Microsoft States Full TCP/IP Too Dangerous 575
daria42 writes "To fully implement the TCP/IP protocol in Windows XP would make creating denial of service attacks 'entirely too trivial', Microsoft has claimed. The company was responding to claims by Nmap author and well-known security expert Fyodor that by repeatedly disabling the ability to send TCP/IP packets via the 'raw sockets' avenue, Microsoft was asking the security community to 'pick their poison': either cripple their operating system or leave it open to hackers. Admitting that a recent security patch had intentionally disabled a community-developed workaround to Microsoft's TCP/IP changes - which were first implemented in Windows XP Service Pack 2 - the company claimed it had received little negative feedback on the issue."
News Flash: Butter is good on toast! (Score:3, Interesting)
From the Article:
Interesting that M$ sees fit to lecture us on the dangers of raw sockets now, given their prior stand on the issue. [grc.com]
Re:News Flash: Butter is good on toast! (Score:5, Insightful)
Re:News Flash: Butter is good on toast! (Score:3, Insightful)
What they should have done is make raw socket restrictions mandatory on Windows XP home and below (Media Center, Reduced Media and Starter edition) and allowed Windows XP professional and above to at least be able to run with full raw sockets if you turn on a setting in TCP/IP settings.
They have this new Security center thing running all the time warning you about your antivirus and firewall changes. It would ha
Re:News Flash: Butter is good on toast! (Score:3, Insightful)
Re:News Flash: Butter is good on toast! (Score:3, Interesting)
For example, you can make it an addon in "Add/remove Programs" like they do with UPNP. that way, in most cases you would need to put the Windows XP CD into the machine in order to install open Raw Sockets.
Yes the malware could include the files to install Unrestriced Raw sockets, but if the files to enable Raw Sockets are protected and restriced correctly it would be dfficult for any program other than Windows to modify them.
Steve "Ahab" Gibson (Score:3, Informative)
Dissecting Steve Gibson GRC DoS Page [grcsucks.com]
Raw Sockets are not a Security Risk [grcsucks.com]
Bloody, I know about too many old flamewars.
Re:Steve "Ahab" Gibson (Score:4, Insightful)
Funny...if Steve's views were so discredited, why does M$ agree with him now?
Re:Steve "Ahab" Gibson (Score:3, Funny)
"M$ agree[s] with him now" = egg
Re:Steve "Ahab" Gibson (Score:4, Interesting)
The real solution to the problem isn't breaking networking functionality depending on if you bought the cheap or expensive version of the OS.
The real solution would be to restrict raw sockets to require Administrator/root privileges, and make it harder for the averages Outlook attachment to get root privileges.
Microsoft, on the other hand, sees this as an excuse to not fix Outlook and Internet Explorer, and instead sell more of the expensive version.
Baby, meet bathwater. (Score:5, Informative)
This is because XP is not designed right, not because the TCP/IP protocol is wrong. (just to be clear)
The quote [seclists.org] from Fyodor is:
"Pick your poison: Install MS05-019 and cripple your OS, or ignore the hotfix and remain vulnerable to remote code execution and DoS."
It's like... we just... can't... win.
Fyodor goes on to say...
"Nmap has not supported dialup nor any other non-ethernet connections
on Windows since this silly limitation was added. The new TCP
connection limit also substantially degrades connect() scan. Nmap
users should avoid thinking that all platforms are supported equally.
If you have any choice, run Nmap on Linux, Mac OS X, Open/FreeBSD, or
Solaris rather than Windows. Nmap will run faster and more reliably.
Or you can try convincing MS to fix their TCP stack. Good luck with
that."
The answer, my friend, is to drop Microsoft.
Baby, meet bathwater.
Re:Baby, meet bathwater. (Score:5, Interesting)
The same can be said for any access to hardware that could be considered unnecessary for typical applications or 'harmful' to the hardware (harmful in the sense that it is 'harmful' to the network and your connection).
I think what MS has done is quite acceptable, given the number of trojans uot there that are DoS'ing and spamming like crazy. Trojans that are on the systems often because of user stupidity rather than an insecure OS. As long as it is possible to actually write such a 'driver' (I think there is a different name for it, but I can't remmeber).
