work; why can't they?

      --
      sigs, as if you care.
  27. Erm, cough, cough, excuse me... by pandrijeczko · · Score: 5, Insightful
    I run Linux and UNIX with my "insecure" full TCP/IP stack. My UNIX-y machines have an IP address, subnet mask, gateway, etc. etc. These machines do not get worms or viruses.

    I run Windows 2000 with my "secure" limited TCP/IP stack. My Windows machine has an IP address, subnet mask, gateway, etc. etc. This machine would get virii if I didn't run a virus checker, firewall, etc.

    There is one difference between the two scenarios above - the operating system!

    Yes, my UNIX-y boxes are subject to attacks from the Internet but not random attacks like viri and worms.

    An attack on my UNIX-y boxes comes from a single person or script trying to get into my box and trying to (probably) buffer overflow a specific application daemon like FTP, Telnet, etc (not that I run either of these on the Internet anyway!)

    So let's not blame it on the "TCP/IP" stack because all attacks are as a result of attacking applications that use the stack, not the stack itself.

    We'll also remind ourselves here that UNIX was built around TCP/IP 25 years ago whereas MS refused to believe TCP/IP existed until 15 years ago after Windows 3.11 came out and they had to write a limited stack to install into Windows.

    --
    Gentoo Linux - another day, another USE flag.
    1. Re:Erm, cough, cough, excuse me... by dills · · Score: 2, Insightful

      Thus proving that running a Unix operating system doesn't indicate level of clue.

      Wow.

      You do realize that raw sockets have nothing to do with "worms of viruses" as you put it, right? It has to do with mitigating the effects of what can be done to a compromised windows box.

      Raw sockets don't decrease security; they increase the amount of damage that can be done if somebody has taken control of your computer.

      I don't run a virus scanner on any of my windows boxes, never have, and I've never gotten a virus. So, your assertion that you would get a virus if you didn't have a firewall makes me realize you have absolutely no idea what you're talking about.

      Yes, Unix is more secure. But for the most part, that's because idiot users don't use it.

    2. Re:Erm, cough, cough, excuse me... by pandrijeczko · · Score: 4, Insightful
      You seem to have an inability to read my posting correctly so I'll simplify it for you.

      Putting DDoS-type attacks aside, compromising a system, whether UNIX, Windows, whatever, involves attacking an application, not the stack. Therefore, whether you have a full or limited IP stack makes no difference to security - it's about what applications you're running.

      If you honestly believe security is about accepting you'll be broken into but just mitigating the results of it, then it's you without the clue, my friend.

      You don't run a virus scanner and never got a virus? Fine, I can believe that but then tell the whole story - you probably don't run Outlook for your email or, if you do, you're really careful about who you open emails from; you probably don't use IE and you've probably got your head screwed on properly when it comes to not downloading stuff from certain places on the Internet.

      However, when most Windows users are "without-clue" Joe Sixpacks, raw-sockets and mitigation mean nothing, it's the vulnerabilities of the apps they run that are the problem.

      How about you and I take a Joe Sixpack user each, put one in front of your fully secured Windows boxes and I put one in front of a fully secured Linux box? You set him up IE and Outlook, I'll give him Firefox and Thunderbird and we leave them both to it. Tell me, who's going to be rife with spyware and one or two viruses after a week or two?

      Like I said, it's the applications and nothing to do with lame excuses about stacks.

      --
      Gentoo Linux - another day, another USE flag.
  28. Re:So now by JPrice · · Score: 3, Insightful

    Umm, while I'm not siding with Microsoft on the issue, I also think that yours is a ridiculous statement.

    Microsoft is not deciding what you can do on your computer. They are deciding what you can do with a product they sell. It's a free market - if their product doesn't do what you want, buy (or download for free in many cases) a product that does.

  29. Translation by nuintari · · Score: 2, Funny

    Translation: Our OS is a dog and we need to neuter it to keep it under control.

    Not that this will solve anything, no raw sockets? I don't need no raw sockets, I have 48 billion bogus dns lookups!

    --

    --Nuintari

    slashdot : where an opinion can be wrong.

  30. Consider the Source by k96822 · · Score: 3, Insightful

    Okay, the company with a baffling amount of security holes is giving advice on computer security. That is about as absurd as, say, the company with the worst software quality giving us advice on how to develop quality software.

    To quote Ted Kennedy, "Hello? Hello?!!"
    Some days, life is just a little too weird to take.

  31. MS Windows Server 2003 also has buggy TCP/IP by spadadot · · Score: 5, Interesting

    I wrote an article about a very serious problem related to Windows Server 2003 TCP/IP.

    Here's a quote: "Trying to set up a Windows Media streaming server to stream high-quality videos, I came across what I can now call a TCP/IP bug in Windows Server 2003 (Standard Edition). In some (not unusual) situations, the server simply cannot use all available bandwidth between itself and the client.
    [...]
    Eventually, I came to accept the idea that Windows Server 2003, an OS designed for server tasks, is not able to fill a 2Mbit/s ADSL connection. Yes I know it sounds incredible but I've been looking without success for another conclusion for the past 3 months."

    Read the full technical explanation and see what Microsoft has to say about it: Microsoft Windows Server 2003 Buggy TCP/IP ?

  32. Steve "Ahab" Gibson by Anonymous Coward · · Score: 3, Informative

    Since you link to Steve Gibson Research, I'll have to link to grcsucks. His (Steve's) views were wrong then, and they're still wrong today. The "raw socket == ddos" argument was thoroughly discredited:

    Dissecting Steve Gibson GRC DoS Page
    Raw Sockets are not a Security Risk

    Bloody, I know about too many old flamewars.

    1. Re:Steve "Ahab" Gibson by TripMaster+Monkey · · Score: 3, Insightful

      Funny...if Steve's views were so discredited, why does M$ agree with him now?

      --
      ____

      ~ |rip/\/\aster /\/\onkey

    2. Re:Steve "Ahab" Gibson by nsayer · · Score: 2, Funny

      "Steve's views were so discredited" = chicken
      "M$ agree[s] with him now" = egg

    3. Re:Steve "Ahab" Gibson by Anonymous Coward · · Score: 4, Interesting

      Microsoft agrees with him because this is an easier excuse than trying to fix Windows so not every website's ActiveX control has admin privileges.

      The real solution to the problem isn't breaking networking functionality depending on if you bought the cheap or expensive version of the OS.

      The real solution would be to restrict raw sockets to require Administrator/root privileges, and make it harder for the average Outlook attachment to get root privileges.

      Microsoft, on the other hand, sees this as an excuse to not fix Outlook and Internet Explorer, and instead sell more of the expensive version.

  33. The Metro of networking protocols by SuperKendall · · Score: 5, Interesting

    Yes, the path becomes clear...

    Abandon the industry standard for VMs (Java) and roll your own (.Net).

    Abandon the industry standard for portable documents (PDF) and roll your own (Metro).

    Abandon the industry standard for networking (TCP/IP) and roll your own (???).

    Each sounds more improbable than the last. Yet the first one has happened, the second is going to happen, and thus the third seems much less improbable than it would have otherwise.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  34. Bad Logic by Master+of+Transhuman · · Score: 2, Interesting

    People who are saying the "average" user doesn't "need" raw sockets while saying that the hacker who does will use another OS ANYWAY are obviously missing the point.

    Why bother disabling something that's part of a standard when it will have no effect on either the average user or the hacker?

    MS is saying here that if the "average" user had raw sockets, they could program DoS code? I don't think that's gonna happen.

    All disabling sockets has done is inconvenience nmap users - who just happen to be sys admins running security scans on their networks from their workstations.

    Maybe MS doesn't want them to be able to run nmap? Like maybe they might find out how insecure their systems are?

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  35. Something is wrong, alright by ajs318 · · Score: 5, Interesting

    The various BSD flavours support raw sockets. So does Solaris, and even Linux for that matter.

    The difference with the Unix-like systems is that ordinary users don't get to poke about with dangerous stuff.

    The real point is that Windows software has for too long depended on the assumption that the user has full unfettered access to every resource on the computer -- an assumption which had to cease to be true when Windows became network-aware, because in a networked environment some things are properly restricted. Yet for the best part of ten years, Windows continued to run without privilege separation; and application programmers took advantage of that, creating code which turned out to be fundamentally broken.

    Face it, the bathwater is minging and the baby is dead -- there is nothing worth saving in the whole sorry mess. Whether bad water killed the baby, the dead baby made the water worse, or the two are unconnected, isn't really important right now. What is important is to get rid of them both, scrub out the bathtub and start again.

    Of course, if you're going to switch to a new version of Windows -- which would have to be totally incompatible with all that sloppily-written software needing root access for no good reason -- then that would be about as big a change as switching to some other operating system. That must worry Microsoft .....

    --
    Je fume. Tu fumes. Nous fûmes!
    1. Re:Something is wrong, alright by Master+of+Transhuman · · Score: 2, Funny

      Windows was never a bathtub - it was a sewer.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  36. Security is an Illusion (and a bolt-on hack) by Proudrooster · · Score: 2, Interesting

    What's the fuss? So RAW sockets aren't available in user mode. That will keep infected PCs from DDoS'ing the universe (temporarily), until the virus/spyware writers exploit holes in the O/S to escalate their privileges.

    MS is just temporarily making exploiting a machine harder, but it will ultimately be futile and lead to even more nefarious and hostile virus/worm/spyware applications. This is a bandaid at best.

    Windows is architected so poorly from a security standpoint, that it's probably time to just start over. Security in Windows has always been a "bolt-on" hack. And just remember, no matter what you do, Security is an Illusion.

    Is it time for developers at SlashDot to provide an interface similar to GMAIL so that I don't have to put HTML tags in my comments?

  37. Oh my god, this has been debated since 2000 by presroi · · Score: 4, Informative

    I remember "Steve Gibson" was bashed and debunked for talking about raw sockets in 2000 or 2001.

    There is a short audio file from Rob Rosenberg where he repeatedly laughs at his claims.

    By the way, wasn't Gibson's site defaced today by Fluffy Bunny?

    http://www.farook.org/arc20010701.htm

    http://www.vmyths.com/rant.cfm?id=335&page=4

    http://www.theregister.co.uk/2001/06/12/security_geek_developing_winxp_raw/

    and so on. Is there anything new that has happened in the last 4 years?

  38. Correct URL by SSpade · · Score: 3, Insightful

    For the truth about Mr Gibson, look here

  39. Re:MS innovates counter arguments shock!! by sqlrob · · Score: 2, Informative

    As long as the account has "Load Driver" privilege, you don't need to reboot to install kernel level code. Unloading it takes a reboot though...

    It's also not "vastly more complicated", it's a different interface and *gasp* requires correct code to not blue screen.

  40. Re:Ha! by CreatureComfort · · Score: 2, Insightful

    Recap, almost all Win users run as Admin. Mostly because that is the default, everything they use works, and some things that shouldn't require admin privileges do.

    Microsoft's solution then is to cripple Admin so that "bad things" can't be done in that mode.

    This will inevitably lead to Admin on Win being reduced to an equivalent of user mode in *nix. Eventually we will see a new Super Admin that can be entered to do the things that MS takes away from Admin. As long as we can keep developers from writing programs requiring super admin privileges, Win might actually eventually get to where it should have started out at.

    --
    "Unheard of means only it's undreamed of yet,
    Impossible means not yet done." ~~ Julia Ecklar
  41. The problem lies somewhere else by MemoryDragon · · Score: 3, Interesting

    In a system which grants admin privileges to every user, of course raw sockets can be dangerous. But the problem is less raw sockets; the problem is more the system itself which uses it.

  42. Re:For a bunch of you who dismiss MS as crap by Lukey+Boy · · Score: 2, Insightful

    You asked: If MS sucks and you don't use 'em for anything, why do so many of us invest so much time following them, complaining about them, and posting stories about them?

    Microsoft has a monopoly in a lot of different areas, so regardless of whether or not a Slashdot reader personally uses their software it still permeates everyday computer life - like it or not. If someone does have strong feelings against the software giant then they would be guilty of complacency for not following its actions.

    I don't care particularly about the guy complaining about his ex-girlfriend, but when companies such as Best Buy screw consumers I'd rather hear about it than not.

  43. Pushing more people towards Linux by Anonymous Coward · · Score: 5, Interesting

    I work for a company that sells a high-end network security scanning product. We have been dealing with this XP issue now for almost 2 years, and we are not the only ones who have complained to Microsoft. We have pushed our complaints as far through the channels as we can. Microsoft isn't listening.

    Their response is: buy Windows Server 2003 if you want raw sockets. We asked them if there was any guarantee that they would not break the raw sockets feature in 2003, and they would not give us that guarantee. Besides, Windows Server 2003 ships with a lot of stuff we would have to disable to make the box even remotely secure.

    Our CEO even registered a complaint with Microsoft, saying "We pay to use your software and you are hurting our business and hurting our customers and costing us money with this change. And you have heard our complaints and you are ignoring them." Microsoft responded that they would pass our criticism up the chain, and that's the last we heard.

    That's why it irritates me to read in the article that Microsoft has had "little negative feedback" on this issue. I'm sure we're not the only paying customer of Microsoft that has been affected. And they are not telling the truth when they say that "the only thing affected by this change is fingerprinting software": port scanning is affected too.

    So we have started recommending that our customers use the Linux version of our product. Now Microsoft is losing hundreds of thousands of dollars of revenue per quarter just from our company.

  44. If the virus gets into the kernel... by argent · · Score: 2, Funny

    It also pointed out that "writing and installing kernel-mode code is vastly more complicated" than using an existing raw socket feature,

    Yeh, that's why the majority of people doing this use a widely available rootkit or equivalent to do it for them.

    and that if malware did make it into the kernel of a Windows machine, the user would have more serious concerns than just SYN attacks launched from their machines.

    "If malware can execute code on a Windows machine, the user has more serious concerns than just SYN attacks launched from their machines. That's why Windows doesn't bother trying to close local exploits."

    1. Re:If the virus gets into the kernel... by quantum+bit · · Score: 2, Insightful

      It also pointed out that "writing and installing kernel-mode code is vastly more complicated" than using an existing raw socket feature,

      Yeh, that's why the majority of people doing this use a widely available rootkit or equivalent to do it for them.

      Exactly. All it takes is one person to do it. Once the cat is out of the bag, malware authors can just all copy that one.

      It might not even be a black hat that does it. It wouldn't surprise me if the open source pcap driver for windows could be used to send arbitrary packets.

  45. Windows is much more secure by Perl-Pusher · · Score: 2, Funny

    With any TCP/IP, I've found that by just unplugging the ethernet cable, a windows desktop can be just as secure as an OpenBSD Server.

  46. Lack of negative feedback != no problems by MilenCent · · Score: 4, Insightful

    the company claimed it had received little negative feedback on the issue.

    In other news, a noted chemical manufacturer was found to have been dumping toxic waste products into a nearby water supply for years. In their defense, company spokesmen claim they had received little negative feedback on the issue.

    Local police have been caught on camera beating up suspected felons. When cornered on the issue, they responded by saying that there had been little negative feedback on the issue -- at least, from anyone who mattered.

    In a press conference today, Bush defended his administration's handling of the war on terrorism by saying that they had little negative feedback on the issue. (Possibly because they had suppressed their own report on the issue; outside sources indicate that terrorist activity around the world is four times worse than in the previous year.)

    There, three possible responses to the negative feedback defense. Pick your favorite, I need a drink after this.

  47. responding to an A.C... by bmajik · · Score: 2, Interesting

    Raw sockets have a use when you want to implement your own IGMP/ICMP packet.

    Sure. Average home users do nothing but write their own protocols using raw sockets.

    If I suggested or said that nobody has a use for raw sockets, I misspoke or you misunderstood. The _average_ user only suffers from raw socket support, because it makes their machine a more desirable target for 0wnage.

    For the people that legitimately need raw sockets, they're smart enough to figure out how to get them.

    "we don't want to admit we were wrong because then those 200 million people would know what really crappy software we sell". If Microsoft made a mistake then fix it.

    Well, pick your argument. Should raw sockets be in or out? Was it a mistake to ship it with them in or not?

    Our "mistake" was shipping an operating system that suffered from remote root exploits. This mistake, compounded with the need to keep home users running as admin, and also with us shipping a fully functional TCP/IP stack, allows for an unpatched xp machine to easily be turned into a botnet member. That was a big problem for us, our customers, and the internet at large. We can't ship an operating system that does what it needs to do yet has _zero_ security bugs ever discovered over its lifecycle. We don't know how. If you do, or you know somebody that does, we'll hire them. For whatever money they want.

    One of the core tenets of security is defense in depth. We know that eventually someone will break into a windows machine. When they get there, we want it to be harder for them to turn it into a botnet drone/zombie. In the future we'll hopefully get away from running-as-admin which will further raise the bar.

    Put some of that ill gotten gain to use and fix the problem the "Right Way"

    I said we were working on doing just that, and that running as non-admin almost made it into WinXP. Unfortunately, all those people out there with badly written software (some of it by us, probably) running on Windows expect it to still work. We couldn't get everything sorted out in the Windows XP time frame. It's been a source of non-stop work and the story for Longhorn will be better but I don't know to what degree (i.e. it may not be all the way fixed).

    A kernel that can be patched and have its own hooks intercepted by malicious software is the problem.

    Show me a kernel in use on home computers that doesn't suffer from this.

    Which department are you in, Public Relations or Marketing?

    Testing, actually :) As many defects as you find in MS software, believe me, there are plenty that never make it to you.

    --
    My opinions are my own, and do not necessarily represent those of my employer.
  48. so, put an ACL on it? by multi+io · · Score: 2, Funny

    ...and disable the feature by default for all accounts, including admin.

    I mean, on other occasions you hear them blather about Windows' totally stellar, fine-grained security architecture, and now they want to prevent Joe Average user from accidentally using raw sockets by, uh, removing the feature altogether?

  49. Re:Baby, meet bathwater. tsarkon reports by dougmc · · Score: 2, Interesting

    I have no idea why ISPs don't do this

    Because it doesn't really help them except for helping them be a good Internet member.

    When you set up proper egress filtering on your network, you make it harder for your network to be used to attack other networks -- at the very least, they can't forge their addresses to appear to come from other ISPs anymore. But it doesn't make your network any less vulnerable to attacks.

    Yes, everybody should do it. But since there's no real benefit to doing it beyond knowing that you're doing `the right thing', many ISPs don't do it. Also, doing egress filtering can break a few legitimate applications such as dual homing, requiring some further configuration.

    I'm not saying this is right or wrong -- just saying why everybody doesn't do it.
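    The egress filter this comment describes, as an added example that is not from the original post: a Python model of the source-address check a border router applies (the BCP 38 rule), including the dual-homing exception the comment mentions and a fail-closed case for records that do not parse. The ISP prefixes and the flow records are constructed for the example.

```python
import ipaddress

# Hypothetical ISP address space (constructed for this example; TEST-NET ranges).
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Explicit exceptions for dual-homed customers who legitimately source packets
# from another provider's space: the "further configuration" the post mentions.
DUAL_HOMED_EXCEPTIONS = [ipaddress.ip_network("192.0.2.64/26")]


def egress_permits(src_ip, own_prefixes=OWN_PREFIXES, exceptions=DUAL_HOMED_EXCEPTIONS):
    """Return True if a packet with this source address may leave the network.

    The rule is the BCP 38 one: an outbound packet is forwarded only when its
    source address lies inside a prefix this network is allowed to originate.
    Anything else is a spoofed (or misconfigured) source and is dropped.
    """
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in own_prefixes + exceptions)


def filter_flows(flow_lines):
    """Classify constructed 'src dst proto' flow records at the border router.

    Returns (forwarded, dropped) lists of the original lines. Records that do
    not parse as an address are dropped too: a filter must fail closed.
    """
    forwarded, dropped = [], []
    for line in flow_lines:
        fields = line.split()
        try:
            ok = len(fields) >= 2 and egress_permits(fields[0])
        except ValueError:  # source field is not an IP address at all
            ok = False
        (forwarded if ok else dropped).append(line)
    return forwarded, dropped


# Constructed sample of outbound flows seen at the ISP border.
SAMPLE_FLOWS = [
    "203.0.113.7 93.184.216.34 tcp",     # customer, genuine source
    "198.51.100.200 93.184.216.34 udp",  # customer, genuine source
    "10.4.4.4 93.184.216.34 tcp",        # RFC 1918 source: never valid on the Internet
    "192.0.2.100 93.184.216.34 tcp",     # dual-homed customer, permitted by exception
    "192.0.2.9 93.184.216.34 tcp",       # same /24 but outside the exception /26: spoofed
    "172.16.0.1 93.184.216.34 icmp",     # spoofed
    "garbage 93.184.216.34 tcp",         # unparsable: fail closed
]

if __name__ == "__main__":
    fwd, drop = filter_flows(SAMPLE_FLOWS)
    print(f"forwarded {len(fwd)}, dropped {len(drop)}")
    for line in drop:
        print("DROP", line)
```

    Note what the comment says about the benefit: none of the dropped lines protects this ISP itself; the filter only stops its customers' spoofed packets from reaching someone else.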

  50. really? by bmajik · · Score: 2, Informative

    There's nothing to suggest that Linus et al would be able to improve the security of Windows while ensuring that it meets its requirements. Linus has enough problem with his own operating system (but can conveniently choose to say all of userland isn't his fault when that's where the vulns are).

    In any case, it's funny that you chose Linux - arguably the least secure of the modern Unixes. I'd have entertained a suggestion of Theo, but he'd fail because I'm sure his approach would be "the requirements don't matter, this is how I think it should be done", and then half of the crap customers expect would be broken.

    I'm not sure how you read my statement about raw socket support being a bad thing for home users, but the point I was making is that they're not using it, so it doesn't help them, and because of the other factors I outlined, it makes their machines more attractive and more potent for botnet membership.

    If it's not helping them, and it's a risk, then removing it is a good thing, right?

    I don't understand some of your accusations as "bullshit". Are you telling me I'm lying to you? Do you have information that I don't?

    I remember the announcement internally that XP Home would run with users = admin and being irate about it. Lots of us were hoping that we'd get it right for XP but the people upstairs couldn't stomach the amount of appcompat breakage it would cause. As it is the amount of custom code in the various versions of Windows for 3rd party app support is pretty outlandish. Read Raymond Chen's blog for a glimpse of what he was doing back in the Windows 95 days to help appcompat. Things like this matter when you have 1) an installed base 2) a bunch of 3rd parties making money off your platform 3) binary compat as a requirement. Note that Linux has none of these 3 aggravating factors to deal with. (not anywhere within an order of magnitude of where MS is, at least)

    For what it's worth, I agree that our testing, design, and management are all inadequate. We're just human. As an aside, we're hiring. Are you qualified to help, or just to bitch?

    --
    My opinions are my own, and do not necessarily represent those of my employer.
  51. Get Ready for... MS TCP/IP!! by skeptictank · · Score: 2, Informative

    We all knew it was coming, I am surprised it took them this long to get around to it.

    Linux is looking better and better everyday, even to our management.