Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
July 24, 2001

Is Windows XP Safe? A Look at a Growing Controversy


Security expert Steve Gibson (of SpinRite storage system maintenance software fame) is embroiled in a controversy concerning Windows XP's security features that's worth examining. Gibson's Web site recently suffered a Distributed Denial of Service (DDoS) attack that cut off the site from its audience. An investigation into the attack showed that a 13-year-old hacker had kept Gibson's site offline by spoofing IP addresses and using 474 "zombie" Windows PCs—other users' machines on which attackers secretly install hacking code—to send raw packets at Gibson's site. Gibson's Web site suffered five such attacks in May—apparently all from the same 13-year-old hacker.

"He was like a child pulling the legs off a spider to see what it would do, watching it flail and attempt to get away from its tormentor," says Gibson in an article on his Web site. "He experiences absolutely no remorse and has no regard for any damage being done as a consequence. He believes that he can not and will not be caught. Hiding behind the anonymity created by the Internet's trusting technology, he exhibits no social conscience. I hope it is becoming clear to everyone reading this, that we can not have a stable Internet economy while 13-year-old children are free to deny arbitrary Internet services with impunity."

Gibson's story is interesting on many levels (despite the hyperbole on his site, I strongly recommend you read it), but his charges against Windows XP put the story on my radar. Gibson says that the attacks were made possible by a technology called raw sockets. Raw sockets have been in various UNIX versions for some time, and Microsoft will finally fully implement this standard networking technology in Windows XP; previous Windows versions contained only a limited version.

Gibson's charges put him on Microsoft's radar also: He met with the company, but came away unimpressed. "With a bit of horror, I learned that Microsoft's developers have no understanding of security," he wrote after the meeting. "Because of the danger of abuse of full raw sockets, all other operating systems restrict its use to only the most highly privileged applications running with 'root' privileges (the equivalent of Administrator in UNIX). But the need to run legacy Windows 9x applications under Windows XP has forced the notion of 'privilege' to be discarded and thus eliminated a crucial layer of protection. All Windows XP Home Edition applications will, therefore, be running as 'root' . . . and a dangerous capability that was never meant to be globally available to all applications—has been made available to all applications."
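The "privilege layer" Gibson describes can be checked directly rather than taken on faith. The following script is an added example written for this page (it is not code from the article, from Gibson, or from Microsoft). On Linux the kernel grants a raw IP socket only to a process whose effective capability set includes CAP_NET_RAW (bit 13, as defined in the kernel's capability header), which root holds by default; the script reads that set from /proc/self/status, then asks the kernel for a raw ICMP socket, closes it immediately, and sends nothing. Run it once as an ordinary user and once as root to see the gate that Gibson says XP Home lacks. On platforms without /proc the capability field is reported as None and only the kernel's answer is shown.

```python
"""Probe whether this process can open a raw IP socket, and why.

Added example (not from the article): on Linux a raw socket requires
CAP_NET_RAW in the effective capability set, so an unprivileged process
is refused with EPERM. The probe never sends a packet; it only asks the
kernel whether the socket may be created, then closes it.
"""
import os
import socket

CAP_NET_RAW = 13  # capability bit number (linux/capability.h)


def effective_cap_net_raw():
    """True/False if CAP_NET_RAW is in the effective set; None when
    /proc/self/status is unavailable (non-Linux hosts)."""
    try:
        with open("/proc/self/status") as status:
            for line in status:
                if line.startswith("CapEff:"):
                    caps = int(line.split()[1], 16)
                    return bool(caps & (1 << CAP_NET_RAW))
    except OSError:
        return None
    return None


def probe_raw_socket(family=socket.AF_INET, proto=socket.IPPROTO_ICMP):
    """Attempt to create (and immediately close) a raw socket.

    Returns a dict with the effective uid, the CAP_NET_RAW state, whether
    the kernel allowed the socket, and the errno if it refused.
    """
    result = {
        "euid": os.geteuid() if hasattr(os, "geteuid") else None,
        "cap_net_raw": effective_cap_net_raw(),
        "allowed": False,
        "error": None,
    }
    try:
        sock = socket.socket(family, socket.SOCK_RAW, proto)
    except OSError as exc:
        # EPERM/EACCES when the privilege check fails; other errnos if the
        # protocol is unsupported or a seccomp filter blocks the call.
        result["error"] = exc.errno
    else:
        sock.close()
        result["allowed"] = True
    return result


if __name__ == "__main__":
    outcome = probe_raw_socket()
    verdict = "CAN" if outcome["allowed"] else "cannot"
    print(f"euid={outcome['euid']} cap_net_raw={outcome['cap_net_raw']}: "
          f"this process {verdict} open raw sockets (errno={outcome['error']})")
```

The useful comparison is between `cap_net_raw` and `allowed`: a system that enforces the privilege layer never reports `cap_net_raw=False` together with `allowed=True`. If every interactive process on a machine runs with that capability (as every application on an all-Administrator desktop effectively does), the check passes for everything, which is precisely the condition Gibson objects to.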

The problem is that Microsoft designed Windows XP to replace all current Windows versions. So Gibson envisions a future in which every Windows machine could help hackers attack Web sites, and we'll all be "zombies," at the beck and call of young hackers (insert scary music).

I asked to speak to a Microsoft representative about this controversy, but received a statement instead—a bit of a slap in the face from a company trying desperately to prove that it cares about security. The company says that Windows XP is the most secure desktop product that it has ever created and answers Gibson's claims with what appears to be a more level-headed explanation of the raw sockets feature and why it's included in Windows XP. Microsoft also notes that customer demand for Winsock standard compliance drove the decision to include raw sockets support in Windows XP.

"Windows XP will be a major step forward in Microsoft's 'war on hostile code' that was announced at this year's RSA Security Conference," the statement reads. "Among the new features integrated into Windows XP are Software Restriction Policies that can help prevent hostile code from running on Windows XP and the Internet Connection Firewall that will protect systems from outside attack. While Mr. Gibson is a respected security expert, we believe that he has focused on the wrong issue in making his dire predictions. He extrapolates from his experience with a denial of service attack to a more threatening scenario that he believes could occur if the attacking systems (zombies) could spoof arbitrary IP addresses, and then focuses on an industry standard mechanism built into Windows 2000, Windows XP, and most other platforms that he says would facilitate such spoofing."

Microsoft says that the key behind DDoS attacks is running hostile code on other users' machines (thus creating zombie machines that hackers can use to attack other systems). And the company correctly notes that it designed much of the security hardening in Windows XP to prevent this sort of activity. "We believe that Windows XP systems will reduce rather than increase the incidence of denial of service attacks," the company says. Microsoft also notes that the raw sockets technology that Gibson focuses on is not to blame for IP address spoofing and, ultimately, DDoS attacks. "A variety of system tools and some hacker tools, all capable of running on Windows 9x systems, have this capability," Microsoft says. "The Internet community has been fortunate that none has yet been diverted as the base for a 'zombie' script that would spoof IP addresses, but it's important to note that there's no technical impediment to this being done for a script that would run on Windows 9x."

So who's right? Like many things in life, this argument falls into a gray area, although both sides are convinced that the other is wrong. My admittedly untechnical take on the situation is that Microsoft needs to be concerned with security first and a bulleted list of features second: If features such as raw sockets prove to be a risk to many users, maybe Microsoft shouldn't include this support out of the box. But if users want to manually install features such as raw sockets, that option should be available. I honestly don't know where to fall on this matter, but I'm very interested in your feedback. Please let me know what you think.

Resources

Steve Gibson's GRC Web site
Microsoft Security

Reader Comments
Mr. Gibson seems quite bitter. If the world believed in his views we would still be back in the old mainframe days. Remember amateurs built the Ark and professionals built the Titanic. Please let him know there is counseling for this type of problem.

Mark Deneen July 25, 2001


So if someone implements the Internet Connection Firewall packaged with XP, would these concerns be nullified? Another solution for Microsoft then: either remove the raw-sockets functionality or fully implement ICF as a matter of course...
If ICF does not fully protect the users against said DDoS attacks, then why package it at all?
Argh...

Sean Ramsay July 26, 2001


Simply put, which operating systems have been so widely hampered recently? Perhaps it is due to a wider base or more users, but when was such a widespread outbreak ever recorded when we were still using the less secure, less stable Windows 98 technology?

Can anyone show any instance where the percentages of afflicted computers in the world were running such less secure software?

redeye May 12, 2004


Windows IT Pro is a Division of Penton Media Inc.
© 2010 Penton Media, Inc.