Re:Baby, meet bathwater. (Score:3)
Mind you, I'm not talking about our 3Mb link to the internet. I'm talking about our 100Mb switch in the basement.
Whatever Microsoft thinks they are doing, it isn't helping in the areas that count.
Re:Baby, meet bathwater. (Score:3, Interesting)
Re:Baby, meet bathwater. (Score:5, Informative)
Quoted from there is basically. If you want to use hand-crafted TCP/UDP packets over a raw IP connection, you must enable the Internet Connection Firewall.
At least, this is for SP1, I don't know if you can get away with this in SP2.
Re:Baby, meet bathwater. (Score:4, Interesting)
I was about to reply pointing out that you had obviously meant to say, "disable the Firewall".
Then I read the Knowledgebase article.
God, that's retarded. The firewall doesn't do jack shit to block outgoing traffic anyway. Why the hell should it be safer to allow raw sockets when it's on?
Re:Baby, meet bathwater. (Score:3, Insightful)
Which, if you are right, is what the DDoS malware will now start to do.
Justin.
Hammer, meet nail. (Score:4, Funny)
You nailed it.
Microsoft is clearly trying to shift the blame from their dain-bramaged design to TCP/IP. How many other operating systems are there that do (more or less) fully implement TCP/IP, including raw sockets? It's almost universal.
Oh well. I guess Microsoft knows the neighborhood is safer with a crippled lunatic than healthy one.
Re:Hammer, meet nail. (Score:5, Interesting)
The brain damaged part has nothing to do with TCP/IP, because their implementation has nothing to do with security.
Seriously? You really think it's their brain damaged TCP/IP implementation that's at fault? Think again. It may be bad, but giving every program access to raw sockets is a bit silly considering how easy it is to get programs into Windows. But this is a good move, a better one would to have been to make it so it's not as simple to get untrusted programs running in Windows but I digress.
Re:Hammer, meet nail. (Score:4, Interesting)
Microsoft is trying to blame the design of TCP/IP instead of the design of Windows. Everybody else makes it work; why can't they?
Re:Baby, meet bathwater. (Score:5, Insightful)
While this is correct, providing such justification would be like providing justification for a claim that Pintos weren't designed right and had a tendency to blow up.
There might be some who have missed that, but it's still common knowledge that doesn't bear repeating every damned time the issue comes up. I suppose we could all attach standard disclaimer files to all of our posts, but they would take up two or three library of congresses to only cover the most common of the bases.
Follow one of the links provided in subsequent posts to Steve "Foaming at the Mouth" Gibson's site to get a rundown on the issues. Note that Steve will cheer this move by MS because flaws in the OS design make it necessary.
The core issue being that XP Home Edition runs apps in administrator mode, giving all apps, like a trojan, full access to raw sockets. Most home users that use Pro are still silly enough to run in admin mode as well. But hey, at least it's hardened against trojans, eh?
Easy to infect with malicious code, malicious code runs with full privileges. That's bad design.
. .
A patch to restore what a patch took out. That alone should clue you in that something braindead is going on.
Please note that only "desktop" versions of XP are affected, so all you have to do is buy a server product from MS.
Or install BSD for free.
KFG
Re:Baby, meet bathwater. (Score:3, Interesting)
Re:Baby, meet bathwater. (Score:5, Insightful)
Which could be all but eliminated if ISPs would implement access lists in their routers to drop packets with source addresses other than those assigned to the downstream networks.
Problem solved without relying on OS vendors or end users to implement anything at all.
Re:Baby, meet bathwater. tsarkon reports (Score:3, Interesting)
Because it doesn't really help them except for helping them be a good Internet member.
When you set up proper egress filtering on your network, you make it harder for your network to be used to attack other networks -- at the very least, they can't forge their addresses to appear to come from other ISPs anymore. But it doesn't make your network any less vulnerable to attacks.
Yes, everybody should do it. But since there's no real benefit to doing it beyond
Ulterior motives (Score:5, Interesting)
Of course, there's always the possibility of ignorance...
