Back to Top

Friday, January 09, 2009 revival - #1

After starting a one-man movement :-) to clarify the muddy waters created by Steve Gibson, I was relieved to find that I'm not alone in my opinion. The central site gathering all the information was, the domain registration of which expired somewhere around June 2007, and since than you can only find a domain parking page.

Fortunately, the Internet Archive has a copy of the site, and I will be republishing here parts of it (with added commentary where I feel that it is necessary) to make sure that it doesn't get lost. Enjoy!

The first one is rather long. The original text can be found at, which GRCSucks mirrored, and now I'm mirroring it. It clearly shows that while we would like to think that the Internet is the "ultimate meritocracy", marketing has the final word (or maybe it is a meritocracy, just that it uses other merits than knowledge and information :-().

It focuses a little too much on the nomenclature for my taste (it starts with the age-old hacker vs. cracker debate), it does point out many technical, objective errors in Steve Gibson's writeups. Unfortunately it is very rare (in fact I've never seen it, but maybe it exists just like the Lock Ness monster) for Steve Gibson to react to technical criticisms with coherent, technical arguments.

GRC dissected

David Ford <[email protected]>

I have extrapolated a number of statements and opinions that have been voiced and summarized or rewritten for clarity.  The meanings remain intact and some are purely mine.  The term *nix is used to generically represent operating systems such as UNIX, Solaris, Linux, OpenBSD, and the like.  The term m$ is generically used to represent operating systems provided by Microsoft Windows.  [(c) and (r) where appropriate]

In preliminary, some responses to statements made.

  • prove it or shut up.  It's already been done by numerous people
  • prove that you are not or shut up.  Read below.
  • sheep.  It entered your mind, not mine.

As to putting myself on display, such activities are silly.  I'm not a marketing droid with big buzz words and flashy lights.  There are numerous very good security related sites that I support, we don't need yet another web site trying to elbow it's way to the front.  As to GRC polarizing the world...ahh, oh-kay.  Laugh of the day?  If I had but a pinch of the derogatory diatribe said about me that is said about him, I would crawl under a rock and die.  He is likened to the blind leading the blind with plastic tools in an industrial plant.  I would dare you to stand up at a convention such as DefCon and say you support GRC.  Remind me to bring ear plugs to soften the laughter.

My ego is certainly not in front here.  It isn't hard for neophytes to compare to GRC.  His grandiose crys of Wolf! are for the media and...well, I'll sleep in while he claims the world is ending.

For those of you who are interested in learning the non-colored facts and getting the story straight I suggest visiting some websites like and  Another handy site that coders like to visit is packetstorm and securify.

One should also take note that even with no supporting clarification or facts backing up statements, the outpouring of laughter and derision alone should make you think twice.

As to supporting statements regarding bots being used for attacks and history, all one need do is a few quick clicks at their favorite search engine, perhaps browsing the eggdrop scripts archives, perhaps searching for IRC and bots and abuse...the number of hits should be quite a-plenty.

For the newbies, when there is such a negative aspersion cast, there is more than likely good reason for it.  The effort of making awareness is a great idea, but it'd sure be nice if the facts were right and there wasn't grandstanding with molehills and mountains.

P1. Why does it seem that all the people attacking GRC come from UNIX with hacker mentalities?

    Succintly in aside, hackers are not malicious, crackers are.  Your common *nix hacker knows a good deal about the inner workings of everything and deals in facts, not pandering.  He is often more interested in accuracy than social diplomacy and will be quick to make it known when there is inaccuracy.  A quote from GRC's Letter to the Internet's Hackers: 

It is my intention to carefully and completely explain, to the entire world, exactly why there is no defense against the sorts of clever Internet attacks you guys can create.

  • He should have correctly stated 'Crackers', not 'Hackers'.
  • There are numerous defenses
  • These attacks he has listed are no more clever than using his friends to egg your house until it's a huge puddle.  Indeed, in later words he turns completely around on this.

