
Microsoft States Full TCP/IP Too Dangerous

Zonk posted more than 8 years ago | from the don't-let-them-have-all-the-toys dept.

Microsoft 575

daria42 writes "To fully implement the TCP/IP protocol in Windows XP would make creating denial of service attacks 'entirely too trivial', Microsoft has claimed. The company was responding to claims by Nmap author and well-known security expert Fyodor that by repeatedly disabling the ability to send TCP/IP packets via the 'raw sockets' avenue, Microsoft was asking the security community to 'pick their poison': either cripple their operating system or leave it open to hackers. Admitting that a recent security patch had intentionally disabled a community-developed workaround to Microsoft's TCP/IP changes - which were first implemented in Windows XP Service Pack 2 - the company claimed it had received little negative feedback on the issue."


575 comments

News Flash: Butter is good on toast! (3, Interesting)

TripMaster Monkey (862126) | more than 8 years ago | (#12371023)

News Flash: Butter is good on toast!

From the Article:

"Supporting packet sends from simple user-mode raw sockets makes it entirely too trivial for compromised systems under control of hackers to launch massive distributed denial of service attacks," Microsoft warned in a statement to ZDNet Australia.


Interesting that M$ sees fit to lecture us on the dangers of raw sockets now, given their prior stand on the issue. [grc.com]

Re:News Flash: Butter is good on toast! (5, Insightful)

rsmith-mac (639075) | more than 8 years ago | (#12371211)

Let's give MS some credit here, I think even they've come to realize that Gibson was right and raw sockets for users was a mistake. The fact of the matter is that they fixed the issue by taking away raw sockets, and now they have to defend that position.

Baby, meet bathwater. (5, Informative)

mfh (56) | more than 8 years ago | (#12371026)

To fully implement the TCP/IP protocol in Windows XP would make creating denial of service attacks 'entirely too trivial'

This is because XP is not designed right, not because the TCP/IP protocol is wrong. (just to be clear)

The quote [seclists.org] from Fyodor is:
"Pick your poison: Install MS05-019 and cripple your OS, or ignore the hotfix and remain vulnerable to remote code execution and DoS."

It's like... we just... can't... win.

Fyodor goes on to say...

"Nmap has not supported dialup nor any other non-ethernet connections
on Windows since this silly limitation was added. The new TCP
connection limit also substantially degrades connect() scan. Nmap
users should avoid thinking that all platforms are supported equally.
If you have any choice, run Nmap on Linux, Mac OS X, Open/FreeBSD, or
Solaris rather than Windows. Nmap will run faster and more reliably.
Or you can try convincing MS to fix their TCP stack. Good luck with
that."


The answer, my friend, is to drop Microsoft.

Baby, meet bathwater.

Re:Baby, meet bathwater. (4, Interesting)

shird (566377) | more than 8 years ago | (#12371252)

Or perhaps if you are going to write apps that require such low level network access, you should be using a packet driver (or whatever the mechanism is in windows) to do that.

The same can be said for any access to hardware that could be considered unnecessary for typical applications or 'harmful' to the hardware (harmful in the sense that it is 'harmful' to the network and your connection).

I think what MS has done is quite acceptable, given the number of trojans out there that are DoS'ing and spamming like crazy. Trojans that are on the systems often because of user stupidity rather than an insecure OS. As long as it is possible to actually write such a 'driver' (I think there is a different name for it, but I can't remember).

Re:Baby, meet bathwater. (2)

EvilTwinSkippy (112490) | more than 8 years ago | (#12371474)

I had to reprogram my switches to not accept partial packets because Windows clients infected with scanning trojans were hogging the lines with crap UDP traffic.

Mind you, I'm not talking about our 3Mb link to the internet. I'm talking about our 100Mb switch in the basement.

Whatever Microsoft thinks they are doing, it isn't helping in the areas that count.

Hammer, meet nail. (4, Funny)

lheal (86013) | more than 8 years ago | (#12371295)

This is because XP is not designed right, not because the TCP/IP protocol is wrong. (just to be clear)

You nailed it.

Microsoft is clearly trying to shift the blame from their dain-bramaged design to TCP/IP. How many other operating systems are there that do (more or less) fully implement TCP/IP, including raw sockets? It's almost universal.

Oh well. I guess Microsoft knows the neighborhood is safer with a crippled lunatic than a healthy one.

Re:Baby, meet bathwater. (1, Insightful)

badriram (699489) | more than 8 years ago | (#12371301)

Now that was the dumbest answer I have ever seen. No justification whatsoever for your claim of XP not designed right.

Microsoft is doing something that I do believe is better for 99% of the drones out there that do not need raw TCPIP. However I do think they should make available as a download or on CD a TCP/IP pack that does support raw sockets.

Re:Baby, meet bathwater. (0)

Anonymous Coward | more than 8 years ago | (#12371430)

You are joking, surely. Microsoft's implementation of TCPIP stack is deliberately hampered - they know this, they admit it. It makes it more difficult for security professionals to use Microsoft platforms for testing...so we will end up using Linux or other OSs all the time, instead of mostly:-)

Re:Baby, meet bathwater. (2, Insightful)

iainl (136759) | more than 8 years ago | (#12371447)

Presumably, the reason for not doing so is that if you can run something reasonably tiny to get access to raw-mode anyway, then that is the first thing any worm is going to do.

The real message is that if you need these proper TCP/IP features, use a proper OS.

Re:Baby, meet bathwater. (1)

Martin Blank (154261) | more than 8 years ago | (#12371452)

Perhaps something could be clarified... Have there been any significant viruses, worms, bots, or whatever that have taken advantage of raw sockets? Almost all of the alerts I've seen from Symantec, McAfee, etc, cover worms that cause problems via other means.

Re:Baby, meet bathwater. (2, Insightful)

fudgefactor7 (581449) | more than 8 years ago | (#12371462)

Actually, TCP/IP is broken. It was never intended to be secure, rather just a means of communication. The creators of the stack never envisioned people doing what they are with it. It needs a complete reworking--thus the need for IPv6 with all the security hoo-ha's in play. MS was in a quandary: force the patch out and fix the issue, and thereby hamstring some machines; or don't fix it and have an explosion of zombies and compromised machines--for which there would be no end to the complaints (on Slashdot or anywhere else, for that matter.) What's your pick: a more secure Internet experience for everyone or not?

IPv4 is broken, like it or not. Our only hope is to fix it.

Ulterior motives (4, Interesting)

bmw (115903) | more than 8 years ago | (#12371038)

It's quite obvious that Microsoft has other motives for doing this as this really doesn't do anything to improve security. As was quoted in the article, Fyodor correctly points out that Windows (AFAIK) is the only operating system to put such restrictions on raw sockets and it certainly has not helped their dismal security.

Of course, there's always the possibility of ignorance...

Never attribute to malice that which is adequately explained by
stupidity.


but I really have to doubt that Microsoft is quite this dumb. They've got a lot of really talented people working there so you have to think that someone would have thought about this. Then again, they have demonstrated a supreme lack of understanding when it comes to security so who knows.

Re:Ulterior motives (2, Insightful)

harrkev (623093) | more than 8 years ago | (#12371294)

Microsoft can't win no matter WHAT they do.

Steve Gibson (author of Spinrite, among other things), has been on a crusade for years to get raw sockets taken out. See his web page [grc.com]. And I tend to trust this guy. He makes Windows programs in assembly! That is the geek equivalent of crushing a beer can on your head! That may make you question his sanity, but certainly not his technical knowledge.

Implement raw sockets, get blasted by one security "expert." Take them out, and get blasted by another.

For what it's worth, I think that raw sockets in user-mode are a bad idea. The average user does NOT need raw sockets.

Re:Ulterior motives (1)

bmw (115903) | more than 8 years ago | (#12371343)

As many many people have pointed out, including the article itself, Microsoft's poor security has little to do with support for raw sockets. Pretty much every other OS out there supports raw sockets and you don't see anywhere near the amount of security issues as you do with Windows. The problem is in the overall design of Windows and the mindset of most of its users.

Re:Ulterior motives (2, Insightful)

grasshoppa (657393) | more than 8 years ago | (#12371351)

Gibson is a nit. His site is propaganda, written to manipulate and distort.

He writes win32 programs in Assembly. So what? All that proves is he has tons of time on his hands. The real test is writing reusable, easy to understand code, portable if possible.

Re:Ulterior motives (4, Informative)

0x461FAB0BD7D2 (812236) | more than 8 years ago | (#12371367)

If they locked down raw sockets and made it available only to administrators or root users, that would solve it.

Gibson points out that other operating systems do this, while Windows doesn't. The problem lies there, not in the inclusion of raw sockets API.

Re:Ulterior motives (5, Insightful)

Andrewkov (140579) | more than 8 years ago | (#12371487)

Except everyone does their daily work signed on as administrator (by everyone I mean the majority of average users). Maybe a desktop OS for the masses *should* be crippled in some ways, to protect people from themselves. And people who need a full featured OS can use something else (a separate version of Windows, or whatever).

Re:Ulterior motives (1)

austad (22163) | more than 8 years ago | (#12371348)

This makes their OS pretty much useless for network engineers. Maybe they should cripple it, and then have a package you can download to enable full functionality.

I do network security, and several of my co-workers use windows, but all this is going to do is make it harder for them to do their jobs. Me, I'm happily plugging away on OSX, so I don't care what they do. All this will do is reinforce my idea that all of our engineers get powerbooks.

Re:Ulterior motives (5, Interesting)

Anonymous Coward | more than 8 years ago | (#12371388)

Then again, they have demonstrated a supreme lack of understanding when it comes to security so who knows.

Actually, I think we're seeing the maturation of a "corral the wagons" paranoia in Microsoft's culture. Lacking the ability to push any serious innovation internally (let's be serious, most of Microsoft's innovations during the past 20 years were brought in through acquisitions or copycat development ala VMS for NT, liberal borrowing from OS/2, Apple and Mach, etc). Now that antitrust severely limits acquisition growth, Microsoft is facing the same threat that broke Worldcom. Unable to make significant acquisitions, unable to meet growth internally, and now unable to cook the books like Worldcom, Microsoft's certain to get very defensive as the pressures heat up.

I thought I saw the beginnings of this phenomenon in 1998 at the IPv6 summit, where Microsoft's techs at the conference were explaining their implementation at first with great pride, only to be somewhat ashamed at how much they hadn't followed the specification very well, had numerous bugs and compatibility issues, and were clearly well behind everyone else. Nearly every other operating system had a much more mature implementation. (How long did that IPv6 stack remain a beta too?)

Amazingly, Microsoft is now attempting to patent IPv6 [zdnet.com] through a copy-cat specification (as was discussed on slashdot [slashdot.org]). Somehow it's not amusing when the kid who was not very successful in his participation in the group assignment decides to take exclusive credit for the group's effort.

So now Microsoft is blaming IPv4's engineering (when just like IPv6, everyone else seemed to understand and master the assignment EXCEPT Microsoft)?

As a teacher of mine once said to perpetual underachievers in class: Perhaps you might consider a career in food service instead?

Re:Ulterior motives (1)

badriram (699489) | more than 8 years ago | (#12371401)

This move was not designed to protect Windows itself. It was made to protect servers, and other boxes from DDOS etc. And MS is absolutely correct on that. Windows is the only OS to put those restrictions because that is the only OS on 90% of people desktops.

This is a preventative fix, I do not remember but someone did warn MS not to support RAW sockets, but they defended and supported it anyways. Now they are just backtracking after they realize that 99.99% of the population do not need it. The only ones that do need it are Sys admins and network admins, and well they should know their way around other OSes.

A wise decision (5, Insightful)

jawtheshark (198669) | more than 8 years ago | (#12371043)

Of course nobody needs raw sockets, and after all no other operating system supports them. I mean, it's not as if OpenBSD, Mac OS X, FreeBSD, NetBSD, the various Linux flavours support it. It would be too dangerous.

No, Microsoft... none of those support raw sockets. Oh, wait... they all do. The problem is not raw sockets, the problem are the holes in the OS in the first place. If your OS doesn't run services that can be hacked, or if the applications don't allow to execute untrusted code there is no problem. Avoiding raw sockets is treating the symptoms, not the cause.

Re:A wise decision (5, Informative)

TheRaven64 (641858) | more than 8 years ago | (#12371177)

On UNIX-like systems, creating a RAW socket can only be done by the superuser. Putting a similar restriction on Windows (substitute Administrator for superuser) would provide no benefit, since Windows is designed in such a way that most users run as an Administrator. Depressingly, the RunAs service has been around for many years now, completely eliminating the need to run as an Administrator. Unfortunately, the lack of a decent UI for this service has prevented its widespread use.
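
The restriction described in the comment above, as a check a defender can run on Linux (an added example, not part of the original thread): it decodes the effective capability mask in /proc/<pid>/status to list the processes that may open raw sockets. The CAP_NET_RAW refinement of "superuser only" is Linux-specific, and the sample status excerpts are constructed.

```python
import os
import socket

CAP_NET_RAW = 13  # bit index of CAP_NET_RAW in Linux capability masks

# Constructed /proc/<pid>/status excerpts (sample data, not from a real host).
SAMPLE_USER = "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"
SAMPLE_ROOT = "Name:\tsshd\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
SAMPLE_PING = "Name:\tping\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000002000\n"


def parse_status(text):
    """Extract name, effective UID and effective capability mask."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key] = value.split()
    return {
        "name": " ".join(fields.get("Name", ["?"])),
        "euid": int(fields["Uid"][1]),          # Uid: real, effective, saved, fs
        "cap_eff": int(fields["CapEff"][0], 16),
    }


def can_send_raw(info):
    """True if the process holds CAP_NET_RAW in its effective set."""
    return bool((info["cap_eff"] >> CAP_NET_RAW) & 1)


def audit(proc_root="/proc"):
    """List (pid, name, euid) for every process able to open raw sockets."""
    found = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                info = parse_status(fh.read())
        except (OSError, KeyError, ValueError, IndexError):
            continue  # process exited, or status lacks the expected fields
        if can_send_raw(info):
            found.append((int(entry), info["name"], info["euid"]))
    return found


def probe_raw_socket():
    """Try to create (and immediately close) a raw ICMP socket."""
    try:
        socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP).close()
        return True
    except OSError:  # PermissionError (EPERM) for unprivileged callers
        return False


if __name__ == "__main__":
    print("this process may open a raw socket:", probe_raw_socket())
    if os.path.isdir("/proc/self"):
        for pid, name, euid in audit():
            print(f"pid={pid} euid={euid} {name}")
```

A non-root entry in the audit output (like the constructed `ping` sample) is a process that was granted raw-socket access without full superuser rights.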

Re:A wise decision (2, Informative)

Karzz1 (306015) | more than 8 years ago | (#12371319)

the RunAs service has been around for many years now, completely eliminating the need to run as an Administrator

You must be kidding. The runas service is *nothing* compared to a true multi-user environment. Other than installing software runas is useless. How do you modify the registry without logging out the local user? How do you add printers to the machine without logging out the user?

Runas is a hack to make up for oversights in the OS.

Re:A wise decision (5, Informative)

Chibi Merrow (226057) | more than 8 years ago | (#12371432)

How do you modify the registry without logging out the local user?

runas /user:Administrator@domain regedit.exe

How do you add printers to the machine without logging out the user?

runas /user:Administrator@domain "C:\program files\internet explorer\iexplore.exe"
Click View, Explorer Bar, go to printers control panel, add printer...

Yes, you're right, there are some things you still can't do using runas, but not many. Be creative.

Re:A wise decision (1, Insightful)

aaamr (203460) | more than 8 years ago | (#12371255)

I realize you were being sarcastic, but consider: from TFA:
  • In addition, the software giant said only a small number of programs were affected by the change: "The only applications that care deeply about the ability to send over raw sockets are enterprise security applications that use 'fingerprinting' techniques to characterise a host on the network based on its response to carefully crafted packets." Consequently, the company has restricted access to raw sockets in desktop versions of its software, but not on servers.
Since the majority of windows users are not well-versed in good security practices and just want to get online, this is actually a Good Thing, since these folks really don't need access to the described functionality. Those people that do will typically run a non-crippled OS, or one of the Windows server varieties.

Re:A wise decision (1)

Master of Transhuman (597628) | more than 8 years ago | (#12371473)

In other words, you're saying that someone who doesn't know what a raw socket is doesn't need an OS that has one, whereas a hacker who does will use an OS that does ANYWAY?

By this logic, most users don't need most of the "features" on Windows.

Oh, wait...

Ha! (1)

X0563511 (793323) | more than 8 years ago | (#12371059)

It isn't already easy to create and launch a DDoS attack from Windows XP? So we get an almost crippled TCP stack in the name of making something a little less easy to do.

Sounds like a fair trade to me! [/sarcasm]

Re:Ha! (5, Insightful)

Pakaran2 (138209) | more than 8 years ago | (#12371180)

It isn't "almost crippled."

Ordinary users on Unix are subject to even worse limitations (which is, in fact, why ping among other utilities runs setuid root).

Has anyone found that this makes Unix unusable for them? For that matter, outside of DDoS, connection hijacking, and abusing smtp servers to cover your tracks when spamming, is there ever any need for an application programmer to falsify a source address? Doing so means you won't get a reply from whatever you're trying to do.

All that said, I imagine if MS actually put some effort into fixing the security issues with their flagship product in the first place, so it didn't get hacked (hint: disable activex by default, along with integrated vb scripting in outlook), then there'd be no hacked machines to be used in attacks.

So now (-1, Troll)

redcaboodle (622288) | more than 8 years ago | (#12371060)

Microsoft decides what I may do on my computer or not?
What's next? Microsoft deciding I may not run OpenOffice on my computer because I may write threatening letters on it?

Re:So now (1, Insightful)

Anonymous Coward | more than 8 years ago | (#12371171)

Microsoft decides what I may do on my computer or not?

This statement applies to any operating system -- you can only do things within the OS's limitations.

Remember when the 2.6.8 kernel suddenly broke CD/DVD burning in several prominent distros, because they implemented certain security features? That was fun...

Re:So now (0)

Anonymous Coward | more than 8 years ago | (#12371283)

microsoft decides what you can or can not do with a microsoft OS. Don't like it? switch to something else.

Re:So now (3, Insightful)

JPrice (181921) | more than 8 years ago | (#12371321)

Umm, while I'm not siding with Microsoft on the issue, I also think that yours is a ridiculous statement.

Microsoft is not deciding what you can do on your computer. They are deciding what you can do with a product they sell. It's a free market - if their product doesn't do what you want, buy (or download for free in many cases) a product that does.

They picked C (5, Funny)

Nijika (525558) | more than 8 years ago | (#12371068)

Cripple the OS, and leave it open to hackers!

In Redmond, this is what they call a win win.

//no Karma Bonus for that one... ;)

Re:They picked C (2, Funny)

Temporal (96070) | more than 8 years ago | (#12371485)

For a minute there, when you said "They picked C", I thought you meant as in the programming language. Ironically, your post makes almost as much sense with this interpretation. /me runs away.

Core Routers (4, Funny)

republican gourd (879711) | more than 8 years ago | (#12371077)

This is just part of the push to get the core internet routers cut over to NetBEUI well in advance of any ipV6 rollout. If Microsoft can manage that, the internet will be theirs again, just like when they initially built it between Steve, Bill and Woz's offices back in the early seventies.

Scary thing is, from what I've been reading Oracle will go along with this. And they can tell the future!!

Maybe Microsoft wants to (2, Funny)

Trigun (685027) | more than 8 years ago | (#12371087)

rewrite TCP/IP? Embrace and extend it, so that we can have a safe, trusted internet?

Microsoft's Real Plans (3, Funny)

PipianJ (574459) | more than 8 years ago | (#12371233)

Why embrace and extend? All they really need to do is support the evil bit [rfc-editor.org].

But of course, being Microsoft, you're probably right. They'll make their own implementation of the evil bit, patent it, and charge royalties to others who want to support their new "EDDP" protocol (Evil Data Detection Protocol).

Not to mention that IIS, Exchange, IE, and Outlook will grow to require use of EDDP during transfers of data, locking Mozilla, Apple, Linux, and others from accessing much of the internet.

Finally, John C. Dvorak [dvorak.org] will boldly claim that EDDP is the wave of the future, and Apple, Linux, and Mozilla are clearly inferior for not supporting what is clearly a web standard, because if Microsoft says it is, it MUST be.

Going back on their word (2, Interesting)

jelevy01 (574941) | more than 8 years ago | (#12371094)

Re:Going back on their word (0)

Anonymous Coward | more than 8 years ago | (#12371438)

Yeah, I remember the concern that raw sockets being added to XP were bad. Funny how 1.5 years later, Microsoft finally understands what Gibson was trying to say and removes them. Back then, we were chastising Microsoft for being so stupid, now we're chastising Microsoft for being so stupid.

So which is it? Is MS stupid for including the sockets without thinking about the problems they would cause or for removing them when they were clearly causing problems?

Responding to Steve Gibson (4, Interesting)

darylb (10898) | more than 8 years ago | (#12371098)

Microsoft is just responding to Steve Gibson [grc.com], of Gibson Research, who has hounded them for making raw sockets accessible to all programs in the past.

I remember... (2, Informative)

Karpe (1147) | more than 8 years ago | (#12371106)

Steve Gibson's crusade [grc.com] against Windows raw socket capabilities. Did Microsoft listen, and now is being criticised for doing that?

raw sockets+MS?! (2, Interesting)

quetzalc0atl (722663) | more than 8 years ago | (#12371108)

are they kidding?

if you are mucking with protocols by using raw sockets, are you really going to be coding it on a windows platform? i can imagine a worm or trojan doing it perhaps - in a ddos scenario - but since when has raw sockets become the red-headed stepchild implicated in this?

Re:raw sockets+MS?! (2, Insightful)

Rui Lopes (599077) | more than 8 years ago | (#12371154)

IDS? PF? Basically, anything that's not application-level...

Re:raw sockets+MS?! (0)

Anonymous Coward | more than 8 years ago | (#12371433)

IDS? PF? Basically, anything that's not application-level...

which are the sort of thing you'd expect to run on a server, not a desktop. Guess what? Windows 2003 now has raw sockets, XPSP2 doesn't. So everything's fine and dandy, right? What's the problem?

Privileges anyone? (4, Insightful)

bigberk (547360) | more than 8 years ago | (#12371117)

I can't believe this issue of Windows security is so difficult to understand. You read all these articles about viruses and trojans but people keep failing to mention the obvious - you must never casually run Windows with Administrator privileges.

It's because so many people are used to doing this by default, and so many third party apps demand Admin privileges, that Windows security is a nightmare.

There's more to the Windows security picture of course (insecure services as well) but you can prevent so many problems just by avoiding that Admin account. It's quite normal to have raw sockets via root/Administrator privileges. The problem is that all windows users (and any software they download) are Admins.

Re:Privileges anyone? (1)

chucks86 (799149) | more than 8 years ago | (#12371267)

I think that it is much too difficult to even start using a non-admin account. I'm almost positive that the default user when someone buys a new PC is Owner/Admin. One actually has to do a lot of work out of the box in order to somewhat safely use a computer, but people don't see it that way. The majority of consumers see computers as something that "just works."

Re:Privileges anyone? (1, Interesting)

Anonymous Coward | more than 8 years ago | (#12371309)

you must never casually run Windows with Administrator privileges.

PLEASE tell this to the executive staff at every fortune 500 company.

those knobs DEMAND that they run as admins, then their subordinates demand it and so on... so the poor lowly IT manager gets reamed because the CTO can not install elf bowling because of security reasons.

until we stop installing stupidity in the executive staff of corporations, running without admin priv's on windows is not an option.

Re:Privileges anyone? (0)

Anonymous Coward | more than 8 years ago | (#12371366)

until we stop installing stupidity in the executive staff of corporations

You have the tool for that... short sell SPY ;)

Re:Privileges anyone? (2, Insightful)

yagu (721525) | more than 8 years ago | (#12371415)

..., you must never casually run Windows with Administrator privileges.

It's because so many people are used to doing this by default, and so many third party apps demand Admin privileges, that Windows security is a nightmare. ...,

I find the problem to be the insidious architecture of XP specifically the lack of clear demarcation between a privileged user and an admin. I consult in both unix and Windows worlds for a living, so I'm on a Windows box a lot! (way more than I like) And I pretty much always have myself configured as an admin type user... not because I have to all the time (I do lots of work not needing that level of access) but more because of the unpredictability of what isn't going to work in some strange way when I'm using XP as an un-privileged user. It sucks, but I've found it to be the most expedient way, and I'm always nervous about it. I DO configure others as non-privileged, but it's amazing how often I get called to help with some problem caused by their lack of access (even though the problem SHOULDN'T exist).

On the other hand, I NEVER (as in don't remember the last time I logged in as) log in as root on unix machines, and don't even put myself in a root or bin group. I do use sudo when I need it both for the protection of not inadvertently mucking something up and for the nice logging artifacts (makes it easy to go back and find out where *I* mucked something up if *I* did). And, I don't give my users any exceptional access rights... AND, I (comparatively speaking) virtually never get support or help calls from those users. Everything pretty much works the way it's supposed to in a unix world -- the unix community is pretty savvy about what the various directory structures are for, what levels of access they provide, and how to work within that paradigm.

My experience leads me to conclude MS is a long way from really solving the admin/general user problems -- it's SO entrenched in their philosophy (remember, Windows really started out and was developed for PC's -- remember what the "P" stands for? -- it should be no surprise there aren't any bright lines drawn between super and regular users.)

So use another operating system for scanning (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#12371123)

Personally, I like the seemingly aggressive stance Microsoft is taking on security. They needed to start making difficult decisions like this and while it may inconvenience a handful of users it's for the greater good.

In other news... I just became aware of 5 brand new high and medium Firefox / Mozilla vulnerabilities in analysis at iDefense.

Why do people use Firefox again? Oh yeah, security.

Re:So use another operating system for scanning (0, Flamebait)

LifesABeach (234436) | more than 8 years ago | (#12371444)

I believe that the elders of redmond are not foolish. If they allow cracking, virii, worming, and root kitting; then it is because it is not in their interest to consider it. They are driven by ego, greed and a desire to consume all; not for helping you.

Be wary of the tiger that builds tiger traps.

FMEA (5, Interesting)

millahtime (710421) | more than 8 years ago | (#12371125)

Failure Modes and Effects Analysis... I would love to see that done on windows. Maybe find the problem itself rather than work around it and leave the failures in there. Bad by design.

Not disabled in Windows Server (2, Interesting)

figleaf (672550) | more than 8 years ago | (#12371127)

Raw Sockets are not disabled at the server versions.
Under Windows 2003, programs with admin privileges can use Raw sockets.

Another note from Bill Gates (4, Funny)

PenguinBoyDave (806137) | more than 8 years ago | (#12371131)

Dear MS Employees, We have started the FUD about TCP/IP. Now press forward with MS/IP. Once we release it we'll charge everyone a fee to use it because we know it will be more secure than TCP/IP. After all, it comes from Microsoft. With Love, Bill

Re:Another note from Bill Gates (1)

GreyPoopon (411036) | more than 8 years ago | (#12371365)

Once we release it we'll charge everyone a fee to use it because we know it will be more secure than TCP/IP.

You forgot to add: "Muhahahaha!!!".

Why support TCP/IP? Create a new one? (1)

freedom_india (780002) | more than 8 years ago | (#12371133)

**Microsoft** Why support TCP/IP? Anyway I own THE default OS of the world. 95% market share in desktops should mean establishing standards. I will build my own networking standard.

**Me** What about OS like UNIX, Linux, Mac OSX or even OS/2 Warp? They implement TCP/IP without the gaping holes you have? And how do i connect to internet if you implement your own standard?

**Microsoft** Bah Linux ! OS/2 is dead. Mac OS X? The one with 5% market share? Are you kidding? Well, we will give a niiiceee safe, good network. Ta da !!! MSN Reborn ! You will still be able to access your favorite websites without need for the pesky Google.
Your kids will be *safe* online. After all they can't visit iTunes or for that matter any other non-Microsoft site.
You get to save money by not needing to communicate with inferior OS like UNIX.

**Me** I don't know. I think I need interoperability more than conformation. Switch to Mac guys !

**Microsoft** Nooooo.... So near yet so far

So when... (4, Interesting)

RailGunner (554645) | more than 8 years ago | (#12371137)

So, they're going to re-disable raw sockets? I'd suggest that the IP implementation on SP2 is broken already. For example - when will you be able to send more than 8K in a single packet using a Java Socket on Windows XP Service Pack 2?
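import java.io.EOFException;
import java.io.IOException;
import java.io.PrintWriter;
import java.net.InetAddress;
import java.net.Socket;

// Wrapper class and main() added so the posted snippet compiles as-is.
public class SendTest
{
    public static void main(String[] args)
    {
        // Placeholder payload: substitute a string longer than 8K to run the test.
        String sString = "Some string more than 8K";
        Socket client;
        PrintWriter sock_out;
        try
        {
            // Connect to a listener on the local machine, port 5678.
            client = new Socket(InetAddress.getByName("127.0.0.1"), 5678);
            // autoFlush = true: println() flushes the stream.
            sock_out = new PrintWriter(client.getOutputStream(), true);
            sock_out.flush();
            sock_out.println(sString);
            sock_out.close();
            client.close();
        }
        catch (EOFException eof)
        {
            // Left empty in the original post.
        }
        catch (IOException e)
        {
            // Left empty in the original post.
        }
    }
}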

Try it yourself - see if you can receive more than 8K in a recv() call in Windows XP SP2. You can't.
If you do the same on Linux or OS X, you can. On Windows XP SP1, you can.

Thanks, Microsoft.

Re:So when... (-1, Troll)

Anonymous Coward | more than 8 years ago | (#12371167)

Uh, change your TCP window size, dork.

Re:So when... (0)

Anonymous Coward | more than 8 years ago | (#12371262)

I don't think the TCP window size has anything to do with the size of packets that can be sent and received. It just determines when the packets are broken up for transmission... right?

If not, then what's the default window size, and why isn't it documented in the send() and recv() calls? There is no mention (at least in the otherwise-good MSDN docs) of any artificial cap on packet sizes.

Re:So when... (2, Insightful)

RailGunner (554645) | more than 8 years ago | (#12371303)

I don't think the TCP window size has anything to do with the size of packets that can be sent and received. It just determines when the packets are broken up for transmission... right?

You are correct. The default window size, btw, is 32K, if memory serves me correctly. Grandparent is a troll.

Re:So when... (0)

Anonymous Coward | more than 8 years ago | (#12371410)

Also, how do you know that it's not a Java for Windows socket bug? Test your example without an interface to the OS socket interface.

Re:So when... (0)

Anonymous Coward | more than 8 years ago | (#12371501)

Try it yourself - see if you can receive more than 8K in a recv() call in Windows XP SP2. You can't.
If you do the same on Linux or OS X, you can. On Windows XP SP1, you can.


OK, so how does that violate the BSD sockets interface?
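The exchange above turns on whether a single recv() has to return everything the peer wrote. As an added example (not code from any poster in this thread): TCP is a byte stream, so a receiver that needs a whole message loops until the declared length has arrived. The 4-byte length prefix, the `MAX_MSG` limit and all function names are assumptions of this sketch.

```python
import socket
import struct
import threading

MAX_MSG = 1 << 20  # assumed limit: refuse length prefixes above 1 MiB


def recv_exact(sock, n, bufsize=8192):
    """Loop until exactly n bytes arrive; each recv() may return fewer."""
    buf = bytearray()
    calls = 0
    while len(buf) < n:
        chunk = sock.recv(min(bufsize, n - len(buf)))
        if not chunk:  # b"" means the peer closed before the message was complete
            raise ConnectionError(f"EOF after {len(buf)} of {n} bytes")
        buf += chunk
        calls += 1
    return bytes(buf), calls


def send_msg(sock, payload):
    """Frame a message as a 4-byte big-endian length followed by the payload."""
    sock.sendall(struct.pack("!I", len(payload)) + payload)


def recv_msg(sock):
    """Read one framed message; returns (payload, number of recv() calls)."""
    header, _ = recv_exact(sock, 4)
    (length,) = struct.unpack("!I", header)
    if length > MAX_MSG:  # never trust a peer-supplied length blindly
        raise ValueError(f"declared length {length} exceeds limit")
    return recv_exact(sock, length)


def demo(size=64 * 1024):
    """Send a 64K message over loopback and reassemble it in <=8K reads."""
    payload = bytes(i % 251 for i in range(size))  # constructed test data

    def serve(listener):
        conn, _ = listener.accept()
        with conn:
            send_msg(conn, payload)

    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))  # loopback, ephemeral port
        listener.listen(1)
        t = threading.Thread(target=serve, args=(listener,))
        t.start()
        with socket.create_connection(listener.getsockname()) as client:
            data, calls = recv_msg(client)
        t.join()
    return data == payload, calls


if __name__ == "__main__":
    ok, calls = demo()
    print(f"payload intact: {ok}, recv() calls needed: {calls}")
```
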

I wish they had a patch for their idiocy (0)

Anonymous Coward | more than 8 years ago | (#12371141)

Thanks to the MS05-019 patch we now have to roll out a NEW PATCH to fix the bugs the MS05-019 introduced worldwide...

If you get some weird problems with clients operating on your WAN you might want to contact your MS rep and ask for a patch for the bugs introduced with MS05-019's TCPIP.SYS.

this won't make a bit of difference... (2, Interesting)

quetzalc0atl (722663) | more than 8 years ago | (#12371152)

...since the admin can always write packets (in frames) directly to the layer 2 driver. All they are doing is breaking the BSD sockets API - security through obscurity? Right....

I agree... (2, Insightful)

ebrandsberg (75344) | more than 8 years ago | (#12371158)

If you can't have a secure OS, the OS should be less vulnerable to being abused. So in effect, use Linux or other OS's if you need to use raw sockets.

No matter what MS does, people will complain (1, Redundant)

harlows_monkeys (106428) | more than 8 years ago | (#12371160)

Before XP, they did not support raw sockets, and they got blasted by Steve Gibson [grc.com] for adding support for them in XP.

So now they are getting blasted for taking them out.

Sounds like MS gets to choose: make Gibson happy, or make Fyodor happy.

Informative? Try Redundant (0)

Anonymous Coward | more than 8 years ago | (#12371472)

He's like the third person here to post *that exact link*, and there's even more who've linked to grc.com. Like the first post, for example.

why does anyone need raw packets? (0)

Anonymous Coward | more than 8 years ago | (#12371178)

on a desktop? What network traffic would one really be analyzing on a desktop?

ATTENTION: ALL TROLLS (-1)

Anonymous Coward | more than 8 years ago | (#12371183)

Is this site gay? [blogspot.com]

If so, please post your thoughts. Include various pictures of goatse, tubgirl and others.

Your support is appreciated.

Replacement (5, Interesting)

Mr_Silver (213637) | more than 8 years ago | (#12371184)

As soon as I saw this, it made me remember this article [pbs.org] by Cringely (written in August 2001) which discusses the "problem" of raw sockets.

From it:

According to these programmers, Microsoft wants to replace TCP/IP with a proprietary protocol -- a protocol owned by Microsoft -- that it will tout as being more secure. Actually, the new protocol would likely be TCP/IP with some of the reserved fields used as pointers to proprietary extensions, quite similar to Vines IP, if you remember that product from Banyan Systems. I'll call it TCP/MS.

How do you push for the acceptance of a new protocol? First, make the old one unworkable by placing millions of exploitable TCP/IP stacks out on the Net, ready-to-use by any teenage sociopath. When the Net slows or crashes, the blame would not be assigned to Microsoft. Then ship the new protocol with every new copy of Windows, and install it with every Windows Update over the Internet. Zero to 100 million copies could happen in less than a year, and that year could be prior to the new protocol even being announced. It could be shipping right now.

Food for thought.

MS innovates counter arguments shock!! (1)

ABCC (861543) | more than 8 years ago | (#12371194)

The company is expecting further debate on the issue, it said, even going to the extent of forecasting typical counter-arguments to the TCP/IP changes. One example cited was "worms/viruses can just install a kernel-mode driver that would still allow denial-of-service attacks to be carried out."

It also pointed out that "writing and installing kernel-mode code is vastly more complicated" than using an existing raw socket feature, and that if malware did make it into the kernel of a Windows machine, the user would have more serious concerns than just SYN attacks launched from their machines.

I guess the MS position on this is that installing a kernel-mode virus will require a reboot to load properly, and since Longhorn will be ultra-super-stable (TM) this will not be an issue, since their new virus scanning/spam hunting "solutions" will catch such wild code before a PC is rebooted. In other words, move along folks, nothing to see here...

I Can't Believe It... (5, Funny)

cyngus (753668) | more than 8 years ago | (#12371195)

I am actually going to side with Microsoft on this one. It is not as if they removed raw sockets, but rather restricted access to them. Let's consider who needs raw sockets, mostly advanced users. Advanced users are going to have an Administrator or root account on the Windows machine and therefore should have access to raw sockets, no? There is almost no reason for the average user to have raw sockets. They do create a real risk of bad network behavior and I imagine if someone were to create TCP/IP today instead of 30 years ago when the Internet was a much smaller, nicer place, raw sockets would not be part of the spec.

As an aside, I think I'm going to take the rest of the day off, agreeing with Microsoft is mentally jarring. It has to make you question existence just a little and also make you a touch ill.

Raw sockets only enabled with Microsoft firewall.. (0)

Anonymous Coward | more than 8 years ago | (#12371201)

According to the related MS KB article:
http://support.microsoft.com/kb/897656/ [microsoft.com]

*snip*

CAUSE
This behavior occurs because security update MS05-019 changes the way raw sockets work when Internet Connection Firewall (ICF) is disabled. By default, ICF is disabled in Microsoft Windows XP with SP1.

WORKAROUND
To work around this behavior, enable ICF. After you start ICF, you can send TCP packets and UDP packets over raw sockets. To enable ICF in Windows XP with SP1, follow these steps:

*snip*

Sure sounds like a new monopoly in the firewall market is forming... now you need a Microsoft firewall before you can even send data :P

Let this be a lesson (1)

techguy911 (672069) | more than 8 years ago | (#12371203)

We have been saying for years that running all programs and services at the administrator level is a nightmare and they didn't listen to us. Now they just figured out that it's a problem? I just hope the new Longhorn security model is better.

To cripple or not to cripple (1)

DirtyFly (765689) | more than 8 years ago | (#12371218)

I believe this is a case of choosing the lesser evil. From my perspective I do believe that the full stack should be implemented, but then again I do prefer a safer environment. Remember, most Windows users don't even know what TCP/IP is, as long as it browses ...

Jorge Canelhas
Are you a Retro computing fan ??? http://www.retroreview.com/ [retroreview.com]

In Other News (1)

p0 (740290) | more than 8 years ago | (#12371226)

Microsoft has announced today that breathing oxygen can be dangerous for... ah what the hell. I need some sleep.

Easy to see why (2, Insightful)

Anonymous Coward | more than 8 years ago | (#12371273)

Thousands of people gripe about Windows having this "awful security hole" thanks to misinformation on GRC, and are generally so uptight about information they find on there that they'll cripple their internet connections, wreck the data on their hard drives, and so on...all in the name of being secure! (his entry on http://attrition.org/errata/charlatan.html [attrition.org] links to http://www.grcsucks.com/ [grcsucks.com] which describes some of the mania people will go through at Gibson's prompting)

So what happens if MS doesn't pander to them? They constantly get bad press from people who constantly spout off about "security" that they gleaned from the Gibber's site. What happens if MS does pander to them? A few people are upset, but most of the bad press on this issue goes away.

So what should they have done? Wait it out, and take the high road? They've tried that. Educate the users? We've tried that. What else?

batten-down the... industry standard protocols? (2, Insightful)

dionysian.mind (862531) | more than 8 years ago | (#12371274)

But why properly implement anything when you can just cripple it instead?

Seriously, this is the all-too-common fatal flaw that I have seen in *almost* every tech organization I have ever worked for, or with. It is always easier to throw crap together with no regard for how it actually works. If it limps along, that is enough for some people (maybe because they were all raised on Windows?).

At this point, if M$ had any respect for itself or the tech industry they would liquidate their company and give all their capital to a more helpful and pertinent organization... dare I say, the OSDL?

... but then again, where would be the mafia-capitalism joy that can only come from making a 4th rate product and then strong-arming tech markets into using it...

Erm, cough, cough, excuse me... (5, Insightful)

pandrijeczko (588093) | more than 8 years ago | (#12371313)

I run Linux and UNIX with my "insecure" full TCP/IP stack. My UNIX-y machines have an IP address, subnet mask, gateway, etc. etc. These machines do not get worms or viruses.

I run Windows 2000 with my "secure" limited TCP/IP stack. My Windows machine has an IP address, subnet mask, gateway, etc. etc. This machine would get virii if I didn't run a virus checker, firewall, etc.

There is one difference between the two scenarios above - the operating system!

Yes, my UNIX-y boxes are subject to attacks from the Internet but not random attacks like viri and worms.

An attack on my UNIX-y boxes comes from a single person or script trying to get into my box and trying to (probably) buffer overflow a specific application daemon like FTP, Telnet, etc. (not that I run either of these on the Internet anyway!)

So let's not blame it on the "TCP/IP" stack because all attacks are as a result of attacking applications that use the stack, not the stack itself.

We'll also remind ourselves here that UNIX was built around TCP/IP 25 years ago whereas MS refused to believe TCP/IP existed until 15 years ago after Windows 3.11 came out and they had to write a limited stack to install into Windows.

Re:Erm, cough, cough, excuse me... (0)

Anonymous Coward | more than 8 years ago | (#12371422)

It's viruses [ofb.net].

Translation (2, Funny)

nuintari (47926) | more than 8 years ago | (#12371339)

Translation: Our OS is a dog and we need to neuter it to keep it under control.

Not that this will solve anything, no raw sockets? I don't need no raw sockets, I have 48 billion bogus dns lookups!

Don't Worry (1)

Virtucon (127420) | more than 8 years ago | (#12371383)

Don't worry, we know what we're doing remember? We're Microsoft and you're not, yes we told you back in the 90s that TCP/IP was a doomed protocol, we told you that NETBIOS and NETBUI were the wave of the future. We know what we're doing and we got here without your help. So, be good little kids and move along, nothing to see here.

As long as we keep buying into this bullshit the community is going to be treated like kids. Enough already, vote with your wallet.

No negative feedback?? Here's why. (1)

Weaselmancer (533834) | more than 8 years ago | (#12371396)

...the company claimed it had received little negative feedback on the issue.

...because they've disabled port 110.

Ba dump bump! Thanks, I'll be here all week.

another example (1)

suezz (804747) | more than 8 years ago | (#12371397)

of companies and the government trying to control what they think we should or shouldn't have/or do.

somewhere, somehow our society got this attitude that because we think the public shouldn't have or need this we can disable it. never mind open standard open protocols - we know what is best for you.

or is it their software is so crappy they have to start to disable open standards open protocols to make it at least somewhat usable and secure.

In other news (1)

Anonymous Cowpat (788193) | more than 8 years ago | (#12371413)

Microsoft says a lot of things. In a related development 99.9% of the population of the planet think everything Microsoft says is twaddle.
Film at 11.

Firewalls or Filtering? (1)

digitaldc (879047) | more than 8 years ago | (#12371427)

Should firewalls/filtering at the access layer or upstream providers be mandatory for all networks? It is costly, but in comparison how much does the result of the attack cost?
Somehow they need to determine how to detect a spoofed packet/phony TCPIP headers, maybe they need to hire some of these hackers to work for MS?
Also, reduce the amount of information stored for each in-progress connection? Or use something like RealSecure to reset queues when they are overloaded?

OS For Dummies (1)

Andr0s (824479) | more than 8 years ago | (#12371428)

Well, I guess this is in line with Microsoft's approach to and attitude towards the users. For decades now, Windows products, in great majority of their incarnations, are perhaps quite 'dummy user friendly' but certainly not very 'power user friendly' - your average MSWin doesn't give you all that many choices and options - especially compared to AppleOSes, 'Nixes etc. MS wanted an OS that can be deployed out of box by a 12 year old, and that's what we got. What's vastly amusing in the whole idea is that a) MS then tries to market 12-y-o-safe OS as 'Professional' and b) MS doesn't even try to set up tiered configuration sets which would allow the user to either configure their OS on a level of 12-y-o by choosing wallpapers, mouse pointers and event sounds, or on a level of a computer-savvy professional who, for reasons of his own, might or might not need raw sockets. The whole incident is not completely without resemblance to (fictional) situation where Home Depot takes saws and carpet knives out of their inventory because customers might injure themselves while using those tools.

Raw sockets... (0)

Anonymous Coward | more than 8 years ago | (#12371429)

All our sockets are going to feel a bit raw after MS gets done with 'em...

Problem sending feedback (0)

Anonymous Coward | more than 8 years ago | (#12371448)

"the company claimed it had received little negative feedback on the issue."
Subject: Delivery Status Notification (Failure)
Date: Tue, 28 Apr 2005 11:52:05 -0700 (PDT)

Failed sending message. Unable to connect... to anything

----- Original message -----

Subject: You bastards. You screwed my TCP/IP stack!
Mime-Version: 1.0
Content-Type: text/plain

MS Windows Server 2003 also has buggy TCP/IP (5, Interesting)

spadadot (879731) | more than 8 years ago | (#12371479)

I wrote an article about a very serious problem related to Windows Server 2003 TCP/IP.

Here's a quote : "Trying to set up a Windows Media streaming server to stream high-quality videos, I came across what I can now call a TCP/IP bug in Windows Server 2003 (Standard Edition). In some (not unusual) situations, the server simply cannot use all available bandwidth between itself and the client.
[...]
Eventually, I came to accept the idea that Windows Server 2003, an OS designed for server tasks, is not able to fill a 2Mbit/s ADSL connection. Yes I know it sounds incredible but I've been looking without success for another conclusion for the past 3 months."

Read the full technical explanation and see what Microsoft has to say about it : Microsoft Windows Server 2003 Buggy TCP/IP ? [dariospagnolo.org]

If this is the solution.. (1)

TheNinjaroach (878876) | more than 8 years ago | (#12371499)

I have a big problem with this solution. They shut off these features that have good and legitimate use - but if somebody were to really spend the time they could get around it. So now all we're doing is asking for the virus writers of the world to buckle down and make better code. We didn't really secure the OS against DOS attacks because we limited the functionality to create them - but now that somebody hacked the OS at a lower level we have bigger problems than ever. Keep applying those bandaids!