Never attribute to malice that which is adequately explained by
stupidity.
but I really have to doubt that Microsoft is quite this dumb. They've got a lot of really tallented people working there so you have to think that someone would have thought about this. Then again, they have demonstrated a supreme lack of understanding when it comes to security so who knows.
Re:Ulterior motives (Score:5, Interesting)
Actually, I think we're seeing the maturation of a "corral the wagons" paranoia in Microsoft's culture. Lacking the ability to push any serious innovation internally (let's be serious, most of Microsoft's innovations during the past 20 years were brought in through acquisitions or copycat development ala VMS for NT, liberal borrowing from OS/2, Apple and Mach, etc). Now that antitrust severely limits acquisition growth, Microsoft is facing the same threat that broke Worldcom. Unable to make significant acquisitions, unable to meet growth internally, and now unable to cook the books like Worldcom, Microsoft's certain to get very defensive as the pressures heat up.
I thought I saw the beginnings of this phenomenon in 1998 at the IPv6 summit, where Microsoft's techs at the conference were explaining their implementation at first with great pride, only to be somewhat ashamed at how much they hadn't followed the specification very well, had numerous bugs and compatibility issues, and were clearly well behind everyone else. Nearly every other operating system had a much more mature implementation. (How long did that IPv6 stack remain a beta too?)
Amazingly, Microsoft is now attempting to patent IPv6 [zdnet.com] through a copy-cat specification (as was discussed on slashdot [slashdot.org]). Somehow it's not amusing when the kid who was not very successful in his participation in the group assignment decides to take exclusive credit for the group's effort.
So now Microsoft is blaming IPv4's engineering (when just like IPv6, everyone else seemed to understand and master the assignment EXCEPT Microsoft)?
As a teacher of mine once said to perpetual underachievers in class: Perhaps you might consider a career in food service instead?
Re:Ulterior motives (Score:3, Insightful)
Some people are too arrogant for words. People learn differently and are motivated by different things. That teacher has clearly not studied learning in any meaningful way.
Re:Ulterior motives (Score:3, Insightful)
Everyone has limitations, but it's not for the teacher to judge who has them and who doesn't, because he can't. That fucker should be fired, if not put in jail. I wonder how many kids he screwed up with his smack down comments.
I also wonder how many kids would have done well with a more positive teacher, but now think they
Re:Ulterior motives (Score:5, Informative)
Gibson points out that other operating systems do this, while Windows doesn't. The problem lies there, not in the inclusion of raw sockets API.
Re:Ulterior motives (Score:5, Insightful)
Re:Ulterior motives (Score:3, Insightful)
THIS is the problem that needs to be solved. Otherwise you are treating the symptoms and not the disease.
Maybe a desktop OS for the masses *should* be crippled in some ways, to protect people from themselves
Or maybe users shouldn't be given admin access by default. That way you can restrict the user without crippling the operating system. OS X does this. Users are by default are put
Re:Ulterior motives (Score:3, Insightful)
That won't fly in homespace. It won't even walk. It'll work in the workplace and nowhere else.
Home users ARE their own admins, and they need to be able to install software, develop programs, and do other "insecure activities" as a matter of course.
The best you can do for a home operati
Re:Ulterior motives (Score:3, Insightful)
I refuse to believe that it is difficult or impossible to write an app for MS OSs that does not require the app to be run as admin. This is more often than not the fault of application programmers who are too damn lazy to write user specific data to the user's home directory instead of to either the system or the app's installation directory thus requiring
Re:Ulterior motives (Score:3, Insightful)
The only problem to that argument is that a good number of people who bother to create separate accounts apart from administrator don't bother to (at least in the xp pro version I use) unclick the checkbox that by default gives them administrator privileges.
If microsoft did do this AND changed their security policy so additional users by DEFAULT DON'T have administrator rights, it would ce
Correct URL (Score:4, Insightful)
For the truth about Mr Gibson, look here [grcsucks.com]
Re:Ulterior motives (Score:3, Insightful)
You can make any system insecure if you are dumb enough. Put a Linux box on the net running every servers known to man, no firewall, and the root password set to root. It will be owned in a second.
