Slashdot Mirror


Vista's TCP/IP Promises and Perils

boyko.at.netqos tips us to a new writeup on Vista's TCP/IP stack, which is called Compound TCP/IP (CTCP). From the article: "...security policy will come from a centralized source. When you get your DHCP lease, your computer will report to the stack what OS you're using, what version level, what patches, what anti-virus software that's active -- all that kind of stuff. It will have the ability to restrict your network access if you have a down-level machine... We could see a lot of our customers with much higher WAN network utilization because of this new TCP/IP stack... CTCP can be enabled/disabled from the command prompt but there has been no mention of tuning parameters, which leads us to ask the question: How are you supposed to configure this setting in Vista?... What worries us... is that Microsoft is basing this on packet round trip time. The round-trip time from the client side will have the server processing time in it; but the clients aren't likely going to be running CTCP at first. If you have a server-to-server backup running, for example, CTCP may think it's part of the round-trip time and it'll throw the delay window through the roof..."

19 of 183 comments

  1. Sure, ask the client by wertarbyte · · Score: 4, Insightful

    When you get your DHCP lease, your computer will report to the stack what OS you're using, what version level, what patches, what anti-virus software that's active -- all that kind of stuff. It will have the ability to restrict your network access if you have a down-level machine

    So my trojan will be reporting values honored by the DHCP servers. This system is still relying on the information sent by the (possibly infected) machine, so it is not secure in any way.

    --
    Life is just nature's way of keeping meat fresh.
    1. Re:Sure, ask the client by Karzz1 · · Score: 4, Insightful

      I think the idea here is to cut off net access for an unpatched machine so it doesn't get infected in the first place.

      So, assuming you are not a huge corporate customer, how exactly *do* you get updates at this point?

      --
      Beware of he who would deny you access to information, for in his heart he dreams himself your master.
  2. the whole point... by advocate_one · · Score: 2, Insightful

    apart from providing some "security" measures, is to lock Linux out of the corporate network. As soon as a Longhorn server goes into a network, then Linux boxes will have all sorts of problems. And there won't be any way to legally get around it as Microsoft will have all the required patents to wave in the faces of anyone who attempts to do so.

    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
  3. client? by Gr8Apes · · Score: 2, Insightful

    How are you going to ask the client, when said DHCP client is one of those nifty routers we all own?

    I don't think anyone on /., or even most in the world, directly connect their machines to a network connection anymore. All the broadband connections all go through some sort of router these days, provided by the ISPs themselves.

    --
    The cesspool just got a check and balance.
  4. It will have the ability to restrict your network by mrjb · · Score: 4, Insightful

    "It will have the ability to restrict your network access if you have a down-level machine."

    Ehm... and who decides what is a down-level machine?

    --
    Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
  5. Key phrase: "restrict your network access" by BrakesForElves · · Score: 4, Insightful

    "It will have the ability to restrict your network access if you have a down-level machine..."

    Translation: "You WILL upgrade all of your machines to Vista, or Microsoft will artificially degrade their performance." It's called "market development."

    Those M$ asshats are actually going to try to sell this as a NAC feature, when it's nothing but another license fee grab. Piss on them: I'm still running several totally stable, bullet-proof web servers on NT4 with 128Mb (albeit behind a good firewall), and I have neither the need nor the intention to "upgrade" them anytime soon (or ever, for that matter).

    --
    About the word "if": If bullfrogs had wings, they wouldn't bounce around on their little green butts.
  6. I can see a niche for a benign rootkit here... by kahei · · Score: 3, Insightful

    Specifically, something to tell the CTCP stack that you're running the very latest version of everything, so that you don't get penalized by other nodes.

    Of course, that would be bad news for everyone else on the network, if in fact your old, unpatched OS (which you are reporting as new and patched to avoid having to upgrade to Vista 2.5.9.396) _is_ infected. But then, that's part of the problem with including features that work AGAINST the person buying/using them.

