In a recent podcast Steve Gibson of grc.com has drawn attention to a detailed report [.pdf] by engineers at Symantec who demonstrate that Windows Vista contains a completely virgin network stack that has been programmed from the ground up. The Symantec software engineers have monitored the behaviour of the new stack through a series of beta releases and have documented that it contains most of the basic bugs and security holes that have long since been fixed in other stacks – even the Windows 95 stack. Since it has not had a chance to mature and develop in the wild, the likelihood that it contains new, uncharted holes and errors is very high. Some have already been found. Gibson stresses that the ramifications for the security of the new stack are disastrous.
When this bug bites, it can only be good news for the competition.
I feel for the IT departments and the users though.
so basically, the almighty ping packet of death returns?
maybe…
“In build 5270, we observed that sending random data to the host over protocol 43 causes the host to become unresponsive for a long period of time and that sending random data over protocol 44 causes Vista to crash with a blue screen. This is consistent with an implementation that does not expect to receive these protocol types over IPv4. This behavior has since been resolved in build 5384.”
“This behavior has since been resolved in build 5384.”
It’s not going to be the known issues that have already been resolved in other stacks that are going to cause the problems — although it’s amazing that so many of them were still there so late in the day in Vista. Finding those is just a matter of checking for them systematically, because they’re known. The real mayhem will be caused by all the new, unknown errors that cannot be avoided in a completely new stack. There’s no way that it can really mature until it’s been out in real, broad use for quite a while. Until then, Vista networking is a potential time bomb.
I would agree that Symantec has a vested interest in spreading FUD, but the facts here seem to be pretty clear. A brand-new network stack is at the very least something that shouldn’t be trusted immediately.
Edited 2006-08-06 10:03
“A brand-new network stack is at the very least something that shouldn’t be trusted immediately.”
Still using CP/M then
Seriously though I don’t trust ms’s previous, current or future security efforts, that’s why I only use osx and linux these days.
Welcome again, nukers. This reminds me of the times when folks with Win95 searched for “nukes” and tried to nuke each other in IRC rooms..
Towards the end of the podcast Gibson suggests that if you must use Vista you should just install it as second OS and “only play with it on weekends”. I know that Gibson has something of a reputation for hype and slightly wild assertions but that one was priceless.
I agree. Installing Vista is a bad idea even if you only use it during the weekends.
I know that Gibson has something of a reputation for hype and slightly wild assertions but that one was priceless.
Sorry, but Gibson is an idiot; this is the same guy who came out of the woodworks 5 years ago, drumming up hype over the fact that Windows XP had raw sockets, and according to him, the world will come to an end due to the *possibility* of that *STANDARD* TCP/IP feature being exploited by malicious coders.
Here we are 5 years ago, after the doom and gloom scenarios he painted for the IT world, and none has come to fruition.
Here he is again, pulling the same publicity stunt to make his company high profile; it’s another example of grandstanding in the worst possible way.
Windows Vista doesn’t have a ‘virgin stack’; it uses the same stack from Windows 2003, with problem and security prone parts completely replaced; I don’t know about you, but Microsoft seems damned if they do, damned if they don’t.
If they replace problem prone parts of their software with, what they consider, more secure, easier to maintain code, they’re blasted for introducing ‘virgin code’ and if they simply fix the code, they’re accused of ‘working around the issue rather than addressing the fundamental flaws’.
If these companies have an interest in promoting security, wouldn’t it be best to not only with the ‘blast’ include a solution, for example, “as I analysed the TCP/IP stack included with Windows Vista, I noticed several flaws in its implementation that could possibly cause security issues at a later date, but suggested resolution would be…….”. But again, like I said, Gibson is more about hype and showmanship rather than actually anything that benefits the IT community overall.
If they replace problem prone parts of their software with, what they consider, more secure, easier to maintain code, they’re blasted for introducing ‘virgin code’ and if they simply fix the code, they’re accused of ‘working around the issue rather than addressing the fundamental flaws’.
When it’s closed source then it doesn’t matter, you’ll never know for sure how (in)secure it is.
Thank God Steve Gibson is out there with his patented GRC NanoProbes(tm) to protect us from all the bad stuff being pumped through the Internet Tubes.
We all know that Vista is missing virtually all its major features and is later than a fleet of no. 10 buses but come on people you seriously trust what Symantec have to say on the subject?
All Symantec do is spread fud. Fud about osx, fud about vista, hell even fud about linux…….. Why you ask. It’s in their best interests to scare people, it makes fools rush out and buy their latest products.
Vista may well have a new network stack but for god’s sake don’t trust Symantec’s word on the subject, I’ll wait for impartial opinion and testing before laughing (again) as MS’s most recent botch job.
thingi
p.s. Steve Gibson ain’t much better than Symantec – second hand fud for god’s sake
Edited 2006-08-06 10:02
All Symantec do is spread fud. Fud about osx, fud about vista, hell even fud about linux……..
which of their products addresses a vulnerable network stack? With the intention of duct tape :-)
Firewall?
SELECT * FROM users WHERE clue > 0
Not quite.
Yes, antivirus companies have been FUDing for time being, because it gives them profit. But this time I tend to believe.
Disclaimer: I am Linux user, sysadmin and serious advocate, but have been supporting Windows – although not using myself – for very long time
It actually matches with details I have heard that lot of Vista code have been rewritten, BUT it was done by lot of crowd in India, there was no code security review done until the recent minutes, and all is done in so big rush that it is not funny anymore.
Maybe Microsoft will fix it – they have lot to lose if this will turn to reality – but this kind of attitude doesn’t make me believe that they think about competition seriously.
It actually matches with details I have heard that lot of Vista code have been rewritten, BUT it was done by lot of crowd in India, there was no code security review done until the recent minutes, and all is done in so big rush that it is not funny anymore.
Indeed. A TCP/IP stack isn’t something that you just replace.
It actually matches with details I have heard that lot of Vista code have been rewritten, BUT it was done by lot of crowd in India, there was no code security review done until the recent minutes, and all is done in so big rush that it is not funny anymore.
Ah, it was done in India, therefore it must be rubbish, everyone knows them Indians can’t code for s**t, I’ve seen studies that show the entire race has no problem-solving abilities, they learn by rote; frankly, they should just stick to making shoes in sweatshops, it’s what they’re good for.
Sheesh.
This anti-India thing is really annoying. While the country is not doing as well as it likes (or others fear for that matter) the amount of FUD propagated about them is repulsive. I don’t know if it was done in India or not, but that has almost nothing to do with the code quality. Re-writing a network stack is not something you do for s**ts and giggles, Microsoft clearly felt this was necessary, and I can’t imagine they’d therefore outsource it to the lowest possible bidder.
I would take anything Symantec (for whom MS is now a competitor thanks to OneCare) or Steve Gibson say with a grain of salt. It’s probably a reasonably competent stack, but as with all code rewrites, may take time to settle down.
There’s nothing wrong in calling a spade a spade. It’s not necessarily racist to claim that American programmers are better than Indian ones. It’s just a product of the fact that the field of programming in the United States is much more mature than the one in India, and as such has superior education, practices, and a well-developed talent pool.
Some people are just better than other people at some things — that’s the nature of the world. It doesn’t need to be ascribed to some inherent racial property, but can simply be ascribed to practical factors. Most of the academic work originally done on computers and programming languages was done in the United States. Who invented FORTRAN? Lisp? C? Americans. Who derived lambda calculus? A pair of Americans. Why is it any surprise that Americans have a stronger pool of programming talent?
To use a less controversial example, would you say it’s racist to claim that German car engineering is superior to American car engineering? Of course not! Hell, in the US, Ford and Chrysler are running commercials that basically say “buy our product, we worked with these foreign companies to make them not suck.” So how is the programming issue different?
Sorry, but this is utter bullshit.
I’ve worked with many many programmers in my time, and the best ones were from India. Stop spreading such ignorant xenophobic drivel. Good grief, no wonder the red states in this country (the US) elected a total buffoon as president, with such ignorance rampant among the populace.
Were those Indian programmers educated in the United States, or in India? There is no doubt people of Indian descent contribute very greatly to the engineering fields here in the US. A double-digit percentage of the folks at Xerox, Microsoft, NASA, etc, are Indian, and I’m sure they’re very good.
However, that’s not what we’re talking about here. We’re talking about programmers in India. In other words, we’re not talking about race at all, but education systems and engineering communities. In my experience, the education systems and engineering communities in the United States are more established and more advanced. It’s really silly to argue otherwise.
In other words, we’re not talking about race at all, but education systems and engineering communities. In my experience, the education systems and engineering communities in the United States are more established and more advanced. It’s really silly to argue otherwise.
I don’t know if it’s silly. I prefer to look at the results before claiming who is the best programmer or the best at anything. Having a good education means little. Having spirit, common sense, creativity, and most of all, talent, is what makes a person excel at something. Education is important, but NOT as important as talent. Not at all, even.
I have had the privilege to enjoy one of the finest high schools in my country, which teaches our highest form of education possible in my country (our education system is leveled, I did Latin/Greek school) to a mere 700 students. I am now attending a well-established university in Amsterdam.
Now, I speak and write close to fluent English, and my German is pretty good too. Now, where did I learn that? At that school? Reading books?
Of course not. I learnt my languages because I have a talent for linguistics, and because I had the right friends (German and English friends) at the right times (during the period in which children acquire language and their synapses are at its most plastic). Education has meant fairly little.
The same goes for the programming stuff. You don’t learn to write code at school. You learn some basic rules, just like with languages, but the rest is up to your own talents. And the talent for mathematics (which lie at the core of programming) is just as much available in India as it is in the US, or in Rwanda for that matter.
The talent versus education debate is one that’s highly dependent on context. Engineering and science are intensely social fields. A scientist or engineer feeds off the thinking of the community around him. As a result, it’s very rare to see self-taught engineers. It’s just the nature of the field that innate talent has to be nurtured in order to provide fruitful results. It is the infrastructure for nurturing that talent that is sorely lacking in India.
Ultimately, the proof is in the pudding. India graduates far more programmers than does the United States. If innate talent was really what mattered, and that talent is evenly distributed among countries, then India should be a powerhouse in computer science. But it’s not. Indeed, European countries a lot smaller than India contribute a lot more to the international body of work in the field. Why is that? Surely, it’s not the lack of resources, because unlike other fields, computer science is not resource-intensive. So what’s the explanation? Lack of support and education for potential talent is the most likely one, perhaps in conjunction with cultural tendencies that discourage creative thinking.
I agree with some of what you are saying but to say US education is better? That is utter bullshit. Look at the kids from IIT and so on. They are getting offers from MIT and Harvard and all the other Ivy Leagues but they turn them down. Not all Indian education is bad just like saying all US education is good because it ain’t. How many programmers in the US are US citizens or US people by blood anyway? Most of them are expatriates!
US higher education is objectively better than Indian higher education. There have been lots of studies into defining the measures that produce rankings of universities, and most such studies put American universities near the top. If you look at Time’s (a British company, btw) list of top 200 universities, 7 of the top 10 are American. IIT is ranked 84, which is very good (any university in the top 200 is a good one), but in a different class than MIT or Harvard.
Of course, that’s really not surprising. Harvard makes more money in one year from interest on its endowment than all the IITs put together receive in a decade. Money is a decisive advantage from a first-order perspective, and has numerous second-order effects, such as enabling US universities to cherry-pick the best and the brightest from other countries.
US higher education is objectively better than Indian higher education.
By what definition? When is a university better than another? Number of publications (I wouldn’t be all too confident in saying US universities publish more than those in India)? Number of students (no, the US won’t win that one)? Historical factors (India and the US are both new countries, so that factor is mostly even; of course Europe is ‘better’ by this definition)? Amount of money in the bank (ok, you’d ‘win’ this one)?
I’d say that the US higher education system is anything but ‘objectively better’ than any other nation’s, seeing the amount of money people in the US need to be even allowed to go to a university. Universities in the US and then especially the big names like Princeton, Harvard, and MIT, are only accessible to people with talent/intellect AND money, while in my country, ANY university is accessible to ANYONE with JUST talent/intellect. The state takes care of most of the money part.
So, Rayiner, that “objectively better” completely depends on what you define as “bad” or “good”. I define a good university as one that is open to anyone with talent and persistence, not just the rich happy few.
I think it was pretty clear from Rayiner’s posts that by “better” he meant “quality of education”, not its accessibility. And I agree with him, even though I favor public financing of universities (like we have here in Canada).
There is no question that the quality of tuition is better in reputed US colleges such as MIT, Caltech and other US schools, even if marginally so. Whether that’s “better” from a social standpoint is debatable (like you, I don’t think it is), but that wasn’t the point Rayiner was trying to make.
If Indian or American programmer must write a bunch of code in an extreme rush, knowing that he/she can be fired, even education or talent won’t help.
Most of the academic work originally done on computers and programming languages was done in the United States. Who invented FORTRAN? Lisp? C? Americans. Who derived lambda calculus? A pair of Americans. Why is it any surprise that Americans have a stronger pool of programming talent?
Are you from Texas?
http://developers.slashdot.org/article.pl?sid=06/05/10/0418218
Yes, because a participation in a programming contest really means something.
I don’t see why this is so hard for people to accept. America is the center of the programming world. That doesn’t mean that other people don’t do anything, or that we have to be snooty about it, it just means what it means. If you take a look at the advancements that have taken place in the world of computers, most of it happened in the United States. Furthermore, America is still at the forefront of academic research into computer science. There is a reason why so many talented people from India, China, and Russia come to the United States to attend university.
So what? Is it wrong to acknowledge that the United States is better at some things than other countries? Does anybody get hissy when somebody says that Japan is at the forefront of consumer electronics? Or that the Europeans are at the forefront of particle physics? Do people get angry when somebody lauds Germany’s or Britain’s philosophical traditions, France’s culinary tradition, or pre-communist Russia’s literary tradition? So why is it so hard to believe that the US hasn’t completely squandered its immense wealth, but has invested at least some small portion of it becoming the best in some specific things?
C was based/inspired by BCPL that was created at Cambridge
you still think this is about quality? it’s all economics baby!
the monthly income of an american programmer is the income of 15 indian programmers. they too have higher education, they have experience and they are really glad to work for that hefty wage.
it’s all about the numbers, not quality. 1 programmer isn’t more productive than 20 programmers. you can embellish and romanticize things as much as you’d like, but a bigger work force is a bigger work force. ask the chinese.
as to the geographic qualities of programmers I’m not commenting on that.
Oh, I absolutely agree with you. I think it’s perfectly rational for companies to do work in India, I’m just saying it’s inaccurate to say that there is no quality trade-off involved.
To use a less controversial example, would you say it’s racist to claim that German car engineering is superior to American car engineering? Of course not! Hell, in the US, Ford and Chrysler are running commercials that basically say “buy our product, we worked with these foreign companies to make them not suck.” So how is the programming issue different?
Most “German” cars are not built in Germany, and they tend to have multinational design teams. Further, I wouldn’t be surprised if a lot of the textbooks studied by people in India are the same as those studied in America.
I was surprised to see you hear that America has “superior … practices” than India. I presume you are referring to engineering practices: again where do you get the evidence for this, most evidence shows that Indian companies are set up by locals who worked for multinationals (usually American) then set up their own companies with practices tailored better to the local situation.
Your belief that Americans invented computer science is also a bit excessive: most of the theory was laid down in other countries (Turing, Boole, etc.); several languages (Pascal, Delphi) were developed outside of America; more recently the latest set of Intel CPUs were designed by Israelis after the Netburst architecture (an American invention) bombed.
India has its problems: 40% of women are illiterate; 25% of the population are “malnourished” (a nice way of saying starving); infrastructure is dire, to the extent that a lot of companies have their own electric generators; and the political situation is complex and violent. However saying someone is worse at a task than someone else simply by virtue of their nationality is just silly. It is entirely possible that a core of well-paid and well-motivated programmers at an Indian startup could do a better job than unmotivated programmers in a US company (certainly in one as poorly structured and directed as Microsoft).
The joy of computer science is that it is such a light industry. It takes very little material to start up a business, and there is a wealth of information, including free information on the web. While I certainly don’t think you’re racist, I think you are deluded in your assumption that experience makes one country automatically superior to another, or even that the average performance of a country as a whole is indicative of what a subset of its population is capable of.
After all, Britain’s software and computing industry is far more mature and established than that in the US (who only really got going after the second world war): would you accept therefore that Microsoft UK is capable of better things than Microsoft, Seattle?
I’d say India’s programming problems stem from the fact that their American involved projects are done by one company to build in-house software for another company by programmers who rarely talk to the customer no less see what they do with the software.
All software projects fail when they miss step number one: Collect your customers requirements.
Of course, yes, many are set up by Americans. Others aren’t, but run into the problems because American management (like virtually all business management) has absolutely no clue what they’re doing when it comes to anything technical, and they refuse to listen to their engineers.
I doubt there are many programmers at Microsoft UK. Microsoft prides itself on importing programmers into Redmond.
Further, I wouldn’t be surprised if a lot of the textbooks studied by people in India are the same as those studied in America.
You don’t learn engineering from textbooks. The textbooks teach theory, but theory isn’t everything. Theory underscores engineering, but there is a great deal of intuition and heuristic involved. That intuition cannot be conveyed via books. It’s something passed on from teachers to students, and learned via experience.
India’s educational infrastructure is just not set up to generate the same quality of engineers as the United States. First of all is the lack of good schools. India graduated 200,000 engineers in 2004. Just a couple of percent of those went to a school like IIT, which can stand toe-to-toe against very good (but not the best) American schools. Where did the rest go, and how good are they? Well, if money is any indication (and it usually is), it’s interesting to note that each IIT gets about 10x the funding of a regular Indian university.
Second is the impact of brain-drain. The top professors and students don’t stay in India. They attend universities in the United States, Canada, and Britain. If you look at the history of computer science advancements, they generally occur in two places. In top universities (Princeton, MIT, etc), or large R&D companies (IBM, HP, Xerox, etc). India’s best don’t stay and work in India’s counterparts to these places, to the extent that these counterparts even exist.
Third is the educational model itself. That India’s system of education is mechanistic is not news to anybody familiar with the country. Mechanistic teaching has its uses, but engineering really is too fluid a field to be suitable for highly mechanical thinkers. The best engineers I know can immediately ballpark the result of a complex calculation and give feedback on an idea out of hand. Mechanical thinking isn’t amenable to that sort of thing.
Your belief that Americans invented computer science is also a bit excessive: most of the theory was laid down in other countries (Turing, Boole, etc.); several languages (Pascal, Delphi) were developed outside of America;
I never said the US invented computer science. It’s true that the formal theoretical foundation of computer science, lambda calculus, was laid down by a pair of Americans, but as you rightly point out, the work of people like Turing was also instrumental. However, it’s unfair to characterize the American contribution to computer science as just one fish in a sea of others. Yes, there are other fish in the sea, but the American computer science tradition is undoubtedly the blue whale among them.
more recently the latest set of Intel CPUs were designed by Israelis after the Netburst architecture (an American invention) bombed.
Of course, Core 2 is a direct descendent of an old American design, the P6 core. Meanwhile, all three of the projects that hold the claim to being the first microprocessor were designed in the US, as was RISC in general, PowerPC, MIPS, SPARC, and Alpha. Moreover, the US still leads the world in microprocessor fabrication technology, courtesy of Intel.
Of course, all that is a pissing contest I don’t think is necessary. My desire is not to claim that the US is the only player in the world of computers, but merely to ask that it be given the respect due to it. Because America’s foreign policy aside, computer science without America would be like philosophy without Germany, geometry without Greece, or art without Italy.
>Of course, all that is a pissing contest I don’t think is necessary.
Indeed.
Just a short note concerning the different approaches to education since this is really off topic:
Given the financial situation of both countries it is reasonable to suppose that American education is superior.
Comparing American to German education I’d say they’re on the same level but very different. Judging from the books I’ve read (I’m studying physics) I would say that the American ones are a lot easier to read and give more practical knowledge and advice but in some places don’t seem to have the strong theoretical roots.
Regarding the network stack:
I really hope they have rewritten or at least greatly improved it. Last time I checked I could not even download a few GB at 2-3MB/s without near 100% CPU-utilisation. 10% on linux and I did check this with different browsers before you start b*tching around
I really hope they have rewritten or at least greatly improved it. Last time I checked I could not even download a few GB at 2-3MB/s without near 100% CPU-utilisation. 10% on linux and I did check this with different browsers before you start b*tching around
This is likely a driver issue, not a stack issue.
Ah, thanks for the info!
I assumed this was a common usage pattern so they should have tested it thoroughly but you might be right.
Concerning the education stuff:
Well, say the USA had the worst education, they would nevertheless attract the brightest minds from all over the world if they paid more. And I’d guess it’s safe to say you earn more in the US than in a country like India.
You get what you pay for.
Ok, maybe good programmers are a _bit_ cheaper in India because living is less expensive down there.
Edited 2006-08-06 23:47
A spade is the same in any country, yet you are stating that one human in one country is not the same as another human in another country.
You are so wrong it hurts. I’m a total fool for even replying to you.
America may have a higher GDP than India, but that is no basis for going around and declaring yourself superior to other races, you’ve never met. One person that did that was Hitler.
“Most of the academic work originally done on computers and programming languages was done in the United States.”
Think Charles Babbage, Turing, Boole. America helped invent the computer, nothing more than anyone else. Get off your high horse.
Disclaimer: I am Linux user, sysadmin and serious advocate
Meow?
not only that, any big corp that states that will be a topic of most techie websites out there, that’s very effective passive publicity for them.
people love to bash microsoft, and they love to see microsoft being bashed. this is guaranteed free publicity.
Let alone when they claim something as dubious as a TCP/IP stack problem… as if that stack was something static.
you are totally right, it’s FUD. and two weeks later after vista does go public there will be patches, surely then will be a new topic in a cynical tone about those patches. this tone is used for two companies’ products: microsoft and apple. everything else is above that sort of judgement.
So maybe, some of you say this is FUD from Symantec, but after reading the whole 48 pages, you gotta admit that it’s pretty well documented. And it’s a pleasure to read too. So even if it were to spread fear for upcoming vista users, i would say it’s OK. There is no reason to hide people from the truth about their operating system security. If i were to buy vista (which i’m not), i wanted to know as much as possible about the system as i could. Reminding people of the increased possibility of security flaws is by my opinion a good thing…
Seems like Symantec is really afraid of losing security software market with Vista…
So afraid that they run these stupid false reports
And *nix users are happy, because it gives them something to eat
You must have some deep knowledge of the new Vista network stack, because you claim that you know this report is false!?
What can they benefit from this? They don’t produce “replacement networking stacks”.
What they are doing is pointing out something that is going to make *their* job harder.
Enduser on Vista that just bluescreened “But I had Symantec Protect My PC From the Badguys ™ running… why did that happen? Stupid Symantec…”
What can they benefit from this? They don’t produce “replacement networking stacks”.
They do produce firewalls, and other network protections. In case you haven’t noticed it, Symantec has even sued Microsoft (http://news.com.com/Collision+course+for+Symantec+and+Microsoft/210…).
Symantec is just trying to harm Microsoft. Notice how Solaris rewrote its networking stack in solaris 10 and how the linux network stack has significant changes in every release, and nobody has still released documents saying that they’re insecure. To start with, Vista’s network stack may be in fact MORE secure, since they’ve had the opportunity to look seriously at security, something that they didn’t so hard with the old networking stack and that they’re doing these days with all the new code they write.
They do produce firewalls, and other network protections.
Tell me how does a firewall aid a vulnerable network stack?
To start with, Vista’s network stack may be in fact MORE secure, since they’ve had the opportunity to look seriously at security
Not only MS looks at their source code. A lot of other vendors do the same. Yet still an abundance of flaws, bugs and vulnerabilities are discovered despite thorough code analysis. Or is MS the only company in your opinion that checks their code?
I don’t say I believe the report, nor do I reject it. It’s interesting nonetheless and as always time will tell :-)
Edited 2006-08-06 11:57
Tell me how does a firewall aid a vulnerable network stack?
*sigh*
Vista’s network stack includes a much-improved firewall. This makes Symantec’s firewall much less necessary.
*a firewall* not necessarily one of symantec.
You have to open some ports otherwise it’s quite pointless of having a connection. As far as I know the firewall in Vista doesn’t have an attack signature database, feel free to correct me though.
So my question is what’s the use of a firewall if a website you visit exploits your network stack? I’m afraid hardly any firewall can help to prevent it from happening. A firewall is in my opinion the last brace in a long security chain.
Edited 2006-08-06 14:06
Personally, I would trust Symantec’s firewall to protect my computer just as much as I would MS’s.
Which is to say I would not use either.
One thing is for sure, if you could kill a Solaris 10 or a Linux box with just sending random data on a specific layer3 protocol, it would be heard all over the news as well.
I have read the whole report in detail; admittedly I didn’t try out the various exploits yet. This report documents major bugs in Vista’s network stack, which I’m sure you would agree on. Symantec has done a lot of work in helping them find the bugs. In fact it’s a nice thing to publish this report to the public. They could have just kept the secrets to themselves, and then developed proprietary software to solve the problems (like they do at the moment).
The fact that more people are testing the code results in more problems solved. Compare this to the strength of the open source community. How many people do you think have ever looked upon the BSD/Unix networking stack? I can’t tell you the number, but it’s a hell of a lot more than Microsoft has “Looking out”.
A Microsoft OS with serious flaws???? Surely you jest.
A Microsoft OS with serious flaws???? Surely you jest.
I don’t jest.
And stop calling me Shirley.
Just go to the following site and click some links
Warning it might crash your *windows* computer.
http://ha.ckers.org/weird/
On Linux (FC5) the Firefox browser crashes but that’s pretty much it. A box with XP SP2 installed happily opens multiple Thunderbird/Outlook windows until your PC crashes out of memory starvation.
Haven’t tried it yet with Vista though :-)
Ya know, I seem to remember …
http://www.grc.com/dos/winxp.htm
Ok, sure .. WinXP was bad on security, but was it any worse than Win2k? I remember one article on PBS (which I can’t find anymore) talking something about how XP was going to be the destruction of the universe.
Why should you? And why should Symantec? Just for the sake of stating “this beta release is buggy”?
And thanks for that link… like I hadn’t enough problems with porn sites.
Just kidding, I’m using MacOS & Camino, it handled it gracefully. But Thunderbird required a forced quit.
Requiring a force-quit is graceful?
I think this attack is possible because, if you obey the standards, you’ll have to open all those mailto: links and you’re “attacked”. I think the solution to this particular problem is on the mail-client side: use a semaphore to ensure that no more than X number of composition windows can be opened in a given time period.
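The mitigation suggested in the comment above, sketched as an added example (not part of the original thread and not code from any real mail client): a limiter that caps both the number of compose windows open at once and the number opened per time period. The class name, the limits and the injected clock are assumptions made for illustration.

```javascript
// Hypothetical limiter a mail client could consult before opening a
// compose window for a mailto: link. All names and limits are illustrative.
class ComposeWindowLimiter {
  constructor({ maxOpen = 3, maxPerPeriod = 5, periodMs = 10000, now = Date.now } = {}) {
    this.maxOpen = maxOpen;           // semaphore: compose windows open at once
    this.maxPerPeriod = maxPerPeriod; // the "X" openings allowed ...
    this.periodMs = periodMs;         // ... in this time period
    this.now = now;                   // injectable clock (makes the logic testable)
    this.open = 0;                    // currently open compose windows
    this.recent = [];                 // timestamps of recently granted openings
  }

  // Returns true if a compose window may be opened now, false to drop the request.
  tryOpen() {
    const t = this.now();
    // Forget grants that have aged out of the time period.
    this.recent = this.recent.filter((ts) => t - ts < this.periodMs);
    if (this.open >= this.maxOpen || this.recent.length >= this.maxPerPeriod) {
      return false;
    }
    this.open += 1;
    this.recent.push(t);
    return true;
  }

  // Call when the user closes a compose window; frees one semaphore slot.
  close() {
    if (this.open > 0) this.open -= 1;
  }
}

// Constructed scenario: a page triggers `count` mailto: links in one burst.
// Returns how many compose windows the limiter actually allowed.
function simulateFlood(count, limiter) {
  let opened = 0;
  for (let i = 0; i < count; i++) {
    if (limiter.tryOpen()) opened += 1;
  }
  return opened;
}

console.log(simulateFlood(50, new ComposeWindowLimiter())); // burst of 50 requests
```

Closing windows alone does not reopen the floodgates: the per-period count still applies until the earlier grants age out.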
Don’t know why on Earth they’ve done this. The existing stack took years to mature through Windows 95, 98, NT 4 and to 2000 (which is where it only became moderately good). Everyone else has been using the tried BSD stack for years.
The TCP/IP stack in Windows up to XP is initially based on BSD too, though a lot of it has probably been rewritten by Microsoft.
Actually, no.
NT hasn’t had the BSD stack since NT4.
It never shipped with a BSD stack. A BSD stack was used pre NT 3.1, while the OS was in development, but NT 3.1+ shipped with a Microsoft stack.
It never shipped with a BSD stack. A BSD stack was used pre NT 3.1, while the OS was in development, but NT 3.1+ shipped with a Microsoft stack.
Microsoft (legally!) used the BSD source code to write their own TCP/IP stack. You can verify this by looking at the executables on Windows 2000 (grep for Berkeley). Berkeley and the BSD license are also mentioned in the Windows 2000 copyright notice.
There won’t be much BSD code left in Windows XP, but it surely is based on the BSD TCP/IP stack!
The BSD code is from the FTP client.
http://www.kuro5hin.org/?op=displaystory;sid=2001/6/19/05641/7357
When you grep for it you’ll find some odd commandline utilities (ftp.exe for example) using the BSD copyright notice but not for tcpip.sys
As Larry Osterman (MS employee) says – they wrote a TCP/IP stack from scratch after NT 3.1 (see http://blogs.msdn.com/larryosterman/archive/2006/04/05/569099.aspx#… and http://blogs.msdn.com/larryosterman/archive/2005/11/17/494007.aspx ).
About the original report (I posted this before, btw) – you might want to read this reply from a guy at Microsoft: http://blogs.technet.com/security/archive/2006/07/18/442368.aspx which gives at least another insight into this whole debate from people who do know about the innards of the new TCP/IP stack.
Now, for those wondering why they had to replace the networking stack with something new you might want to watch this video: http://channel9.msdn.com/Showpost.aspx?postid=116349 it answers (among other things) this question.
Erm, I was under the impression that NT always had its own TCP/IP stack, and the BSD stack was used in Windows 9x; what remains of the stack in Windows NT are merely the CLI tools like ping, arp, etc.
With that being said, the BSD stack has several; the partially fine grained one in FreeBSD? the über speedster from NetBSD? the secure but unscalable one from OpenBSD?
The TCP/IP stack in Windows up to XP is initially based on BSD too, though a lot of it has probably been rewritten by Microsoft.
This stack was not based on BSD. The only BSD-based stack MS has used was in the initial version of NT, where they licensed a BSD-derivative stack from Spider Systems. They replaced this stack with their own in NT 3.5.
Don’t know why on Earth they’ve done this. The existing stack took years to mature through Windows 95, 98, NT 4 and to 2000 (which is where it only became moderately good). Everyone else has been using the tried BSD stack for years.
The stack was rewritten for Windows 2000 and NT 3.5 or 4.0 as well. MS has written/used several networking stacks over the years.
Remember Gibson back when XP was released hyping how BAD raw sockets would be in XP since every joe blow user would have them?
Remember how he literally said it would be the destruction of the internet?
Coming from Symantec this really means sweetFA. Their software is the biggest POS out there. I work in tech support and the amount of times their shitty software has taken over PCs and caused other problems… *sigh* Other tech support ppl understand
I’ve got a mixed reaction to this news. On one hand, if the TCP stack really was that badly broken, then it should be fixed. Even Sun shipped a completely new TCP/IP stack in Solaris 10 (though for performance rather than security reasons), so replacing the thing isn’t an inherently bad idea.
On the other hand, I can’t help but wonder if it’s a misdirected effort. The TCP/IP stack in 2K and XP was reasonably good. It wasn’t the source of most of the security flaws in the OS, it was all the higher level stuff like IE, COM, DCOM, RPC, ActiveX, etc. Replacing the TCP stack seems like fixing the wrong problem.
It has a tendency to get corrupted.
“MS Vista to host made-in-India features”:
http://timesofindia.indiatimes.com/articleshow/1390856.cms
Caveat: The article has some English translation problems (the “out of india” comment on page 1 makes no sense unless it means “[coming] out of india”)
Note: I am not anti-Indian, just pointing out that people are not “crazy” or “racists” or “[insert insult here]” because they mention that Microsoft is using India extensively. It is a known fact, so please don’t ignore it or pretend it’s some urban legend.
Software development/design in general has been going down the tubes for a long time. There have been many articles and papers written on the subject in the US. Don’t blame Indians, this is a Microsoft-created firm in India, probably Microsoft training, Microsoft managers, etc. The blame is all Microsoft’s.
This article doesn’t say much about what was developed in India, specifically… there are a lot of digital imaging features in Windows and I can’t tell which one he’s talking about (and it’s not like digital imaging is a huge and crucial “OS” level feature). It has security implications though (cf. the WMF flaw).
I can definitively say that all of the recent Windows features for running UNIX applications (Services for Unix and SUA) were developed in India and this is an “OS”-level subsystem. It’s not crucial to the Windows Client though. I can guarantee that the networking stack was written in Redmond because as far as I can tell Windows Kernel is a small team and they wouldn’t spread it out too much.
Vista has problems now, “It’s a beta!”
Vista has problems when it comes out, “It’s still new!”
Vista has problems a few years down the line, “Hey, they’re fixing it! Would you rather they didn’t?”
And the cycle continues right on through the next Microsoft OS. For once, let’s stop pretending that a multibillion dollar company that’s been falling up since its inception is just a tragic victim of circumstance.
that Gibson predicted that XP would end the internet as we know it…
hasn’t happened….
You know people are just too damn gullible when hearing these reports. Wait for independent security analysis, with no financial stake or incentive to claim Vista is insecure, make their reports. Until then Symantec is not credible, and even more Gibson Research? Come on people, look at the SOURCES before blowin air out of your @sses. I would value GRC about as much as I value a Republican on FOX news to analyse a Democrat.
…all the bugs will be fixed by the time Vista is released… 10 years from now. SORRY! I couldn’t resist. Seriously tho’… this is still a beta version of a complete rewrite of the network stack. Surely Symantec realizes that MS has to go through many cycles of testing/bugfixes/testing before this thing is nailed down.
If they want to look for holes now they should be passing the data quietly back to MS to make sure they are aware of them. Then, during the final Beta releases they can start blabbing about holes if any still exist at that point. Not that I have any say in how they should behave.
This is such a load of nonsense. Gibson isn’t even promoting his own research!
Did anyone here bother to READ the Symantec report? All it does is highlight issues that were discovered in early builds and then proceeds to state that the problems are fixed in 5384 but that further investigation will “likely prove fruitful”.
Blatant intellectual dishonesty on the part of both Symantec and Gibson.
Sun writes a new network stack and “the new TCP/IP stack increases network performance for Web-based workloads by 40 to 45 percent on both SPARC and x86 platforms, and by 20 to 40 percent for bulk data transfers”.
Microsoft writes a new stack and it’s full of bugs.
Sun writes a new network stack and “the new TCP/IP stack increases network performance for Web-based workloads by 40 to 45 percent on both SPARC and x86 platforms, and by 20 to 40 percent for bulk data transfers”.
Microsoft writes a new stack and it’s full of bugs.
You’re comparing released code with beta code, plus the build Symantec used in their report was several months old and the issues in question had already been fixed in builds that were currently available at the time with no help from Symantec. So the assertion that MS’ stack is full of bugs based on the Symantec report isn’t true.
for linking to Gibson/GRC, I needed a good laugh to start off the week.
“It’s time to talk security with our maven of security, the man who coined the term ‘spyware’”
Just like how he “invented” syncookies..err.. i mean NanoProbes.
“The problem with doing that is that it means it’s trivial to probe the stack to find out what protocols it does support.”
Uhm, just a wild guess but maybe that’s IP, TCP and UDP? Probably AH and ESP too.
Come on, there’s NOTHING bad about this behaviour.
“And they found a bunch of interesting unknown protocols. So they sent some random data to one. Boom. Blue Screen of Death.”
Good thing you can’t send random data to a machine unless you’ve found out all the protocols first. Oh wait….
“So listeners of Security Now!, who are obviously on the security awareness leading edge”
Heh, now THAT is comedy gold.
Two morons gibbering at a microphone without anything worthwhile or clueful to say. The Internet sure do enrich our lives.
Even Windows XP wasn’t worth it until SP1 or 2.
The only difference between Sun’s new stack and Microsoft’s is
Sun had all the time in the world to develop a new stack
Microsoft didn’t listen long enough ago to networking experts and start development on a more efficient stack.
Most of Microsoft’s products seem to run on the age-old marketing deployment. VISTA is a step in a more serious direction and the new direction requires that old legacy stuff should be dropped. Microsoft have to say anything not .Net is obsolete and drop all the legacy stuff so they can concentrate on the future.
Also Microsoft should have a legacy line XP.
I must admit Microsoft’s legacy portability has been outstanding. Emulation or virtualisation is now a new way to provide these services.