The trick is to make the defaults safe. So put in an option.
Of course the problem is that most windows users run as admin so IF a malware program is run it will have the ability to change it
A wise decision (Score:5, Insightful)
No, Microsoft... none of those support raw sockets. Oh, wait... they all do. The problem is not raw sockets, the problem are the holes in the OS in the first place. If your OS doesn't run services that can be hacked, or if the applications don't allow to execute untrusted code there is no problem. Avoiding raw sockets is treating the symptoms, not the cause.
Re:A wise decision (Score:5, Informative)
Re:A wise decision (Score:5, Informative)
runas
How do you add printers to the machine without logging out the user?
runas
Click View, Explorer Bar, go to printers control panel, add printer...
Yes, you're right, there are some things you still can't do using runas, but not many. Be creative.
Re:A wise decision (Score:5, Interesting)
What I really need, is a firefox theme that looks like IE, and a desktop theme that looks like XP. She'd never know the difference. (and when wine fails to run the dumb shareware games she tries to install, I'd be like "They must not have programmed them very well, I can't make them work!".)
Re:A wise decision (Score:5, Funny)
So you run internet explorer to add a printer. And I thought adding a printer to OS/2 was unintuitive...
Re:A wise decision (Score:3, Insightful)
I can write a unix installer that requires root but will fail if your uid 0 isn't named root, or you merely used su instead of "su -". I've even *seen* installers that do idiotic things like if [ `w
Ha! (Score:2)
Sounds like a fair trade to me! [/sarcasm]
Re:Ha! (Score:5, Insightful)
Ordinary users on Unix are subject to even worse limitations (which is, in fact, why ping among other utilities runs setuid root).
Has anyone found that this makes Unix unusable for them? For that matter, outside of DDoS, connection hijacking, and abusing smtp servers to cover your tracks when spamming, is there ever any need for an application programmer to falsify a source address? Doing so means you won't get a reply from whatever you're trying to do.
All that said, I imagine if MS actually put some effort into fixing the security issues with their flagship product in the first place, so it didn't get hacked (hint: disable activex by default, along with integrated vb scripting in outlook), then there'd be no hacked machines to be used in attacks.
Re:Ha! (Score:3, Insightful)
Recap, almost all Win users run as Admin. Mostly because that is the default, everything they use works, and some things that shouldn't require admin privledges do.
Microsoft's solution then is to cripple Admin so that "bad things" can't be done in that mode.
This will inevitably lead to Admin on Win being reduced to an equivalent of user mode in *nix. Eventually we will see a new Super Admin that can be entered to do the things that MS takes away from Admin. As long as we can keep developers from wri
They picked C (Score:5, Funny)
In Redmond, this is what they call a win win.
Re:They picked C (Score:3, Funny)
Core Routers (Score:4, Funny)
Scary thing is, from what I've been reading Oracle will go along with this. And they can tell the future!!
Re:Core Routers (Score:3, Funny)
OMGWTFBBQ you noob! You forgot Al Gore's node.
Maybe Microsoft wants to (Score:2, Funny)
Microsoft's Real Plans (Score:4, Funny)
But of course, being Microsoft, you're probably right. They'll make their own implementation of the evil bit, patent it, and charge royalties to others who want to support their new "EDDP" protocol (Evil Data Detection Protocol).
Not to mention that IIS, Exchange, IE, and Outlook will grow to require use of EDDP during transfers of data, locking Mozilla, Apple, Linux, and others from accessing much of the internet.
Finally, John C. Dvorak [dvorak.org] will boldly claim that EDDP is the wave of the future, and Apple, Linux, and Mozilla are clearly inferior for not supporting what is clearly a web standard, because if Microsoft says it is, it MUST be.
Going back on their word (Score:2, Interesting)
Re:Going back on their word (Score:5, Insightful)
He then proposes a secure ID system. Gee. Maybe if every connection to the network had a unique 32-bit number that could be traced somehow? Maybe there could be a world-wide database connecting names and administrative information to these numbers? If only that were possible. Thanks, Bob.
Responding to Steve Gibson (Score:5, Interesting)
Re:Responding to Steve Gibson (Score:3, Interesting)
And he is wrong.