*nix users, often referred to as hackers tend to have a strong working knowledge if not in depth knowledge of how things work.  They also tend to possess skill which easily distinguish them from a neophyte.  m$ users are often cast in negative light because they rarely have dealt with the underlying structure of networking.  They understand buzz words and marketing hype but can't explain what an OSI layer really is or how data is classified in it.  Your m$ user typically will be completely lost looking at a stream of hex output when decoding a packet.  Your *nix hacker is likely to lose you with the fast flowing verbal notage as he jumps from number to number.

A *nix hacker's perspective is to figure out why something is doing what it's doing and fix it often without interrupting anything else.  By far and large and with a ratio that towers over others, the most common first response on a m$ problem is to reboot and see if it does it again.  A joke that's gone around the world many times comparing your vehicle to m$, if it doesn't start, everyone get out of the car and get back in and try again.  Your *nix person will run a most likely checklist and be quick to point out that you're out of gas.

*nix people have given something to the world.  They just haven't wrapped it with a Marketing droid.  The differences between *nix and m$ are like a battleship that has been hardened over time and the fancy cruise 40ft'r that keeps breaking down with every bump, squall, and snaggle of seaweed simply because it wasn't designed for the environment it's in.  m$ has a long history of incredibly dumb bugs.  That's my opinion, but even GRC maintains the flaws of m$ and who might I be to argue with that...

There are a LOT of resources on the net, in print, etc.  *nix gurus don't need to hold your hand for you to take a step.

P2: Truth in advertising, misrepresentation of facts, and blatant media pandering.

    Read this letter, .  What can a person do about an attack?  First, analyze what kind of attack it is then the most blunt form of response is to filter that particular packet type by source, port, or type and if your link cannot handle it, make the request from your upstream.  Every respectable upstream provider will happily put up such a simple filter on their ingress ports because it is likely affecting them and/or their other customers.  There is nothing about these DoS attacks that are professional.  Such attacks are disgraceful and show a lack of maturity.

Let's take a look at another GRC page :

Notice carefully how GRC has constructed a pretty graphic with void definition and uses it to say how it obscures the mechanisms used by malicious hackers to evade responsibility and detection.  Does anyone not catch the media specific wording and the lack of attributed value?  Read on.  GRC inaccurately explains how a TTL is used with packets and routers. Routers do not make a supervisory packet when the TTL reaches 0 and the packet ICMP type that is returned is not "unreachable destination".  Routers utilize an Internet Control Message Protocol (ICMP) packet to notify the source IP that the TTL expired.  The ICMP code used is ICMP_TIME_EXCEEDED.  It is an altogether different response that indicates a destination is unreachable, some types are listed for your perusal.

#define ICMP_NET_UNREACH        0       /* Network Unreachable          */
#define ICMP_HOST_UNREACH       1       /* Host Unreachable             */
#define ICMP_PROT_UNREACH       2       /* Protocol Unreachable         */
#define ICMP_PORT_UNREACH       3       /* Port Unreachable             */

A few statements more we read the following:

Today, it is generally true that an Internet data packet may be generated by any computer connected to the Internet, may enter the network at any location, and will be immediately routed to any destination machine specified. Only the Destination IP address is examined — no concern is given to the packet's Source IP address — and no record of the packet's route of travel across the Internet is retained. The packet's Source IP is the only statement of the packet's origin.

If an Internet data packet were carrying an incorrect Source IP, no router or system on the Internet would know or care until the packet arrived at its destination.

Since the inception of the Smurf attack years ago, the ability to spoof source addresses in packets and insert them into the network from any point has become much harder.  It is very common these days to find that your upstream provider blocks any packets with a source IP that does not belong to their IP pool.

Let's cover a few random notes through GRC's various pages for the moment.  GRC makes a distinction between IP masquerading and NAT.  NAT is network address translation.  It comes in three forms.  1:1, 1:many, and many:many.  IP masquerading is most commonly associated with the 1:many form; there is no distinction.  MAC addresses according to GRC are absolutely unique and unchangeable.  Incorrect, every common PCI card on the market today allows you to set the MAC address in soft mode (it will be reset upon power restart) and many of them allow you to permanently change the MAC address.  

