

Friday, July 13th, 2001 — In a rare Las Vegas interview during the Blackhat and DEFCON hacker conferences, Microsoft's Security Program Manager Scott Culp granted The Register's reporter Thomas Greene an exclusive and private interview regarding my concerns about Windows XP's inclusion of full raw sockets. Thomas Greene had heard that Scott Culp has become a "fan" of The Register's coverage of this subject. Since Scott Culp apparently spent most of the interview (as you will see from their coverage) laughing about these important issues, The Register offered the interview as "light refreshment" . . .

See: MS security chief talks raw sockets with the Reg
I am troubled by Scott Culp's — and presumably Microsoft's — laughter, because its purpose appears to be a deliberate effort to obscure the truth from the press and user communities. Given Microsoft's incorrect and indefensible position, I understand why they now need a "spin campaign."

The question is, will YOU allow Microsoft's spin campaign to succeed?

In counterpoint to Scott Culp's misleading statements as reported by The Register, I have prepared the following analysis of Microsoft's present (and ever changing) position. For brevity, I have excerpted from Scott's statements during the interview. Please see the interview link above for a complete and original transcript.
Scott Culp: "[Gibson's] argument has been that the inclusion of raw sockets is both necessary and sufficient for distributed denial of service attacks; and there are actually two parts to the answer. The first one is, 'are DDoS attacks going to happen?' Yes. They will happen; and they will happen on Windows XP. That's not an argument; you're going to see them. What we're saying is, you're going to see them regardless — raw sockets are utterly irrelevant to the question of DDoS attacks on Windows XP, because if someone can compromise a machine . . . they'll have every ability they want. Control of the machine is the hurdle; the availability of raw sockets is not the hurdle. Once you've got control of the machine, if you don't have the raw [socket functionality] there you can add it."

Reality: I have never stated that the inclusion of raw sockets is either necessary or sufficient for distributed denial of service (DoS) attacks. Raw sockets were fortunately not used in the attacks against me because they were not available in existing consumer versions of Windows. (That's what Windows XP will unfortunately be providing.) Rather, I have stated that the inclusion of full raw socket support will empower malicious software to launch attacks which are dramatically more potent, impossible to block, and next to impossible to trace.

Scott said: "They [DDoS Attacks] will happen; and they will happen on Windows XP. That's not an argument." So Scott is now asserting that Windows XP will be a source of DoS attacks. He has smoothly co-opted this aspect of my argument, while at the same time saying that the "real issue" is keeping malicious software out of the user's machine. But he states that Microsoft will not be able to achieve that goal: "What we're saying is, you're going to see them [DDoS attacks] regardless."

Scott asserts over and over that "Control of the machine is the hurdle," but it is such a small hurdle on Microsoft software that hackers gracefully jump it without a second thought — and Scott assures us that this will be the case in the future.

Therefore, I cannot understand how Scott and Microsoft can defend the decision to give malicious hackers more potent tools in Windows XP with which to perpetrate Internet attacks.
Scott Culp: "It [full raw sockets] may be a convenience, but it can't be too much of a convenience, because Gibson himself was attacked by people who had to install WinPcap or something like that on the machines."

Reality: The WinPcap to which Scott refers is a well known, high-quality, third-party system-level device-driver/library that installs low-level network features into any Windows system. (It is different from and incompatible with raw sockets.)

But as I have clearly articulated, "WinPcap or something like it" had nothing to do with the attacks launched against us. They used large fragmented ICMP and UDP packets, both of which can be — and were — generated without any special networking support added to Windows.

I would hope that Microsoft's "Security Program Manager" would be qualified to knowledgeably discuss these important issues, but his statements belie any such depth of understanding.
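The traffic described here, as an added defender's-side illustration (example code, not part of the original page or of any GRC tool): a minimal IPv4 header parser that extracts the fragment fields and flags large fragmented ICMP/UDP datagrams in a set of packets. The sample packets are constructed inline, and the 1000-byte "large" threshold is an assumed heuristic, not a value from the page.

```python
import struct
from typing import NamedTuple

PROTO_NAMES = {1: "ICMP", 17: "UDP"}
MF_FLAG = 0x2000  # "more fragments" bit in the IPv4 flags/fragment-offset field

class IPv4Header(NamedTuple):
    total_length: int
    ident: int
    more_fragments: bool
    fragment_offset: int  # byte offset of this piece within the original datagram
    protocol: int
    src: str
    dst: str
    @property
    def fragmented(self) -> bool:
        # Part of a fragment train if MF is set or this is not the first piece.
        return self.more_fragments or self.fragment_offset > 0

def parse_ipv4(pkt: bytes) -> IPv4Header:
    """Decode the fixed 20-byte IPv4 header (RFC 791 field layout); options are ignored."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    _vi, _tos, tlen, ident, ff, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return IPv4Header(tlen, ident, bool(ff & MF_FLAG), (ff & 0x1FFF) * 8, proto,
                      ".".join(map(str, src)), ".".join(map(str, dst)))

def build_ipv4(src, dst, proto, total_length, ident=0, mf=False, offset=0):
    """Constructed header-only sample packet (checksum left zero); test data, not a capture."""
    ff = (MF_FLAG if mf else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, ident, ff, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def fragmented_icmp_udp(packets, min_length=1000):
    """Return one (src, ident, proto) entry per large fragmented ICMP/UDP datagram seen."""
    trains = {}
    for pkt in packets:
        h = parse_ipv4(pkt)
        if h.protocol in PROTO_NAMES and h.fragmented and h.total_length >= min_length:
            trains.setdefault((h.src, h.ident), PROTO_NAMES[h.protocol])
    return sorted((s, i, p) for (s, i), p in trains.items())

# Constructed sample traffic: a three-piece ICMP fragment train, a fragmented UDP datagram,
# and an ordinary unfragmented UDP datagram that must not be flagged.
SAMPLE = [
    build_ipv4("198.51.100.7", "203.0.113.10", 1, 1500, ident=0xBEEF, mf=True),
    build_ipv4("198.51.100.7", "203.0.113.10", 1, 1500, ident=0xBEEF, mf=True, offset=1480),
    build_ipv4("198.51.100.7", "203.0.113.10", 1, 60, ident=0xBEEF, offset=2960),
    build_ipv4("198.51.100.9", "203.0.113.10", 17, 1500, ident=0x0102, mf=True),
    build_ipv4("198.51.100.9", "203.0.113.10", 17, 76),
]
```

Each fragment train is reported once, keyed on source address and IP identification, so the small trailing fragment of the ICMP train neither double-counts nor escapes notice.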
Scott Culp: "But the second part is, OK, so if it's not going to cause DDoS attacks, could we remove it without any loss of functionality? And guess what: raw sockets are used for a whole bunch of security functionality in Windows XP. Internet connection firewall is one. IPsec [IP security protocol] is another one. It's used by network diagnostic tools. It's also used by games."

Reality: Non-privileged users presumably have restricted access to full raw sockets under WinXP as they do with Win2000. But certainly these users have the protection of WinXP's firewall, access to IPSec security, network utilities, and network games. So Scott seems to be confused about this.

All that's necessary for Microsoft to fix this problem would be to impose the same raw socket restriction upon administrators that it already imposes upon non-privileged users. Then this whole problem would go away. Despite Scott's spin to the contrary, since non-privileged users can use the system without having full raw sockets, it is clear that full raw sockets are not needed by users in the way Scott is claiming.
Scott Culp: "It [raw sockets] is just a networking function. All it is is a full implementation of the sockets protocol. And we've been lambasted, rightly, over the years about following the standards and implementing them fully, and if one vendor isn't fully implementing the standards then that [breaks] interoperability."

Reality: It seems unlikely that the addition of full raw sockets had anything to do with Microsoft being lambasted by a few users. For example, Microsoft has been lambasted far more for the integration of Internet Explorer with Windows. Many State Attorneys General and the United States government have sued them over it . . . all of which Microsoft has simply ignored. It seems far more likely, as the persistent rumors suggest, that Microsoft lifted the complete TCP/IP stack from version 4.3 of the Open Source FreeBSD UNIX system and received a full raw sockets implementation as part of the deal.

As for interoperability, Microsoft has never desired interoperability of their systems with others. Their efforts to deliberately thwart interoperability are legendary. And in any event, Microsoft's Windows Sockets API has been so deliberately loaded with non-portable "extensions" that interoperability is impossible by design.
Scott Culp: "It [raw sockets] is a service that it makes sense to provide at the OS level. From a rationality point of view, what's the sense of providing a ninety-percent implementation of commonly-used networking functions? The only thing you do is force people to write the last ten percent themselves or go out and buy a piece of third-party software that implements the last ten percent."

Reality: Scott says: "It [raw sockets] is a service that it makes sense to provide at the OS level." No it doesn't. Not at all. This is why every other operating system protects access to full raw sockets by requiring maximum "root" privileges for its use. These other operating systems deliberately restrict its access — which Microsoft does not under the Home Edition of XP — specifically because IT DOES NOT MAKE SENSE, nor is it necessary, to provide this dangerous networking functionality "at the OS level." Microsoft apparently thinks so little of their listeners that they believe that just saying something like this makes it so. But it doesn't.

Scott says: "From a rationality point of view, what's the sense of providing a ninety-percent implementation of commonly-used networking functions?" It should be clear to everyone that this last 10 percent is NOT "commonly used" since it has never before been available in other consumer Windows systems. Rationally, if the last 10 percent of the networking functions have no practical purpose, and are demonstrably dangerous, any security-conscious vendor WOULD deliberately exclude them.
As Thomas Greene said to Scott Culp during the interview, there are people (many people actually) who believe Microsoft has some nefarious and diabolical purpose behind the inclusion of unprotected, unnecessary, and dangerous networking features in Windows XP. I don't believe that.

But neither do I buy what Scott and Microsoft are selling about raw sockets in Windows XP. The facts demonstrate that it's nothing more than spin.