Security

TCP/IP Sequence Number Analysis 229

johnwbyrd writes "Upon connection via TCP/IP to a host, the host generates an Initial Sequence Number (ISN). It's important to design ISN generation sequences so remote attackers can't predict an ISN (this is called a "blind spoofing" attack). Using phase space analysis you can check the quality of ISNs generated on various OSes. Windows 98's graph is quite pretty."
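The delayed-coordinate phase-space mapping the submission refers to, as an added example that is not from the linked article or the poster: consecutive ISN deltas become (x, y, z) points, and the fraction of distinct points is used as a crude structure score. `counter_isns`, `random_isns` and `structure_ratio` are hypothetical names, and both generators are constructed for illustration.

```python
import random

MOD = 1 << 32  # ISNs are 32-bit, so deltas wrap modulo 2^32


def phase_space_points(isns):
    """Map observed ISNs s[0..n] to delayed-coordinate points.

    Each point is (x, y, z) = (s[n-2]-s[n-3], s[n-1]-s[n-2], s[n]-s[n-1]),
    i.e. three consecutive deltas, as in the phase-space method described
    in the story. Needs at least four samples to produce one point.
    """
    deltas = [(isns[i] - isns[i - 1]) % MOD for i in range(1, len(isns))]
    return [tuple(deltas[i - 2:i + 1]) for i in range(2, len(deltas))]


def structure_ratio(isns):
    """Fraction of phase-space points that are distinct.

    Close to 1.0: deltas do not repeat, no obvious attractor.
    Close to 0.0: the same few points recur, a tight, degenerate attractor
    (the shape a fixed-increment generator produces).
    """
    pts = phase_space_points(isns)
    if not pts:
        raise ValueError("need at least four ISN samples")
    return len(set(pts)) / len(pts)


def counter_isns(n, start=1000, step=64000):
    """Constructed toy generator: fixed increment per connection."""
    return [(start + i * step) % MOD for i in range(n)]


def random_isns(n, seed=7):
    """Constructed toy generator: a fresh 32-bit random ISN per connection
    (fixed seed only so the example is reproducible)."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


if __name__ == "__main__":
    for name, gen in (("fixed-step", counter_isns), ("random", random_isns)):
        print(f"{name:10s} distinct-point ratio = {structure_ratio(gen(1000)):.3f}")
```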
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Sunday June 30, 2002 @11:13AM (#3795554)
    Comment removed based on user account deletion
  • That's strange (Score:2, Insightful)

    by gazbo ( 517111 ) on Sunday June 30, 2002 @11:14AM (#3795563)
    When I read it they appear to have published the results to more recent Windows versions as well. You know, the more up to date NT versions, and 2k.

    I wonder how it came to be that you didn't publish the only meaningful indications of Microsoft's security? Oh, I know. It's because they are about 1/6th as bad as the outdated versions you impartially decided to cite.

  • Re:Hmm. (Score:3, Insightful)

    by GigsVT ( 208848 ) on Sunday June 30, 2002 @11:36AM (#3795656) Journal
    echo r00t::0:0:0wned:/root:/bin/bash fits in one packet.

    Food for thought.
  • The BSD's (Score:3, Insightful)

    by Foxman98 ( 37487 ) on Sunday June 30, 2002 @11:47AM (#3795693) Homepage
    I'll be the first to admit that some of that article was a little beyond me at this time. However, for anyone running a server, it would seem that OpenBSD still is the best choice for anything on the 'net. OpenBSD had the best TCP/IP random number generation (recently re-written). It has also been developed with security in mind. After about 4 years of linux experience it took me an hour to get an openbsd machine running, natting, and pf'ing. It was really that simple - as long as you have the experience. Want httpd installed? "make install" in the ports directory.

    What really surprised me in this article is that some of the commercial unices were so poor in their implementation. Solaris was only secured after tweaking, Mac OS X, while not 100% attackable, still wasn't much better. Same for IRIX and AIX. I didn't notice version numbers however, does anyone know if the state has changed for newer versions of IRIX? It was also disappointing that the 2.2 series kernel was used - have things changed in 2.4? If not, is there work being done in 2.5/6 ?

    And if anyone has ANY insight as to why Windows 98 is much worse than Windows 95 I'd love to hear it.
  • Re:Hit them. Hard. (Score:3, Insightful)

    by Anonymous Coward on Sunday June 30, 2002 @12:32PM (#3795899)
    Look, I browsed through the article, but not enough to quibble over the mathematical definition of attractors. I don't know enough about attractors to quibble even if I did.

    But I am a statistician, and about the "vague pseudomathematical babble":

    Sometimes, when you're presenting stuff to nonspecialists, you need to be a little more vague and pseudomathematical for people to understand. Sometimes it's more important for 100% of the people to get a 80% valid understanding of something than 20% to get a 100% valid understanding. I think it's more accurate in this regard to describe many vague mathematical generalizations as "quasimathematical".

    Just being a little vague is ok or even necessary sometimes. The problem with always using "well-agreed mathematical definitions" is that not everybody understands them. There are, however, some who might understand the gist of the argument, and sometimes it's more important to get that across.

    Maybe you're of the opinion that we shouldn't explain math to people who don't understand every bit of it known to mankind. I don't believe, though, that people who try to make math a bit more accessible should be "hit hard". On the contrary--they should be encouraged. People pursue things, after all, because they're interested in it, and often, we're interested in the things that are novel to us.

    Again, I don't really know enough about it. Maybe this guy was completely incorrect. But quasimathematical babble isn't always bad.
  • by FreeUser ( 11483 ) on Sunday June 30, 2002 @12:55PM (#3795990)
    I wonder how it came to be that you didn't publish the only meaningful indications of Microsoft's security? Oh, I know. It's because they are about 1/6th as bad as the outdated versions you impartially decided to cite.

    That may be, but probably isn't, true.

    If you read the article carefully you'll notice that the versions of *BSD and the Linux kernel (2.2.x) are also outdated. This isn't some nefarious plot to diss Microsoft (hell, that isn't all that hard to do with cold, hard, factual data in the first place, so there is no need for anyone to cook the data, least of all this study), it is a result of the fact that research and study take time.

    I'm sure if the author had looked at Linux 2.4.x and current versions of the BSDs the results would have been significantly better (Mac OS X as well, being a BSD derivative).

    As for whether or not the various Windows versions would have been better, that is an assumption we really cannot make. Not for any prejudicial reasons, but because historically they generally haven't always improved, and indeed on at least one occasion (95->98) got considerably worse. We can hope that the security of Windows 2k has improved since then, but there is no real historical precedent to support that hope, in contrast with most other competitors' products including the BSDs and Linux products cited here.

    The comparison was fair: it was a snapshot of the state of the art taken a couple of years ago, then studied and analyzed in detail over those past two years. This is how every study that bases itself on factual research works, as opposed to corporate marketing drivel purchased to look like research, as has come from the Microsoft camp on numerous occasions in the last couple of years, and has in every case been thoroughly, and utterly obliterated in public rebuttal.
  • by FreeUser ( 11483 ) on Sunday June 30, 2002 @01:12PM (#3796040)
    The thing I don't understand is... why do people continue to compare nowadays linux (or IRIX, Solaris, *BSD) etc... to things like Win98, which is _over 4 years_ old by now

    The data that was studied for the last two or three years was collected prior to the study commencing, i.e. at least two or three years ago. If you'd bothered to read the paper, you would have noticed that the versions of *BSD and Linux being compared are equally as old (kernel 2.2.x of Linux, for example).

    When you conduct a scientific study (not to be confused with the marketing drivel often sold as science and frequently purchased by the likes of Microsoft, and just as frequently disgraced and utterly rebutted a few days later by the scientific community) you collect the data, then you analyze the data and draw conclusions from that data. All of that takes time, so any rigorous study conducted is going to be working with data collected at some time in the past.

    [opinion]
    I'm sure a study will come out showing the appalling weaknesses of Windows XP, but such a study will likely be reviled by Microsoft enthusiasts because, by the time the rigorous work is done, there will be some newer, even more invasive and buggy release of Windows out. That will not, however, make the study any less valid or accurate, any more than it would the study conducted here.
    [/opinion]
  • Well, I agree to a large extent. But ISN attacks are not really all that common (though from a DoD perspective, they REALLY need to be prevented).

    Of course, in general, SSL should prevent these sorts of attacks because the incoming payload would be expected to be encrypted and so it would be non-trivial to input packets into the stream and have them do anything other than DoS. Still a problem but not as much as other issues.

    Again, I see this as an issue where competent attackers may be heavily targeting a given system, but it is unlikely to be used by the casual crowd. So the Win 95 and 98 crowd should be relatively safe, while the DoD NEEDS additional protection. Corporate infrastructures are in the middle, and it is probably a good idea to protect them against this sort of attack.

    However, it is also a pretty serious refutation of "open source is insecure."
  • by Inoshiro ( 71693 ) on Sunday June 30, 2002 @03:09PM (#3796441) Homepage
    "OpenBSD had the best TCP/IP random number generation (recently re-written)."

    Didn't you question anything when they said 2.2.1x, or OpenBSD 2.8 was "recent"? No? OpenBSD 3.1 is the most recently released one. They've had this for quite a few releases now (didn't you also notice that OpenSSH's default root problem affected OpenBSD 2.9-3.1?). They also had *no* data for Linux 2.4, or Windows XP.

    Don't believe me? Scroll down to the bottom of the page where it mentions it was last updated in April 2001.
  • by markmoss ( 301064 ) on Sunday June 30, 2002 @03:24PM (#3796496)
    why do people continue to compare nowadays linux (or IRIX, Solaris, *BSD) etc... to things like Win98, which is _over 4 years_ old by now

    Maybe because lots of people are still using Win98 - for economic reasons, because of a need to support old software needed to access critical data, or because considering microsoft's track record so far we tend to assume that in a few years it will be discovered that XP has even worse holes... Or people just don't like WPA, and assume that it's a future revenue enhancement tool - in a few years when MS has a replacement for XP on the market, their site for XP WPA might suddenly have all sorts of problems until people start giving up and buying a new OS when their systems crash and have to be reloaded.

    I agree, comparing Win98 to server OS's like BSD isn't fair - there should be two separate comparisons, desktop to desktop and server to server. I gather that in server software, Win2K isn't bad in comparison to other commercial server products, but the OSS products (Linux and BSD) are far better. So Microsoft's bellyaching about OSS being insecure is proven wrong. (And if Linux has improved that much in the last 4 years, it's another indication that when security becomes important, open source can improve much faster than closed.)

    As for comparing desktop to desktop, it's hard to arrange a comparison that everyone would agree is fair. First off, you don't exactly have competing desktop OS's - you have MS which writes desktop OS's and tries to upgrade them to run servers later, and you've got everything else (since Mac OS 9), which are *nix server OS's downgraded to run a desktop. It's something for MS to whine about when they lose. Anyhow, MS's latest desktop (XP Home) might have acquired a good sequence randomizer to plug this one hole, but the default installation apparently opens up a lot of others. I wonder how many other utterly brain-dead decisions like allowing Plug-n-Play to work across the network are not yet revealed...
  • Comment removed (Score:3, Insightful)

    by account_deleted ( 4530225 ) on Sunday June 30, 2002 @05:36PM (#3796920)
    Comment removed based on user account deletion
  • Re:Hmm. (Score:1, Insightful)

    by Anonymous Coward on Sunday June 30, 2002 @11:39PM (#3798563)

    Am I missing something?

    How is echoing text a security risk?

    Surely one would be better off doing something more creative like writing to /etc/passwd?