    To sum up: malicious/hijacked computers will report that everything's OK. Computers controlled by savvy users who don't want hassle will report that everything's OK. Computers that really have nothing interesting about them will report that everything's OK. There'll be a thin band of computers that really do have old OS versions but that nobody cares about enough to doctor -- these will report that everything's not OK, until they become an issue and are considered a painful extra cost of MS-based networks. The remaining 90% of all computers will have this feature disabled, thus saving all the bother at a very very low cost in security.

    It's not that this feature is evil, it just comes from the wrong mindset. I think MS's misconception that it's good to start from the question 'how can we restrict or coerce customers', rather than 'how can we empower and help customers', is likely to prove permanent.

    --
    Whence? Hence. Whither? Thither.
  7. Re:Why build it into the stack? by twiddlingbits · · Score: 4, Insightful

    That's exactly the point. It's a bastardization of the TCP/IP standard by M$. They want everything to operate to the M$ standard, not the approved W3C/ISO standards. Which means that if someone implements an open-source version then M$ sues them. This should be a Security Service that runs in the background and annoys the user that they may be using an "insecure" connection.

    The first time the CEO can't get his email because his laptop wasn't patched to the right level all hell will break loose and this will be turned off.

    It's also insecure as hell, someone could write a virus that does nothing but shut off this checking and then erases itself. Then you got a lot of time spent by the Help Desk and/or Techs trying to figure out why no one can connect! And unless the techs are ultra sharp about how the "new" TCP/IP stack operates they are going to be really puzzled and frustrated.

  8. Trojan'd Box? What about hacked DHCP Server? by Anonymous Coward · · Score: 4, Insightful

    People keep saying that your trojan'd box could report false information, but what about a rooted DHCP server (like in a coffee shop, or any area with free WIFI)? Your computer would be telling an unknown system its exact patch level. Screw brute force attacks, it would know exactly where you're vulnerable. Didn't Microsoft learn anything about offering too much information?

  9. It's called embrace and extend by Colin+Smith · · Score: 2, Insightful

    By making these changes in the stack you can improve the windows-to-windows performance while reducing the windows-to-other performance. It creates an environment in which it is strongly beneficial to have a windows-only network.

    --
    Deleted
    1. Re:It's called embrace and extend by dave562 · · Score: 2, Insightful

      From the article, my emphasis in bold

      They also claim that CTCP has been designed for "TCP fairness" to allow CTCP and regular TCP traffic to play nicely when sharing the same link - Microsoft's data shows that CTCP doesn't induce enough loss to wreak havoc with regular TCP allowing then to both maximize their throughput.

      In case you missed Networking 101, it is beneficial from a networking point of view to have only one protocol running on a network. But hell, if you want to... you can run a bunch of protocols, and a bunch of different frame types. Go ahead and throw some SNAP Ethernet and 802.2 on there with your 802.3, then toss some AppleTalk and IPX/SPX in there just for good measure. Let the switches sort all that shit out... that's what they're there for, right? =)

  10. TCP/IP stack embrace and extend? by Whammy666 · · Score: 3, Insightful

    Microsoft is famous for its "Embrace and Extend" philosophy of locking people into their products by corrupting open standards. This looks to be the same thing once again.

    I have to admit, it's been a while since I've read the TCP/IP protocol specs, but I don't remember there being any provisions for communicating things like OS type, version, or patch lists over the TCP/IP headers.

    This brings up a major compatibility question as to how this is going to work with routers, linux servers, printers, and other devices on a network which either don't know about CTCP or don't give a shit about CTCP. This scheme also seems to be extremely vulnerable to spoofing.

    If M$ would spend half as much effort in securing their OS as they do coming up with these hare-brained schemes, then we wouldn't need such contrived solutions to security.

    --
    When all else fails, run.
  11. Re:It will have the ability to restrict your netwo by Tim+C · · Score: 4, Insightful

    The network admins. Won't apply patches? You don't get network access. Won't run AV software? You don't get network access. Infected with known malware? You lose network access until it's cleaned up.

    Or you could go with the paranoid conspiracy theory and assume that MS will shoot themselves in the foot by trying to close out competing OSes at the network level; that would be the slashdot way, after all.

  12. Re:It will have the ability to restrict your netwo by Anonymous Coward · · Score: 1, Insightful

    Or you could go with the paranoid conspiracy theory and assume that MS will shoot themselves in the foot by trying to close out competing OSes at the network level; that would be the slashdot way, after all.