GRC is quick to say that
"but in this case every existing machine with a network adapter — regardless of processor — has already lost its anonymity!"  Which is quite misrepresenting the facts.  There is only one specific vendor's OS whose packet traffic 'normally' provides this information.  m$.

About bindings and network protocols.  GRC goes into great detail on how you can make your system incredibly more secure by arranging bindings in a particular structure.  Let me point out here that TCP/IP is the language spoken on the internet, NetBEUI and IPX/SPX cannot transit the internet without encapsulation.  In other words, much ado over with little to gain.

In his test of security by probing your machine, I'll drop my firewall and make all ports available; note that I have also enabled well known security weak services.

  Attempting connection to your computer. . .
Shields UP! is now attempting to contact the Hidden Internet Server within your PC. It is likely that no one has told you that your own personal computer may now be functioning as an Internet Server with neither your knowledge nor your permission. And that it may be serving up all or many of your personal files for reading, writing, modification and even deletion by anyone, anywhere, on the Internet!
Please Note: On highly secure systems this may take up to one minute . . .
  Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
  Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.

Hmm. Dare I say that until I put my firewall back up and shut down the hazardous services, I am certainly not highly secure nor do I have any advanced computer port stealthing capabilities.  Port 139 packets simply got a reset packet in response to the probe.  Nothing is firewalled and there are no stealhing capabilities engaged.  I continue with a standard GRC port probe.  Again I am not very surprised when the response is inaccurate.  I don't have any stealth ports as is reported to me and the recommendation that I shut down

About the nanoprobes :

Our NanoProbes are tiny, hand crafted, intention-directed packets consisting of just 224, 320 or 352 binary bits:

A Typical NanoProbe

This is a schematic of a functional 224-bit NanoProbe. If this particular probe were
to be dropped into the Internet, it would route itself to the machine at IP address
[ ] which is the United States NSA (National Security Agency). This
NanoProbe asks the machine to verify its existence on the Internet. Interestingly,
although we know a machine exists there, no response has ever been received....

How does one assign intention in a packet?  If anyone has taken the time to take this apart, it doesn't match up.  Possibly this is only data from the packet body. More interestingly, a response is received.  ICMP message of 'destination unreachable'.  Probably firewalled is my guess, wouldn't you?

P3: Naivety

    Let's take this statement from GRC and reflect on it.  " ... I was walking back to my office with a fresh cup of coffee, thinking about the immensity of this Windows security problem. That's when it hit me: I could determine the IP address of someone browsing the pages of my web server ..."  Hmmm.  I'll skip the retort but suffice to say, if your server doesn't know the IP address of the requestor, how could it return the requested data.

" A firewall ABSOLUTELY ISOLATES your computer from the Internet using a "wall of code" that inspects each individual "packet" of data as it arrives at either side of the firewall — inbound to or outbound from your computer — to determine whether it should be allowed to pass or be blocked. "

A firewall does nothing without having been properly configured.  He goes on to say that someday firewalls will be standard equipment on all {PCs}.  Note that I make editorial corrections.  Firewalls have been available on personal computers for over ten years.

Later in this discussion about firewalls, GRC muddles the definitions what bits are associated with what types of packets.  He appears to only be aware of TCP packets and not aware that UDP is stateless, not requiring acknoledgement packets or session setup.  There is nothing wrong about being naive, only that you misrepresent yourself as an expert and pander to the media as such.

  I think my system is already infected by a Trojan horse program.
Will a firewall help me?
  Sure, absolutely. Since a firewall checks, scans, and blocks traffic flowing both ways through it, both into and out of your computer, you should be able to easily prevent unauthorized communication by a Trojan horse program. Note, though, that you should also really consider removing that suspected Trojan from your machine. It's just not safe having a bad program running inside your machine. You can never know for sure what it might do!