To be clear: The security problem is that the net routs any
packets it can, and some TCP/IP stacks will choke upon
*receiving* (a flood of) bad packets. Trying to make it
difficult to *send* those packets from Windows is essentially
useless.
Removing raw socket support from an operation system is a
trivial, bogus attempt to hide the problem without fixing it. A
root-compromised system can send raw packets no matter what the
vendor implements.
There are two reasonable places at which to resist thes
Re:Responding to Steve Gibson (Score:4, Informative)
I remember... (Score:3, Informative)
raw sockets+MS?! (Score:3, Interesting)
if you are mucking with protocols by using raw sockets, are you really going to be coding it on a windows platform? i can imagine a worm or trojan doing it perhaps - in a ddos scenario - but since when has raw sockets become the red-headed stepchild implicated in this?
Re:raw sockets+MS?! (Score:2, Insightful)
My TCP/IP (Score:5, Funny)
Maybe Microsoft is right. Protocols are dangerous.
Wouldn't it be safer if we all just had a My TCP/IP folder?
Re:My TCP/IP (Score:5, Funny)
Privileges anyone? (Score:5, Insightful)
It's because so many people are used to doing this by default, and so many third party apps demand Admin privileges, that Windows security is a nightmare.
There's more to the Windows security picture of course (insecure services as well) but you can prevent so many problems just by avoiding that Admin account. It's quite normal to have raw sockets via root/Administrator privileges. The problem is that all windows users (and any software they download) are Admins.
Re:Privileges anyone? (Score:3, Insightful)
It's because so many people are used to doing this by default, and so many third party apps demand Admin privileges, that Windows security is a nightmare. ...,
I find the problem to be the insidious architecture of XP specifically the lack of clear demarcation between a priveleged user and an admin. I consult in both unix and Windows worlds for a living, so I'm on a Windows box a lot! (way more than I like) And I pretty much al
Re:Privileges anyone? (Score:3, Informative)
Power Users is kinda in the middle. I guess the idea is that you can assign permissions and privileges to users as needed.
Re:Privileges anyone? (Score:4, Insightful)
FMEA (Score:5, Interesting)
Not disabled in Windows Server (Score:2, Interesting)
Under Windows 2003, programs with admin privleges can use Raw sockets.
Another note from Bill Gates (Score:4, Funny)
So when... (Score:5, Interesting)
Try it yourself - see if you can receive more than 8K in a recv() call in Windows XP SP2. You can't.
If you do the same on Linux or OS X, you can. On Windows XP SP1, you can.
Thanks, Microsoft.
Re:So when... (Score:5, Insightful)
Re:So when... (Score:5, Informative)
Every OS has a size for those buffers, you have just discovered the XPSP2 size, congratulations.
Every other OS has a limit on that buffer, and I guess for every OS it is configurable in some way (in Windows there is some remote key in the registry).
Re:So when... (Score:3, Informative)
With Windows sockets, it is imperative to look at the error returned by send() if it fails. If the error is WSAENOBUFS, then it means that the packet you are trying to send is too large and must therefore be reduced. It is possible that the Java implementation doesn't do this.
Here is a snippet of code that is NECESSARY to be able to transfer data reliably on Windows. Please note that while just a single send() will work most of the time, there is no garantee that it will. Try, for example, sending
Re:So when... (Score:3, Insightful)
You are correct. The default window size, btw, is 32K, if memory serves me correctly. Grandparent is a troll.
this wont make a bit of difference... (Score:3, Interesting)
I agree... (Score:3, Insightful)
Replacement (Score:5, Interesting)
From it:
Food for thought.The Metro of netoworking protocols (Score:5, Interesting)
Abandon the industry standard for VMs (Java) and roll your own (.Net).
Abandon the industry standard for portable documents (PDF) and roll your own (Metro).
Abandon the industry standard for networking (TCP/IP) and roll your own (???).
Each sounds more improbable than the last. Yet the first one has happened, the second is going to happen, and thus the third seems much less improbable than it would have otherwise.