    Paranoid or not, it matches Microsoft's M.O. However, they're more likely to use subtle patent FUD to prevent interoperability with this technology than explicit lockout. Note that network admins don't control patent FUD. Microsoft alone decides who they choose to vaguely bless or rebuke.

  13. Yes, M$ is evil and M$TCP is stupid. by twitter · · Score: 2, Insightful

    Allowing sysadmins to keep unpatched Windows boxes off their networks is obviously nothing but pure evil. It's Microsoft, so it must be evil, right?

    Keeping windows boxes off a network would be nice, but it would be better to simply cut off machines that misbehave. Every machine on the botnet is going to know exactly what to tell the silly C(luster fuck)DHCP server for maximum access. Brands of OS M$ does not like will not. DHCP is already slow, adding this overhead won't rid your network of infections, it will just make it slower.

    Yes, Microsoft is evil and commits both technical and social vandalism. They break competitors' products and do things behind their sysadmins' backs. Don't you remember how their resolver configuration had M$ IP addresses hard coded, overriding your hosts files? Think this DHCP thing will be any easier to override? The social aspects of discouraging sharing and suing public schools beggar debate. So there you have it, evil from propaganda to implementation and enforcement. You still trust those people?

    --
    Friends don't help friends install M$ junk.

  14. Not all patches are for security by mattr · · Score: 3, Insightful

    Some MS patches are made to add hard DRM (WMP10) or police licenses (GenuineAdvantage) and maybe there are some other tinfoil-needy reasons.

    MS and the next-gen DVD consortium for that matter treat the customer as a potential criminal and require the ability to disable functionality in whole or in part. In other words, "security" to these people, including Microsoft, means keeping things secured against the user.

    As a real security scheme it looks quite weak and vulnerable. But engineering a way to get users' machines to spy on them and report not only compliance with security policies but also use of arbitrary applications seems quite useful both for pushing OS upgrades and conversions to Windows down people's throats and for providing ammo to content licensing organizations. Vista will be able to tell centralized servers who you are, whether you comply with some policy, and whether you can withstand an arbitrary network attack. Doesn't sound too secure to me. Wonder how SuSE will "interoperate" with this.

  15. Re:Why build it into the stack? by davidsyes · · Score: 2, Insightful

    Maybe to kill off or flag and issue red alerts on Linux boxes in corporate quarterly security audits/reports? If Linux keeps popping up, and if the bandwidth is screwed with by the server running undocumented code to hamper or impede services run on Linux boxes....

    Well, I guess smart IT shops will just put such servers outside the CDHCP servers....

    Nice try, mshaft. Take your bat and ball and go home. Try again another day...

    --
    Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
  16. Re:Why build it into the stack? by grcumb · · Score: 2, Insightful

    That's exactly the point. It's a bastardization of the TCP/IP standard by M$. They want everything to operate to the M$ standard not the approved W3C/ISO standards.

    Exactly. This strategy has been advocated in Microsoft internal documents dating from years back. Eric S. Raymond quotes a Microsoft confidential Linux strategy report as saying:

    Linux can win as long as services / protocols are commodities.

    I know I've been waiting since then for this particular shoe to drop. As for the rest of you, especially those who don't believe that Microsoft would do such a thing: Please read the documents, study Microsoft's strategy, and then decide where you want to be when their execution [sic] is complete.

    --
    Crumb's Corollary: Never bring a knife to a bun fight.
  17. Because residential ISPs might implement it by tepples · · Score: 2, Insightful

    Here is what I think is funny. Everyone bitches about this feature when MS implements it. How it could be an app or service of some sort. But when Cisco does it with CSA http://www.cisco.com/en/US/products/sw/secursw/ps5057/index.html it is the best idea ever.

    There's a specific difference. Residential ISPs are more likely to require something that is available as part of the Windows base install than something that requires proprietary software from Cisco. In addition, something from Microsoft is more likely to be used to deny Linux users the ability to connect or to require them to move up to the next tier of service at twice the monthly rate.