Again he postures that a firewall is an absolute help.  A firewall is useless without being properly configured, even worse a misconfigured firewall can represent a greater security risk.

  Is a software firewall running on a machine less secure than a completely separate hardware firewall peripheral?
  In an "absolute" sense I suppose that no software solution could be as safe as having a separate "appliance" acting only as a firewall. However the least expensive of those costs about $350 US, whereas there are extremely effective software firewalls that are completely free.

If you're asking whether software firewalls can be in some fashion "penetrated" or compromised by external software, the answer is absolutely not. Due to the way these packages operate they are invulnerable to external attack and they are more easily updated as new types of attacks are discovered.

Sadly he again perpetuates absolutes where he is "absolutely" wrong.  All firewall devices that I'm aware of use software...and I've seen far too many security updates on firewall products to allow for any accuracy in his statement.

  I'm using NAT (Network Address Translation). Doesn't this means that I'm pretty safe?
  Yes. Network Address Translation such as the Internet Connection Sharing (ICS) built into the second edition of Windows 98, allows multiple computers to share a single Internet connection. This is accomplished by assigning "private" IP addresses to the sharing machines. Since the external Internet sees only the single IP address of the NAT translating computer, there's absolutely no way for external Internet scanners to reach past the translating computer. This creates a high degree of security for the machines "behind" the main NAT computer.

Apparently he is not aware of methods some of the smarter hackers can use to blindly sleuth out routing and get seemingly insipid data past a NAT device.  NAT may hide things very well but it is not a perfect solution.

I again believe that I'm writing about and discussing something that's in the very early stages of BECOMING A HUGE PROBLEM for all Internet-connected Windows users. The following pages describe highly effective proactive measures that anyone can take to "raise their shields" against the forthcoming onslaught. But first, you need to know about the "Password Crackers" so please read on . . .

If anyone cares to enlighten Mr. Gibson, we need to step back many years to point out the beginnings of security problems.

Let's talk about the DoS page he put up :

It is impossible for an application running under
any version of Windows 3.x/95/98/ME or NT
to "spoof" its source IP or generate malicious
TCP packets such as SYN or ACK floods.

Do I need to point to the numerous emails that have already proven how easy it is to roll your own and go?  Again, naivety is ok but making bold statements purporting fact such as this is more damaging than supportive.  His next statement clarifies this slightly but he again takes the stage saying that modified operating systems are irrelevant.  I'm sorry to say that the typical windows user has had more than one virus infection which has modified system files.  This is certainly a relevant factor.

Why Windows XP will be the
Denial of Service
Exploitation Tool of Choice
for Internet Hackers Everywhere

Any credible cracker or hacker has long since recognized that he has much more power and capability in *nix systems.  *nix gives you the ability to do nearly anything you can dream up in bit land.  Even that may be an understatement.

Spoofarino, a grandios name with much hoopla.  Hundreds of programs have been written for years that forge spoofed packets.  'tis like getting excited over color TV. His page  has numerous comments about how difficult it is to properly filter.  This filtering and ability to locate bad traffic at an ISP should be very easy...frankly, if you don't know how to do this, you shouldn't be wearing the Network Engineer hat.  Your journeyman apprentice should have learned how to do these things his first year.

As to raw socket support, the operating system itself certainly does have the support.  The API layers in between the wire and the userland program may not be fully connected but that doesn't mean it doesn't exist.  Think about it for a moment and you'll realize that somewhere "deep in the kernel", a socket is created out of nothingness and values are filled in.  All network devices must be capable of this support.  Accessing this support is a matter of choosing your tool.

Note: I am FULLY aware that full raw socket-style access can be created by modifying any standard Windows operating systems through the addition of third-party device drivers. I have been a user of such tools for years. However, as I demonstrate below, aftermarket operating system modifications have proven to be irrelevant to the purposes of malicious hackers.

