Microsoft States Full TCP/IP Too Dangerous

daria42 writes "To fully implement the TCP/IP protocol in Windows XP would make creating denial of service attacks 'entirely too trivial', Microsoft has claimed. The company was responding to claims by Nmap author and well-known security expert Fyodor that by repeatedly disabling the ability to send TCP/IP packets via the 'raw sockets' avenue, Microsoft was asking the security community to 'pick their poison': either cripple their operating system or leave it open to hackers. Admitting that a recent security patch had intentionally disabled a community-developed workaround to Microsoft's TCP/IP changes - which were first implemented in Windows XP Service Pack 2 - the company claimed it had received little negative feedback on the issue."

They picked C

[Nijika]

Cripple the OS, and leave it open to hackers!

In Redmond, this is what they call a win win.

//no Karma Bonus for that one... ;)

Core Routers

[republican gourd]

This is just part of the push to get the core internet routers cut over to NetBEUI well in advance of any ipV6 rollout. If Microsoft can manage that, the internet will be theirs again, just like when they initially built it between Steve, Bill and Woz's offices back in the early seventies.

Scary thing is, from what I've been reading Oracle will go along with this. And they can tell the future!!

Maybe Microsoft wants to

[Trigun]

rewrite TCP/IP? Embrace and extend it, so that we can have a safe, trusted internet?

My TCP/IP

[wombatmobile]

Maybe Microsoft is right. Protocols are dangerous.

Wouldn't it be safer if we all just had a My TCP/IP folder?

Another note from Bill Gates

[PenguinBoyDave]

Dear MS Employees, We have started the FUD about TCP/IP. Now press forward with MS/IP. Once we release it we'll charge everyone a fee to use it because we know it will be more secure than TCP/IP. After all, it comes from Microsoft. With Love, Bill

I Can't Believe It...

[cyngus]

I am actually going to side with Microsoft on this one. It is not as if they removed raw sockets, but rather restricted access to them. Let's consider who needs raw sockets, mostly advanced users. Advanced users are going to have an Administrator or root account on the Windows machine and therefore should have access to raw sockets, no? There is almost no reason for the average user to have raw sockets. They do create a real risk of bad network behavior and I imagine if someone were to create TCP/IP today instead of 30 years ago when the Internet was a much smaller, nicer place, raw sockets would not be part of the spec.

As an aside, I think I'm going to take the rest of the day off, agreeing with Microsoft is mentally jarring. It has to make you question existence just a little and also make you a touch ill.

Re:My TCP/IP

[tehshen]

If they implement the full protocols, everyone could have your TCP/IP folder :)

Microsoft's Real Plans

[PipianJ]

Why embrace and extend? All they really need to do is support the evil bit [rfc-editor.org].

But of course, being Microsoft, you're probably right. They'll make their own implementation of the evil bit, patent it, and charge royalties to others who want to support their new "EDDP" protocol (Evil Data Detection Protocol).

Not to mention that IIS, Exchange, IE, and Outlook will grow to require use of EDDP during transfers of data, locking Mozilla, Apple, Linux, and others from accessing much of the internet.

Finally, John C. Dvorak [dvorak.org] will boldly claim that EDDP is the wave of the future, and Apple, Linux, and Mozilla are clearly inferior for not supporting what is clearly a web standard, because if Microsoft says it is, it MUST be.

Hammer, meet nail.

[lheal]

This is because XP is not designed right, not because the TCP/IP protocol is wrong. (just to be clear)

You nailed it.

Microsoft is clearly trying to shift the blame from their dain-bramaged design to TCP/IP. How many other operating systems are there that do (more or less) fully implement TCP/IP, including raw sockets? It's almost universal.

Oh well. I guess Microsoft knows the neighborhood is safer with a crippled lunatic than healthy one.

Translation

[nuintari]

Translation: Our OS is a dog and we need to neuter it to keep it under control.

Not that this will solve anything, no raw sockets? I don't need no raw sockets, I have 48 billion bogus dns lookups!

Re:They picked C

[Temporal]

For a minute there, when you said "They picked C", I thought you meant as in the programming language. Ironically, your post makes almost as much sense with this interpretation. /me runs away.

Re:Core Routers

[drinkypoo]

Steve, Bill and Woz's offices back in the early seventies.

OMGWTFBBQ you noob! You forgot Al Gore's node.

Re:Something is wrong, alright

[Master of Transhuman]

Windows was never a bathtub - it was a sewer.

Re:A wise decision

[nusuth]

runas /user:Administrator@domain "C:\program files\internet explorer\iexplore.exe"

So you run internet explorer to add a printer. And I thought adding a printer to OS/2 was unintuitive...

Re:Steve "Ahab" Gibson

[nsayer]

"Steve's views were so discredited" = chicken
"M$ agree[s] with him now" = egg

Re:Baby, meet bathwater.

[dan_the_heretic]

"Our only hope is to fix it."

Help us Billy Gates, you are our only hope!

If the virus gets into the kernel...

[argent]

It also pointed out that "writing and installing kernel-mode code is vastly more complicated" than using an existing raw socket feature,

Yeh, that's why the majority of people doing this use an widely available rootkit or equivalent to do it for them.

and that if malware did make it into the kernel of a Windows machine, the user would have more serious concerns than just SYN attacks launched from their machines.

"If malware can execute code on a Windows machine, the user has more serious concerns than just SYN attacks launched from their machines. That's why Windows doesn't bother trying to close local exploits."

Re:Erm, cough, cough, excuse me...

[Anonymous Coward]

...while unix is only used by people who are smart enough to know basic security practices.

You haven't browsed the Gentoo forums, have you?

Windows is much more secure

[Perl-Pusher]

With any TCP/IP, I've found that by just unplugging the ethernet cable, a windows desktop can be just as secure as an OpenBSD Server.

so, put an ACL on it?

[multi io]

...and disable the feature by default for all accounts, including admin.

I mean, on other occasions you hear them blather about Windows' totally stellar, fine-grained security architecture, and now they want to prevent Joe Average user from accidentally using raw sockets by, uh, removing the feature altogether?