Tales from the Crypto : Bad names

“Fully Stealthed” means fully spoofable

Alun Jones — Wed, 21 Jan 2009 00:50:19 GMT

Every so often, someone on one of the security mailing lists to which I subscribe will post a frothing rant from someone who has discovered their own personal “magic bullet” which solves all their security woes. This time, it’s a guy who was convinced that Microsoft’s recent out-of-band Internet Explorer patch MS08-078 is actually a conspiracy by Microsoft (and the government, of course) to invade your computer.

Okay, now aside from the point that, technically, Microsoft “pwns” your computer if you run their OS, and they don’t need to install patches to continue to do so; aside from the Ballmer defence (“If we were actually evil, don’t you think we’d be doing a better job at it?”; aside from that and many other considerations, what evidence did this guy have that the patch is a conspiracy?

Gibson Research’s ShieldsUp site reported that his system was “Fully Stealthed”.

[For those of you non-geeks reading the blog, that means that his firewall was closed up so tight that his system was not responding to any attempt to connect.]

Many other people have made, or will make, the obvious note that the patch is for a browser client bug, whereas the firewall ignoring all incoming requests only protects against server-related bugs, so I’ll leave it to those people to discuss that.

My concern is that Gibson is still pitching the idea that “Fully Stealthed” is a good idea.

TCP/IP, the network protocol on which much of the Internet is currently based, is designed around certain error reporting mechanisms that keep the system able to route around trouble.

One of these mechanisms is the TCP RST (reset) flag. The reset flag a great tool, as it says in a single bit “I received this packet, but I can completely guarantee that it’s not meant for me”. Another similar mechanism is the “ICMP Host Unreachable” response, which says “You appear to be trying to send a packet through me to another machine, but although I’m not a bad place to send that packet through, I can’t seem to reach that machine just now”.

When you’re “Fully Stealthed” (or completely non-responsive, if you prefer), it’s like you’re a black hole, and neither the TCP RST flag nor the ICMP Host Unreachable errors are returned from your system.

That’s great, right, because it means that your attackers can’t tell you’re there? It’s like you’re a black hole, no one can see you, right?

That sounds good in theory, except that even black holes can be seen, because they don’t act like the empty space that might otherwise be there.

Similarly, a “Fully Stealthed” machine gives away its presence by occupying an IP address that will not respond at all when you try to contact it. Very much like a black hole, it’s clear that it’s there, because if there was nothing there, the upstream routers would be passing back ICMP Unreachable messages.

OK, so maybe they know that I’ve got a machine here, at this IP address, but it’s safe, because it’s Fully Stealthed – Stealth just sounds so cool, especially since it’s a verbed noun! It’s alright that I look like a hole to the rest of the Internet, because nobody can do anything to me!

Wrong again.

The attacker can pretend to be you, because there’s nothing you’re going to say about it.

Let me qualify that – of course, the attacker can’t use your password if he doesn’t know it, nor can he use your private keys. But he can use another thing that some sites use as part of the proof that you are who you claim to be.

He can use your IP address.

A few things prevent this normally:

The attacker never gets to see responses to his traffic – but for the most part, he may be able to guess these, and perhaps he can see those responses, if he’s sniffing your line, for example.
You get to see the responses to the attacker – this allows your computer to say “I received this packet, but I can completely guarantee that it’s not meant for me” – in other words, to send a RST back.
If the attacker can’t see his responses, he needs to guess the random sequence number that is supplied in the SYN-ACK packet. Again, this isn’t a problem for the attacker if he’s sniffing your line, but it’s also not a problem for the attacker if he can guess the sequence number somewhat reliably. This happens every now and again, as network stack developers fail to predict ways in which their own randomness can be predicted.

So, number 1 and 3 aren’t always a barrier – number 2 is definitely a barrier if the attacker needs to maintain the connection for more than a few fractions of a second, as the RST from the spoofed IP address will cause the server to drop the connection and ignore what the attacker is trying to do.

So, this is a valuable protection that a “fully-stealthed” firewall is going to throw away for you – the ability to spot when someone is spoofing your IP address, and to respond back to say “uh, that isn’t me – stop talking to him”.