Hmm.  Why does he ramble on for (long) page after page about the incredible and amazing dangers of raw socket support in XP AND goes on and on about how insecure m$ is and that files can be accessed and replaced with the utmost of ease.....and he turns right around and says that it is irrelevant?

Are there two kinds of crackers here, one puts trojans on your system but he refuses to install support for raw sockets, and one who installs support for the raw sockets but only on his personal machine?  GRC panders to the media with flashy graphics and show business words.  His content is often refuting itself and often misleading altogether.

If "Junior" and his XP gang (also taken from the winxp page) wanted to spoof packets without much skill in stack support, I'm quite sure they would have acquired a form of *nix long before this future dramatical story of WinXP will take place.

His calculations for a SYN packet size are incorrect and can certainly be different.  Depending on the target system it will react very different from a SYN flood.  I can sit and watch a *nix server handle a syn flood with deference.  All this noise about raw sockets in XP is like making a big fuss that you're getting wet from a drizzle when the dam just broke five miles up from you.

The huge number of Windows XP machines will motivate
hackers to find new ways into those machines — AND
THEY WILL.   Then users of Windows XP machines will
become the most sought-after target for penetration.

Here he calls this a corollary.  Part of this is certinaly true.  Along with the plethura of any new toy comes the desire to play with it.  However I fully disagree with the last sentence, I do not doubt that *nix systems are a much more appetizing treat due to their powerful abilities.

When those insecure and maliciously potent Windows XP
machines are mated to high-bandwidth Internet connections,
we are going to experience an escalation of Internet
terrorism the likes of which has never been seen before.

Hmm, my adrenaline hasn't jumped.  Actually this is getting boring.  Rarely do I like taking m$'s side but here I must.  m$ has been doing an admirable job cleaning up their code.  Unfortunately they started repairing and redesigning the house long after the house was built.  They have a long ways to go.  I sincerely believe that XP will not be the horror that GRC is grandstanding about.

Continuing on...

From Jargon File (4.2.3, 23 NOV 2000) :
  zombie n. [Unix] A process that has died but has not yet
  relinquished its process table slot (because the parent process hasn't
  executed a `wait(2)' for it yet).  These can be seen in `ps(1)' listings
  occasionally.  Compare orphan.

Having misrepresented the proper names again, GRC calls the DoS bots Zombies.  Background processes are more commonly referred to as daemons or...background processes!  There is no relation to a zombie process for m$ in the available dictionaries.

However, the hackers were apparently watching our success at blocking their attacks. So two hours later the attack resumed, this time aimed at one of the two T1 interfaces of our Cisco router. This again knocked us off the Internet because malicious traffic was again crossing our bandwidth-limited T1's to our local router. Back on the phone to Verio, we decided to completely shut down that T1. GRC.COM limped back onto the Internet running on a single T1.

Here I feel the need to point out that it's a simple and wise consideration that many network engineers take; use unnumbered interfaces or use private IP space numbering when connecting interlink devices.  Had the routers been properly configured with 10.0.0.x/24 for example, the attack could never have happened in the first place unless the attack originated within Verio's network space.  And if that happened, there are much more alarming things to worry about.


The attacking Windows machines generate maximum-size 64k byte UDP packets, but only the first 1500 byte "fragment" of each packet carries the packet's port "666" destination. Therefore, for every identified "666" packet blocked, approximately 43 additional maximum-size "packet fragments" were also blocked. We therefore estimate that our filters running in Verio's router blocked at least 538,916,268 malicious packets that night.

Hmmm.  Let's do the math again.  Cisco's don't magically record the first frag packet and invisibly drop the rest.  Either it was all counted or the majority of the attack got through and seeing how he states that GRC was still online, I'll take the first.

I wanted these attacks to stop, but I was certainly in no position to make any "parental" demands of "Wicked". While we were essentially functional, hiding behind our router filters, we could not remain behind them forever. We were unable to send and receive "ping", "trace route" and UDP fragments — all crucial requirements for full Internet function. In the long term this would pose serious problems for the delivery of GRC's Internet security testing services.

