Of course, the beauty of the digital age is that skill can be transferred electronically. Not every script kiddie has to create a trojan installer capable of loading the correct network interface, just one of them. Once one good trojan comes out to do that (and probably already has), it just gets shared by all in the underground. Furthermore, once a trojan has control over a machine, it can be used to run or install whatever, whenever, without the user necessarily even knowing it. So, the above trojan gets installed, connects home to ask what to do, and receives instructions to determine the OS and install the proper libpcap-style driver. Then, instead of rebooting the machine, it just sits and waits for some user activity to occur, forces a blue screen, and when the user reboots his/her machine, the trojan can now write raw packets. Gibson's concern over raw sockets is groundless, it seems to me.

Randy Graham

--
You're kind of trying to pick between "horrible disaster" and "atrocious disaster" -- Paul D. Robertson (on VNC vs. PPTP)

http://www.theregister.co.uk/content/2/19442.html - Mankind's greatest invention?

> -----Original Message-----
> From: Ari Weisz-Koves [mailto:ari@atwww.com]
> Sent: Wednesday, June 06, 2001 10:01 PM
> To: Firewalls@Lists.GNAC.NET
> Subject: RE: This is a must read document. It will freak you out
>
> Maybe he is grandstanding a tad, but I think the underlying theme of his argument is solid. The issue here isn't that you can't forge packets from Windows - he didn't explain that correctly, and that seems to be the point everyone is sticking on.
>
> The reason I see to be scared is that suddenly the mainstream operating system used by the least cautious people around, with the best application/OS integration providing the easiest trojan methods, will by default be able to be used for packet forging attacks.
>
> Correct me if I'm wrong with the details, but with Windows 95/98/NT/2000 wouldn't the trojan have to figure out the network interfaces, install a packet driver, reboot the system, then run itself again to begin the attack? Sure, someone out there is probably good enough to write this, but the majority of vicious virus-writing pranksters wouldn't have the skills to write one in a way that wouldn't suspiciously reboot the system or show up in some blaringly obvious way to the end user. Isn't this just above the skill level of the majority of virus writers? If the interface is already installed and easily usable through the standard APIs on the OS, isn't the danger that it just makes it too accessible to those who might want to cause such damage?
>
> Ari.
>
> -----Original Message-----
> From: firewalls-owner@Lists.GNAC.NET [mailto:firewalls-owner@Lists.GNAC.NET] On Behalf Of Jose Nazario
> Sent: Thursday, 7 June 2001 11:28 AM
> To: Irony
> Cc: Firewalls@Lists.GNAC.NET
> Subject: Re: This is a must read document. It will freak you out
>
> On Wed, 6 Jun 2001, Irony wrote:
>
> > http://grc.com/dos/grcdos.htm
>
> hype and hyperbole. please see today's issue of hackernews (06 june 2001) for some links to the discussion on this.
>
> in a nutshell, gibson, as usual, overstates things and enjoys the press's attention and omission of understanding. :P using winpcap and libnet, for instance, forged packets can be created already on any Win32 system, pre-XP.
>
> the internet is certainly in increasing danger, but not from XP any more than from the latest release of slackware Linux, for example. *shrug*
>
> 'must read' and 'freak you out' .. heh.
>
> ____________________________
> jose nazario
> jose@cwru.edu
> PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
> PGP key ID 0xFD37F4E5 (pgp.mit.edu)
>
> -
> [To unsubscribe, send mail to majordomo@lists.gnac.net with "unsubscribe firewalls" in the body of the message.]