
CYBERPUNK: Socket Man

As Microsoft-bashing has turned into a favorite sport of journalists everywhere, it's a bit disheartening to see online pioneer Steve Gibson needlessly indulge in it as well.
 
 

I dig Steve Gibson. Not only is this renegade computer security consultant a great storyteller but he's one of the best Net advocates out there, a regular Abbie Hoffman of the binary age. Still, his latest crusade has me wondering if he isn't starting to value Microsoft-bashing over basic honesty.

On May 4, the Web site for Gibson's company, Gibson Research Corp. (www.grc.com), suddenly dropped off the Internet. It was being subjected to a distributed denial of service (DDoS) attack -- the same kind that temporarily crippled Yahoo! and CNN.com early last year -- in which a site's server is crushed by a huge number of phony requests coming from all over the Net. Fortunately for GRC, this kind of attack can easily be thwarted with a bit of smarts. Gibson knew that all his service provider had to do was have its routers read the packet headers of the phony requests to identify the return addresses, then filter out everything arriving with those addresses. Once he got the right engineer on the phone, GRC.com was back in business.

Gibson didn't stop there, though. Examining the packets, he found that his site had been bombed by 474 computers, all running Windows, and all unwitting slaves to a remotely installed "zombie" program, unbeknownst to the PCs' owners. GRC.com suffered from five more attacks that month, and Gibson eventually tracked down the vandal (by getting a copy of the zombie program from one of the folks whose computer had been enslaved).

Gibson wrote up his adventures in the adolescent-hacker underground in an essay, "The Strange Tale of Denial of Service Attacks Against GRC.Com" (www.grc.com/dos/grcdos.htm). It's one of those irresistible, take-an-afternoon-off-to-read essays on computer culture that appear on the Web from time to time, in the same league as Eric Raymond's "The Cathedral & the Bazaar" (www.tuxedo.org/~esr/writings/cathedral-bazaar/), Neal Stephenson's "In the Beginning There Was the Command Line" (www.cryptonomicon.com/beginning.html), and the Son of Gomez's "The Xenix Chainsaw Massacre" (www.technopagan.org/politics/xenix/xenbody.html).

But if Gibson initially shared his ordeal for entertainment's sake, he has since directed his energies into a tirade against Microsoft's new operating system, Windows XP, which won't even be out until the fall. In a subsequent essay, "Why Windows XP Will Be the Denial of Service Exploitation Tool of Choice for Internet Hackers Everywhere" (grc.com/winxp.htm), Gibson asserts that once XP hits the streets, it'll be even easier for hackers to wreak serious havoc.

"Windows XP is the malicious hacker's dream come true," Gibson writes. He was only able to tell where his attacks were coming from because, with current Windows systems, it is impossible to forge a computer's Internet address, making it easy to filter out packets with those addresses. XP, however, will come with "raw sockets" support, which can be used to forge phony Internet addresses. Once XP is in widespread use, Gibson predicts, the zombie programs hackers plant via the Internet -- the kind that attacked his company -- won't be as easily identified, and thus will be nearly impossible to filter out. Without that filtering capability, the victim site can't start heading off the attacks as they're occurring; it's out of commission for the duration of the bombardment.

Or so Gibson argues. Microsoft itself posted a rebuttal, pointing out a few pretty good reasons why XP may not be the risk Gibson claims ("Hostile Code, Not the Windows XP Socket Implementation, Is the Real Security Threat": www.microsoft.com/technet/security/raw_sockets.asp). For one, if hackers really want Internet-address-spoofing machines, they don't have to wait for XP; Unix and Linux and the new Mac OS X already offer such raw-socket capability. Gibson counters that the sheer number of XP machines that will be out there will provide far more firepower for hackers. Gibson is correct and Microsoft is indeed offering a bit of a red herring, but Microsoft also rebuts that XP machines will have far stronger security features than earlier versions of Windows. XP will be better equipped for broadband use, meaning it will be harder for hackers to break into.
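
The source-address filtering that got GRC.com back online, and the reason Gibson argues forged addresses would defeat it, can be seen in a short simulation. This is an added illustration, not part of the original column or of Gibson's essays; every address, packet count and the threshold of 50 are constructed sample values, and the packets exist only in memory.

```python
import socket
import struct
from collections import Counter

def ipv4_header(src: str, dst: str) -> bytes:
    """Build a minimal 20-byte IPv4 header (constructed sample data, never sent)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64,
                       socket.IPPROTO_TCP, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def source_of(header: bytes) -> str:
    """Read the source address field (bytes 12-15) of an IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return socket.inet_ntoa(header[12:16])

def build_blocklist(packets, threshold):
    """Sources that sent more than `threshold` packets in the sample window."""
    counts = Counter(source_of(p) for p in packets)
    return {src for src, n in counts.items() if n > threshold}

def passed(packets, blocklist):
    """Packets a router would still forward after filtering on the blocklist."""
    return [p for p in packets if source_of(p) not in blocklist]

SERVER = "203.0.113.10"  # constructed victim address
# Constructed legitimate traffic: 20 visitors, one packet each.
LEGIT = [ipv4_header(f"198.51.100.{i}", SERVER) for i in range(1, 21)]

def flood_fixed_sources(zombies=5, per_zombie=200):
    """Flood in which every packet carries its sender's true address."""
    return [ipv4_header(f"192.0.2.{z}", SERVER)
            for z in range(1, zombies + 1) for _ in range(per_zombie)]

def flood_forged_sources(total=1000):
    """Same volume, but each packet carries a different forged source address."""
    return [ipv4_header(f"10.{(i >> 8) & 255}.{i & 255}.1", SERVER)
            for i in range(total)]

def attack_packets_passed(flood, threshold=50):
    """Count flood packets that survive a per-source filter built from the traffic."""
    traffic = LEGIT + flood
    forwarded = passed(traffic, build_blocklist(traffic, threshold))
    return len(forwarded) - len(LEGIT)  # legitimate sources stay under the threshold

if __name__ == "__main__":
    print("true source addresses:", attack_packets_passed(flood_fixed_sources()))
    print("forged source addresses:", attack_packets_passed(flood_forged_sources()))
```

With true source addresses the five heavy senders stand out and the filter drops the whole flood; with a different forged address on every packet, no source ever crosses the threshold and per-source filtering blocks nothing.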
