[Dshield] XP and security

Quibell, Marc mquibell at icn.state.ia.us
Thu Nov 29 15:07:18 GMT 2001

More of the same I've been saying from Chris below. Good points.

However, ISP are limitedly responsible for their customers' networks. The
customers should be responsible for egress filtering, which also has a
limitation of being local domain only. This means that egress is limited in
that one can still spoof an unused IP address from the same subnet. For an
ISP to filter, yes that is a tough issue. Right now, we could not do it.

Marc Quibell
ICN Network Operations Center
Data Operations Group
noc at icn.state.ia.us

-----Original Message-----
From: Chris Newton [mailto:newton at unb.ca]
Sent: Wednesday, November 28, 2001 9:03 AM
To: dshield at dshield.org
Subject: RE: [Dshield] XP and security

Not directed at David, just the list.

  I think everyone is missing the point about the 'easily accessed raw
sockets'.  The people who can boot a floppy into linux and run the hacks are
not the problem.   What people are trying to explain... is that millions of
boxes with this ability, sitting on the desktops of complete
is a problem.  Up until now, it's been unix boxes that had this ability
(primarily), _usually_ sitting on the desks/racks of slightly more
orientated users (ie: they just _might_ notice something weird going on, or
actually secure the box, or give a damn)... and we still have a big
spoofing/DDoS problem (and there are DAMN few unix boxes compared to Windows

  _now_ we will have millions of boxes sitting in homes, schools, wherever,
that will have this ability, controlled by users who don't care, don't know,
won't notice a problem if/when they get hacked.

  I've heard the explanations too... but...

1) Noc operators shouldn't be letting spoofed addresses through...it's their
problem....  guess what, they still do, they always will...  CodeRed/Nimda
should have taught people that no amount of preaching will reach those who
don't care/don't listen to fix things they don't understand.

2) You could always do the raw socket-like thing on windows, by (re)writing
driver, and installing that...  Weeeeee... when was the last time you saw a 
trojan install network drivers?  This feature makes it simple, and easy.
Writing drivers is not easy.

>===== Original Message From "David Sentelle" <David.Sentelle at cnbcbank.com>
>Lotsa people seem concerned about XP's security and easily accessed raw
sockets.  Would a raw socket-less WinXP keep a user from booting from a
disk into a linux partition and running their hacks?  Would requiring 'root'
privileges for raw sockets actually ensure that only responsible people had
'root' access?
>Would raw sockets be that much of a problem if ISPs just checked the
to make sure that the address sending the traffic was the same that was 
declared inside the packets?
>I'm much more concerned with the lack of accountability that software 
developers have, as well as the lack of definition as to where an OS should 
stop and applications should start.  Microsoft has been 'developing' the 
windows platform for a LONG time now, and I STILL see applications
files to the OS's core directories.  If they're not going to tell consumers,
shouldn't Microsoft at LEAST tell developers where the OS stops and their
Application starts?  (Sorry for the tangent, but I've been working for 2
trying to figure out how to allow users to 'cut' a block of text from 
MS-Word2k without crashing)
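As an added illustration, not part of any message in this thread, here is a small Python model of the two checks discussed above: the customer-side egress filter Marc describes (with its stated limitation that an unused address from the same subnet still gets through) and the "does the sending address match what the packet declares" check David asks about, carried one step further to a per-port binding that closes that gap. The customer prefix, the per-port assignment table, the packet records and all function names are constructed for this example and are not from the original posts or from any particular vendor's implementation.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example values (documentation address ranges, not real hosts).
CUSTOMER_PREFIX = ipaddress.ip_network("192.0.2.0/24")

# Hypothetical per-port assignment table: which source address the host on each
# customer-facing port is allowed to use. A prefix-only egress filter has no such
# table, which is exactly the limitation discussed in the thread.
ASSIGNED = {
    "port-1": ipaddress.ip_address("192.0.2.10"),
    "port-2": ipaddress.ip_address("192.0.2.11"),
}


@dataclass
class Packet:
    ingress_port: str   # which customer-facing port the packet arrived on
    src: str            # source address declared in the IP header


def prefix_egress_check(pkt: Packet) -> bool:
    """Prefix-only egress filter (the RFC 2827 / BCP 38 style check): let a
    packet out only if its declared source lies inside the site's own prefix."""
    return ipaddress.ip_address(pkt.src) in CUSTOMER_PREFIX


def per_host_egress_check(pkt: Packet) -> bool:
    """Per-host source validation: the declared source must be the address
    assigned to the port the packet actually came from. This closes the gap
    where an unused or neighbouring address from the same subnet is spoofed."""
    assigned = ASSIGNED.get(pkt.ingress_port)
    return assigned is not None and ipaddress.ip_address(pkt.src) == assigned


def evaluate(packets):
    """Return (src, passes_prefix_check, passes_per_host_check) for each packet."""
    return [(p.src, prefix_egress_check(p), per_host_egress_check(p)) for p in packets]


# Constructed sample traffic, all arriving on port-1 (whose host is 192.0.2.10).
SAMPLE = [
    Packet("port-1", "192.0.2.10"),     # legitimate: the host's own address
    Packet("port-1", "198.51.100.7"),   # spoofed, outside prefix: prefix filter stops it
    Packet("port-1", "192.0.2.200"),    # spoofed, unused address inside prefix: prefix filter misses it
    Packet("port-1", "192.0.2.11"),     # spoofed, neighbour's address: prefix filter misses it
]

if __name__ == "__main__":
    for src, by_prefix, by_host in evaluate(SAMPLE):
        print(f"{src:>14}  prefix-filter={'pass' if by_prefix else 'drop':4}"
              f"  per-host={'pass' if by_host else 'drop'}")
```

Running it shows the point of both messages: the prefix-only filter passes three of the four packets, because anything inside 192.0.2.0/24 looks local to it, while the per-port check passes only the legitimate one. The per-port binding needs state that only the customer's own edge device has (which host sits on which port), which is why the finer check belongs at the customer edge, and an upstream ISP that sees only the aggregate link can at best enforce the prefix check.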