I Can't Believe It... (Score:5, Funny)
As an aside, I think I'm going to take the rest of the day off, agreeing with Microsoft is mentally jarring. It has to make you question existence just a little and also make you a touch ill.
Microsoft is making it easy... (Score:2)
Comment removed (Score:5, Insightful)
Comment removed (Score:5, Insightful)
Translation (Score:3, Funny)
Not that this will solve anything, no raw sockets? I don't need no raw sockets, I have 48 billion bogus dns lookups!
Consider the Source (Score:3, Insightful)
To quote Ted Kennedy, "Hello? Hello?!!"
Some days, life is just a little too weird to take.
MS Windows Server 2003 also has buggy TCP/IP (Score:5, Interesting)
I wrote an article about a very serious problem related to Windows Server 2003 TCP/IP.
Here's a quote : "Trying to set up a Windows Media streaming server to stream high-quality videos, I came across what I can now call a TCP/IP bug in Windows Server 2003 (Standard Edition). In some (not unusual) situations, the server simply cannot use all available bandwidth between itself and the client.
[...]
Eventually, I came to accept the idea that Windows Server 2003, an OS designed for server tasks, is not able to fill a 2Mbit/s ADSL connection. Yes I know it sounds incredible but I've been looking without success for another conclusion for the past 3 months."
Read the full technical explanation and see what Microsoft has to say about it : Microsoft Windows Server 2003 Buggy TCP/IP ? [dariospagnolo.org]
Bad Logic (Score:3, Interesting)
People who are saying the "average" user doesn't "need" raw sockets while saying that the hacker who does will use another OS ANYWAY are obviously missing the point.
Why bother disabling something that's part of a standard when it will have no effect on either the average user or the hacker?
MS is saying here that if the "average" user had raw sockets, they could program DoS code? I don't think that's gonna happen.
All disabling sockets has done is inconvenience nmap users - who just happen to be sys admins running security scans on their networks from their workstations.
Maybe MS doesn't want them to be able to run nmap? Like maybe they might find out how insecure their systems are?
responding to an A.C... (Score:3, Interesting)
Sure. Average home users do nothing but write their own protocols using raw sockets.
If i suggested or said that nobody has a use for raw sockets, i misspoke or you misunderstood. The _average_ user only suffers from raw socket support, because it makes thier machine a more desirable target for 0wnage.
for the people that legimately need raw sockets, they're smart enough to figure out how to get them.
"we don't want to
really? (Score:3, Informative)
In any case, it's funny that you chose linux - arguably the least secure of the modern unixes. I'd have entertained a suggestion of Theo, but he'd fail because im sure his approach would be "the requirements don't ma
Something is wrong, alright (Score:5, Interesting)
The difference with the Unix-like systems is that ordinary users don't get to poke about with dangerous stuff.
The real point is that Windows software has for too long depended on the assumption that the user has full unfettered access to every resource on the computer -- an assumption which had to cease to be true when Windows became network-aware, because in a networked environment some things are properly restricted. Yet for the best part of ten years, Windows continued to run without privilege separation; and application programmers took advantage of that, creating code which turned out to be fundamentally broken.
Face it, the bathwater is minging and the baby is dead -- there is nothing worth saving in the whole sorry mess. Whether bad water killed the baby, the dead baby made the water worse, or the two are unconnected, isn't really important right now. What is important is to get rid of them both, scrub out the bathtub and start again.
Of course, if you're going to switch to a new version of Windows -- which would have to be totally incompatible with all that sloppily-written software needing root access for no good reason -- then that would be about as big a change as switching to some other operating system. That must worry Microsoft
Re:Something is wrong, alright (Score:3, Funny)
Windows was never a bathtub - it was a sewer.
Security is an Illusion (and a bolt-on hack) (Score:3, Interesting)
MS is just temporarily making exploiting a machine harder, but it will ultimately be futile and lead to even more nefarious and hostile virus/worm/spyware applications. This is a bandaid at best.
Windows is architected so poorly from a security standpoint, that it's probably time to just start over. Security in Windows has always been a "bolt-on" hack. And just remember, no matter what you do, Security is an Illusion.