A firewall should behave as if the machine is present but disinterested, and should actively refuse misguided connection attempts and responses, not merely ignore them. There’s a big difference between the two behaviours. Don’t use the sensationalist terminology of a poor substitute for an expert as a replacement for understanding of your risks and threats.

Windows 7 officially has a name

Alun Jones — Tue, 14 Oct 2008 17:41:39 GMT

So, what’s the scoop?

It’s going to be called “Windows 7”, according to Mike Nash posting at the Windows Vista Blog.

[Is it just me, or does Mike Nash look a little like the chef who got into trouble for inflating his resume in the opening credits to “Dinner: Impossible”? ]

How sneaky of Microsoft, to fool us into thinking that “Windows 7” was just the code name, when in fact it was also the release name!

Me, I think it’s because there was just no good way to include hints of the code-name in the final release name, like Microsoft have done in the past.

Think about it – “Cairo” spawned “Windows XP” – the Greek letters chi and rho are written: “ΧΡ” (lower-case is “χρ”) (if you don’t have the Greek font, that looks almost indistinguishable from “XP”). I’ll always think of it as “Windows No Parking”.

Windows 6 became Windows Vista – get it, six is “vi” in roman numerals?

So, Windows 7 should have been Windows Viista. Or maybe the name could have made obscure art-house movie references, and been called “A Vee and two ones”. Ah, but anything with VII in it might be perilously close to Intel’s VIIV product (currently residing in our “where are they now” file).

Perhaps this should make us think back to the last time a Windows client operating system was referred to by the word “Windows” followed by its version number – yes, “Windows 7” is designed to hearken back to “Windows 3.11”. Ah, yes, those were the days, indeed.

I can’t wait to see what’s coming in Windows 7, particularly things like Multi-touch support (though I have yet to purchase a system that has even single touch support).

Seven also marks Windows’ transition from an acid into a base.

Linux - unbreakable until when?

Alun Jones — Fri, 27 Oct 2006 21:17:00 GMT

Man, if I were dumb enough to claim anything as "unbreakable", I'd probably want to claim that you have a little bit more than two months of unbreakability (and yes, that is an unretouched graphic from Oracle's site).

Cousin Jeff notes that Mary Ann Davidson, head honcho of Security at Oracle, previously remarked on the previous "Unbreakable" campaign "What idiot dreamed this up?"

I think it's the same "idiot" that came up with the original version of this campaign. Marketing geniuses, all of them.

Internet Explorer 7 will be called ... Internet Explorer 7.

Alun Jones — Sun, 06 Aug 2006 15:07:00 GMT

Thank goodness Microsoft saw sense.

I can't imagine how many people would have asked me "where do I download the Plus pack for IE7?"

For once, this is a tale about a name I would have chosen.

BluRay - a bad name for high-definition?

Alun Jones — Mon, 26 Jun 2006 15:39:00 GMT

My attention was drawn to a graphic this morning that seemed to read "BLURRY"

Turns out, it's just a slightly out-of-focus and small picture of a logo for "Blu-Ray", one of two competing standards for high definition DVDs.

Seems like a bad idea to make its logo so easily misreadable as something that is the antithesis of its design.

But it's fun to point and laugh at.

Vista Bitlocker

Alun Jones — Fri, 10 Mar 2006 23:37:00 GMT

A while back, I said that my dream job at Microsoft would be to refuse dumb product names.

"WindowsCE?" I would say, "You do realise everyone will call that 'WinCE', which is something you do when you're in pain, yes?"

".NET Server? What does the OS have to do with .NET? Is it based on .NET? Do you have to run only .NET apps on it? Is its primary purpose to run .NET apps? Then it's not a '.NET Server' - go rename it." Okay, so someone else already fought that battle and won.

Today's example of "I wouldn't have called it that" is Vista's whole-drive encryption scheme, "Bitlocker". The most polite spoonerism of the word is "Bootlicker".

Don't ever name a product so that it can be accidentally mispronounced in a funny or rude way.

Which brings me to the name "Vista" itself...