It's very easy to selectively grant packet travel and also easy to allow traffic based on given rules, session establishments, and a variety of methodologies.  A cisco router is nothing but a computer specifically designed to route packets.  You can use a variety of firewalls such as those that exist on Linux and *BSD that have a fast path design to handle the load and you can weather a heavy packet storm without worry.  A heavy use router shouldn't be acting as a firewall in the first place.  Firewalls are firewalls and routers are routers.

On an off note here, I'll comment that GRC goes to length to say how @home is a haven for abuse.  I'd like to point out that in my neck of the woods, is both knowledgable and responsive regarding security.  I'll also say with a bit of a dour note that my professional experience with the FBI has led me to "wince and bear it" while doing a job.  Sometimes you can get an agent that has a clue but it isn't often.

This next section made me smile, I'll post it then comment :

While I was watching this sad drama, suddenly and with no warning everything went crazy: The packet sniffer's packet display became a blur as its scrollbar "thumb" rapidly shrunk to its minimum size. Thousands of packets were being logged per second! Since I was nervous during this first incursion into hacker territory, my first thought was that I had somehow already been discovered, and my little "Sitting Duck" laptop was under attack.

But the cable-modem I was using to guarantee my anonymity revealed the truth: The RECEIVE light was dark, but the TRANSMIT light was ON SOLID!

I immediately shut down the Zombie-infected PC and scrolled the packet log back before the beginning of the attack. I found the command that the Zombie running in my laptop had received just before all hell broke loose . . .

My laptop had participated in an all-out Denial
of Service attack against a machine in Finland!

Yikes! This was unacceptable. I wanted to keep active Zombies running here so that I could study their behavior, but I could not have them participating in Internet Denial of Service attacks. So I hacked the Zombie to kill its ability to send damaging packets.

>From that point on I ran only
"Attack-Neutered Mutant Zombies"

Woah.  The light dawns on the era of bots. (Actually it's been on for years.) A cable modem guarantees anonymity.  That's a new one.  Any responsible investigator would have placed a firewall in the middle and logically decoded the program before running it.

Pulling the plug on your machine simply because you find that port 113 is being listened to is..well, humorous.  Please, know more about what you're doing and why and how you are reacting.

To anyone who is still stubborn enough to insist that BlackICE Defender is actually good for something: PLEASE do not write to me. I don't want to hear it. I'm a scientist who will not find your mystic beliefs to be compelling. I respect your right to your own opinions, no matter how blatantly they fly in the face of logic and reality. That is, after all, the nature of faith. Happy computing. I suggest prayer.

Hmm.  Might I suggest he entertain his own self with prayers.  We have now some examples where his logic refutes itself within his own website.  He writes letters to the internet's hackers soothing their egos about their cleverness then turns around and state the attacks had no finesse, no cleverness.  He uses terminology in mixed ways, calling a widget X at one time and Y at another time.  He has pulled "hacker words" and used grandiose highlighting to bring attention to statements that have no sharpness to them.

In short, this attack can be summarized into the following: was hit by several DoS attacks on <dates> using icmp and udp floods.  these floods are typical of the particular irc flood bot <insert short description blurb>.

The summary can be fleshed out with facts but it is hardly worth the huge media hyping and pandering.  If an omniscient being could tally up for us on a web page the number of DoS attacks related to IRC alone, I'm sure you'd lose interest after the first dozen lines.  IRC related DoS attacks are frequent and if we were to count EFNet alone, we would measure thousands per day. All one need do is find a source of information and keep their mouth shut and they'll soon realize that it's a nasty world out on the internet.

Now you've had a long read with no shouting matches going on.  Go forth and learn.



Post a Comment

You can use some HTML tags, such as <b>, <i>, <a>. Comments are moderated, so there will be a delay until the comment appears. However if you comment, I follow.