Is it time for developers at SlashDot provide an interface similar to GMAIL so that I don't have to put HTML tags in my comments?
Oh my god, this has been debated since 2000 (Score:5, Informative)
There is a short audio file from Rob Rosenberg from where he repeadingly laughs at his claims.
By the way, wasn't Gibsons site defaced today by Fluffy Bunny?
http://www.farook.org/arc20010701.htm [farook.org]
http://www.vmyths.com/rant.cfm?id=335&page=4 [vmyths.com]
http://www.theregister.co.uk/2001/06/12/security_
and so on. Is there anything new that has happened in the last 4 years?
The problem lies somewhere else (Score:4, Interesting)
Pushing more people towards Linux (Score:5, Interesting)
Their response is: buy Windows Server 2003 if you want raw sockets. We asked them if there was any guarantee that they would not break the raw sockets feature in 2003, and they would not give us that guarantee. Besides, Windows Server 2003 ships with a lot of stuff we would have to disable to make the box even remotely secure.
Our CEO even registered a complaint with Microsoft, saying "We pay to use your software and you are hurting our business and hurting our customers and costing us money with this change. And you have heard our complaints and you are ignoring them." Microsoft responded that they would pass our criticism up the chain, and that's the last we heard.
That's why it irritates me to read in the article that Microsoft has had "little negative feedback" on this issue. I'm sure we're not the only paying customer of Microsoft that has been affected. And they are not telling the truth when they say that "the only thing affected by this change is fingerprinting software": port scanning is affected too.
So we have started recommending that our customers use the Linux version of our product. Now Microsoft is losing hundreds of thousands of dollars of revenue per quarter just from our company.
If the virus gets into the kernel... (Score:3, Funny)
Yeh, that's why the majority of people doing this use an widely available rootkit or equivalent to do it for them.
and that if malware did make it into the kernel of a Windows machine, the user would have more serious concerns than just SYN attacks launched from their machines.
"If malware can execute code on a Windows machine, the user has more serious concerns than just SYN attacks launched from their machines. That's why Windows doesn't bother trying to close local exploits."
Re:If the virus gets into the kernel... (Score:3, Insightful)
Yeh, that's why the majority of people doing this use an widely available rootkit or equivalent to do it for them.
Exactly. All it takes is one person to do it. Once the cat is out of the bag, malware authors can just all copy that one.
It might not even be a black hat that does it. It wouldn't surprise me if the open source pcap driver for windows could be used to sen
Windows is much more secure (Score:3, Funny)
Lack of negative feedback != no problems (Score:5, Insightful)
In other news, a noted chemical manufacturer was found to have been dumping toxic waste products into a nearby water supply for years. In their defense, company spokesmen claims they had received little negative on the issue.
Local police have been caught on camera beating up suspected felons. When cornered on the issue, they responded by saying that there had been little negative feedback on the issue -- at least, from anyone who mattered.
In a press conference today, Bush defended his administration's handling of the war on terrorism by saying that they had little negative feedback on the issue. (Possibly because they had suppressed their own report on the issue; outside sources indicate that terrorist activity around the world is four times worse than in the previous year.)
There, three possible responses to the negative feedback defense. Pick your favorite, I need a drink after this.
so, put an ACL on it? (Score:3, Funny)
I mean, on other occasions you hear them blather about Windows' totally stellar, fine-grained security architecture, and now they want to prevent Joe Average user from accidentally using raw sockets by, uh, removing the feature altogether?
Re:So now (Score:4, Insightful)
Microsoft is not deciding what you can do on your computer. They are deciding what you can do with a product they sell. It's a free market - if their product doesn't do what you want, buy (or download for free in many cases) a product that does.
Re:MS innovates counter arguments shock!! (Score:3, Informative)
It's also not "vastly more complicated", it's a different interface and *gasp* requires correct code to not blue screen.
Re:For a bunch of you who dismiss MS as crap (Score:3, Insightful)
Microsoft has a monopoloy in a lot of different areas, so regardless of whether or not a Slashdot reader personally uses their software it still permeates everyday computer life - like it or not. If someone does have strong feelings against the software giant then they would be guilty of complacency for not following it's actions.
I do