Steve Gibson Interview
Steve Gibson Interview, September 8, 2004:


Hi Steve, thank you for agreeing to participate in this interview. First, for those who do not know you, can you describe who you are and your background?

I have been directly involved in the personal computer industry from its start. I created several products for the first wave of home computers: high resolution light pen hardware and software for the early Apple II, Atari and Commodore machines. Then several years later, as IBM-based personal computers finally began to take hold, I started creating commercial software products for them. My first was 'FlickerFree' (a Video BIOS enhancement for the original IBM PC), then SpinRite (for the past sixteen years the PC industry's leading hard disk data recovery software), and 'ChromaZone', a video palette animating screen saver for Windows.

During that time, for eight years at the start of the PC industry I wrote the industry's top-ranked weekly technology column 'TechTalk' for InfoWorld Magazine.

I have always loved technology, and I started playing with electricity when I was only four years old, so I have been at this for 45 years. Technology is a true passion for me, and it's what I always knew I wanted to spend my life working with.



You are the founder and owner of www.grc.com. When and why did you create it?

The Internet is the best thing that ever happened to me. With the early success of SpinRite back before the Internet existed, Gibson Research grew to a staff of 23 people doing marketing, sales, technical support, product development, bill paying and invoice collecting. I had many departments, and all sorts of things happening all the time. Running the company was fun for a while, but as the company's President I had become a 'manager' and was no longer a technologist. I was holding 'department meetings' all day, negotiating distribution contracts and health insurance plans, while other people were getting to play with computers and I 'managed' the whole thing. It wasn't long before I hated it.

So as the Internet started to happen, I realized that it would allow me to create a 'virtual' company where a web site could be accessible to anyone in the world for our sales and marketing. And customers could purchase software online, paying for and receiving it immediately. Technical support could be performed through eMail and newsgroups. This would eliminate twenty people who could be replaced by automated web site technology and who I would no longer need to 'manage', so I could return to working with the computer technologies I love.



You have created various useful utilities, one of them was 'Leaktest', a firewall tester tool. Can you tell us what it is exactly, why you did it, and the story behind it?

Before talking about LeakTest, I should probably explain about 'ShieldsUP!'.

One day I realized that many Microsoft Windows machines connected to the Internet were completely 'wide open' due to having Windows file sharing running without any protection. Their users had no idea that the contents of their entire hard drives were exposed to the entire Internet. This was before personal NAT routers and personal firewalls existed. So I created the first ShieldsUP! system and web pages to educate people about the dangers of Windows file sharing and help them shut it down to protect themselves. The ShieldsUP! service has evolved since then to become the most popular remote Internet port testing service on the Internet.

I have always been a believer in the fundamental rights of the end-user. So I have been very annoyed by 'corporate' exploitation of people who don't understand how computers work. I have trademarked the phrase 'It's MY Computer!' to be said as a battle-cry, telling everyone to keep their hands off. MY computer is not their marketing machine to be filled with their advertising software and spyware. I don't want to be tracked as I move around the Internet. MY computer is MY tool for MY use, it is not theirs. Period.

Not long after I installed the first version of ZoneLabs' ZoneAlarm personal firewall in my machine, it popped up a notice saying that something called 'TSADBOT.EXE' wanted to use my Internet connection to 'phone home'. Yeah, like hell. I found it and removed it from my system, and I became a true believer in the need for personal firewall software to manage, watch and alert on all unexpected outbound Internet traffic from personal computers.

But not long after that, there was news of another even worse spyware from a company called 'Aureate'. Because 'It's MY computer', I immediately wrote OptOut, the world's first spyware removal tool, and made it freely available on my web site. OptOut was downloaded by millions of people and found and removed the privacy threatening 'Aureate' advertising spyware from hundreds of thousands of computers.

As the idea of personal firewalls caught on, many other companies started making personal firewall products similar to ZoneAlarm. I thought that was great since competition is a good thing (especially these days now that ZoneAlarm has become a bloated feature-overloaded corporate monster compared to the many much smaller and leaner pure personal firewalls). But it turned out that all of the other personal firewalls (other than ZoneAlarm) were easily tricked into allowing malicious programs to run simply by renaming the malicious program to the name of a permitted program like Outlook Express or Netscape.

In other words, ZoneAlarm was using a true digital signature (a cryptographic hash or message digest) of the permitted programs. But all of the other outbound blocking personal firewalls were simply using the program's filename. That was so lame (and so easily bypassed) that I wrote the world's first personal firewall 'LeakTest' program to simply demonstrate to any personal firewall owner how insecure their so-called secure firewall was. The news of LeakTest spread quickly and users of other firewalls were quite upset with the 'lameness' of their firewalls. Within a few months, every single one of the personal firewalls which LeakTest was showing as insecure was upgraded by their publishers to employ much better cryptographic digital signature verification.

LeakTest did the job I designed it to do: To demonstrate this serious and easily exploited problem to end users and to induce the personal firewall industry to fix their dumb products - which they all quickly did.
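The filename-versus-digest distinction described in this answer, as an added illustration that is not part of the original interview and not LeakTest's own code: a naive allow rule that trusts any executable with a permitted file name, beside a rule that keys on the file name but only admits an image whose SHA-256 digest matches the one recorded when the user granted permission. The executable images, the file name `mailclient.exe` and the path used are constructed sample values.

```python
from __future__ import annotations

import hashlib
import hmac
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowEntry:
    """One 'permit outbound traffic' rule recorded by a personal firewall."""
    name: str      # file name of the program the user approved
    sha256: str    # hex digest of that program's bytes at approval time


def fingerprint(image: bytes) -> str:
    """SHA-256 hex digest of an executable image."""
    return hashlib.sha256(image).hexdigest()


def allowed_by_name(path: str, allowlist: list[AllowEntry]) -> bool:
    """Weak policy: trust anything whose file name matches an approved program.
    Only the path is consulted, never the file contents."""
    base = ntpath.basename(path).lower()
    return any(base == entry.name.lower() for entry in allowlist)


def allowed_by_hash(path: str, image: bytes, allowlist: list[AllowEntry]) -> bool:
    """Strong policy: the file name selects the rule, but the program's bytes must
    hash to the digest recorded when the user approved it. A renamed program
    carries different bytes and therefore a different digest."""
    base = ntpath.basename(path).lower()
    digest = fingerprint(image)
    return any(
        base == entry.name.lower() and hmac.compare_digest(digest, entry.sha256)
        for entry in allowlist
    )


# Constructed stand-ins for two executables (not real PE files).
MAIL_CLIENT_IMAGE = b"MZ\x90\x00 constructed: genuine mail client image"
LEAKTEST_IMAGE = b"MZ\x90\x00 constructed: harmless leak-test program image"

# The user once approved the genuine mail client; the firewall stored name + digest.
ALLOWLIST = [AllowEntry("mailclient.exe", fingerprint(MAIL_CLIENT_IMAGE))]

# Constructed scenario: the test program has been copied over the approved name.
RENAMED_PATH = r"C:\Temp\mailclient.exe"


def leaktest_scenario() -> dict[str, bool]:
    """Decisions each policy makes for the renamed test program and for the
    genuine client, so the two approaches can be compared side by side."""
    return {
        "name_policy_allows_renamed_program": allowed_by_name(RENAMED_PATH, ALLOWLIST),
        "hash_policy_allows_renamed_program": allowed_by_hash(RENAMED_PATH, LEAKTEST_IMAGE, ALLOWLIST),
        "hash_policy_allows_genuine_client": allowed_by_hash(RENAMED_PATH, MAIL_CLIENT_IMAGE, ALLOWLIST),
    }


if __name__ == "__main__":
    for decision, verdict in leaktest_scenario().items():
        print(f"{decision}: {verdict}")
```

The name-only rule lets the renamed program through, while the digest rule rejects it and still admits the unmodified client. The same digest rule also means a legitimate program update changes the digest and must be re-approved, which is the price of binding permission to the bytes rather than the name.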



One of your past warnings was about the Raw Socket support in Windows. Microsoft seems to have listened to you and has removed the Raw Socket support in Windows XP Service Pack 2, at least for TCP and ICMP. What do you think the benefit is? Have raw sockets been used by malware?

What I predicted with Windows XP and raw sockets came true: Every new malicious DDoS attack tool created started taking advantage of WinXP's support for raw sockets. This allowed them to launch much more powerful, impossible to filter, and damaging DDoS attacks.

After the MSBLAST worm targeted Microsoft by launching a DDoS attack against them using Windows XP raw sockets, they finally understood what I had been trying to tell them, and took steps to remove raw socket support from Windows XP.

Unfortunately, Microsoft did this the lazy way by leaving raw sockets in the base operating system and attempted to block their use with the new Windows firewall service. So now, all any malicious software needs to do is simply stop the Windows firewall service (which anything malicious would probably want to do anyway) and full raw socket support returns.

So, while it appears that Microsoft did finally get the message I was trying to send them, they implemented the 'cure' not by removing the dangerous feature itself, but by covering it up in a way that's very easily uncovered. As a result, nothing was really helped in this regard by Service Pack 2 of Windows XP, although many of the other enhancements brought by SP2 are very terrific and quite welcome.



On this website, firewallleaktester, there are all of the known published leaktests which came after yours. What do you think of them? What are the benefits for the end user?

I think that your site is a terrific resource for end-users interested in true personal firewall security and that you are performing a real service for security-conscious end-users and for the personal firewall industry. Every time I am reminded that these MANY known and SERIOUS privacy leaks are still being ignored by the personal firewall industry, I think that I need to update my own old LeakTest to address some of these newer problems. With my high-traffic web site and history with LeakTest v1.0, I might be able to rekindle interest in the issue of personal firewall leaks and perhaps motivate the vendors to again fix their (very) broken products.

The tremendous value of your site for end users is to remind them - with clear and vivid demonstrations - that they cannot count on their personal firewalls for total protection. All personal firewalls are useful for blocking incoming traffic, but most are, to varying degrees, not protecting them from the actions of malicious 'spyware' after it gets into their machines.



Do you think that the published leaktests represent all or almost all possible ways to bypass the firewalls, so that being protected against all of them means being safe, or do you think that there are more exploits possible?

Although it is certainly theoretically possible to create a perfectly secure system, it is not actually possible in practice. And even if you were to start off with a 'perfect' and secure operating system, the instant any system is 'open' to running any additional software, that system's security is instantly compromised. 'Security' and 'openness' are mutually exclusive concepts with today's operating systems. It would be possible to create a truly secure operating system with absolute application and device driver isolation and protection, but no one has anything like that today. What we have today is a big security mess.

Windows was never truly designed to be secure. The NT family (NT/2000/XP/2003) has some structures of security, but far too many 'exceptions' are available to make them useful. (As many of the newer leaktest programs clearly demonstrate.) Over and over we see example after example of Microsoft always choosing and preferring user convenience over security. Truly secure systems are much less 'fun' and less convenient to use since people WANT to do insecure things - like download and run some cool extra utility software or click on the link their friend sent them in eMail. But in today's operating systems, that cannot be secure. The instant any software is run under Windows, the system's entire security is open to compromise by that software. Microsoft makes claims about how it's possible to secure user accounts, but that's not really true. Hackers know that all sorts of things - like device drivers - need to run in the system's security context, and it's easy to trick users into trusting some software, especially when they believe their system is safe and will protect them from such abuses - which it won't and can't.

So, no. For the present time, in the present climate of the way we use and interact with computers, and with our current operating systems, there is and can be no true security. These systems are just big fancy and complex toys. They are 'secure enough' for many and even most casual uses, but they are definitely not secure enough - and cannot be - to be trusted with anything truly important and crucial.



Currently, we see viruses and worms, Trojans and spyware, all of them spreading rather quickly through unpatched Windows computers. Insufficiently protected, they are real threats, not theoretical tools to inform the user like the leaktests. What kind of exploits are they generally using? To which leaktest method can they be compared most of the time?

This relates perfectly to what I wrote just above. Users don't understand the complex computers they are using, so their own behavior is not secure. They still click on links and programs they receive in eMail. Any time any software is 'invited' into a machine and allowed to run - even without 'administrative' permissions - that software can do pretty much anything it likes and it has the opportunity to take over the system, either just a little bit or completely.

Clever software is not in a hurry, so it will plant 'hooks' into the system that won't take hold until the next reboot, but at that time it can 'unhook' some of the system's protective systems and gain an advantage and foothold. There are always ways to get in.

This does not mean that we should all just give up. That's not the way security works. It is still useful to be using the most secure personal firewall possible, and any known problems should be removed from it. But the end user should never make the mistake of thinking that they are perfectly safe. So long as they install ANY third-party software in their machines, they are opening the door to giving that software free rein over their system.



About the leaktests precisely, who do you think should work against them: the firewall vendors, or other security products such as security suites or sandboxes which are already pretty efficient against them? Is there a radical 'leaktest solution'?

I don't believe there is an overall 'leaktest solution', just as there is no single universal 'virus solution'. What one person can design someone else can find a way around. The most practical working approach is to have and use all the security that's available, but never make the mistake of believing that it is perfect.



On this site I try to give advice to help users secure their computers. What would be your advice to fight common threats such as spyware/trojans and worms? What are the common mistakes of infected users?

There are dangers both from the outside and from the inside. Any inexpensive NAT router - with its UPnP support disabled! - acts as an extremely good hardware firewall to protect against 'external intrusion'. The problem with trusting any personal software firewall for protecting against 'external intrusion' is that since it is running in the same computer as it is trying to protect, it is subject to being turned off or shut down - leaving that machine potentially wide open to any packets coming in from over the Internet. Today, any unprotected and unpatched Windows machine is infected within about 30 seconds of being connected to the Internet. This is much quicker than in previous years. It is just not safe to be unprotected on the Internet. So using any inexpensive $49 NAT router, even if you only have a single computer behind it, is really terrific protection - much better than relying only upon a personal software-only firewall.

Note that the NAT router's support for 'UPnP' should always be disabled immediately since UPnP allows malicious software in the user's computer to reprogram the NAT router to open holes into the computer(s) behind it!

Dealing with 'external intrusion' handles external malicious Internet traffic, but it doesn't help with 'internal extrusion' - where some malicious software has already managed to crawl into the user's computer, is 'spying' and potentially using the user's Internet connection to 'phone home' and send personal, private, and confidential information to outside parties. Since Windows is not truly a secure system, it should never be trusted completely. So the problem of 'internal extrusion' should never be dismissed completely. All the user can do is practice safe computing (don't open programs sent by anyone, even people you know and trust, and don't run 'questionable' software from unknown sources), use the best personal firewalls to guard against and detect anything which is trying to spy on them and 'phone home', and periodically scan their computers for the presence of Trojans and other malware.



As you have warned many times, Microsoft Windows is the most common source of vulnerabilities, packaged with many features enabled by default, and giving an incredible power to every application, even the power to inject code into others; Windows provides the functions to do that. What do you think of Windows XP SP2, and what do you think Microsoft should do to further secure their OS?

We have already seen the great many complaints Microsoft has received for 'breaking' many applications and Windows features with the release of Service Pack 2. Unfortunately, trying to secure a super-complex and insecure system is probably not possible. And even tightening the security a little results in screams of pain from vendors and users whose favorite programs no longer work.

Nevertheless, Service Pack 2 is a HUGE step forward for Windows security. It obsoletes all of the other freeware I have written over the past few years (DCOMbobulator, Shoot The Messenger, Unplug n'Pray, Xpdite, etc.) to lock down and disable many unnecessary and insecure services that should never have been running in the first place. So SP2 is a terrific improvement in XP's overall security. And having the Windows firewall running by default is long overdue and very welcome. But Microsoft is still running about five years behind and programs running inside the system can still do pretty much anything they want without raising any alarm from Windows - as the various leaktesting tools on this site conclusively demonstrate.

I doubt there's anything Microsoft can do to improve upon the current situation without breaking too many additional applications. The lesson is this: Programs running inside a Windows system can do pretty much anything they want. Period. And that's not going to be changing for the foreseeable future.



Before you leave us, Steve, do you want to speak about something, or tell us something in particular?

My main advice to parents of younger Internet-using kids is never to try sharing a computer with their children. There is no safe way to share a computer with someone who opens eMail attachments, downloads software and 'gizmos' from the Internet, shares unknown software with their school friends and uses peer-to-peer file sharing programs. In any household with kids, the parents should have a computer that is permanently and forever off-limits to the children, and the children should have their own machine(s). Computers are inexpensive enough now that 'giving the kids their own' is definitely the best security policy.

Then the parents can have some reasonable chance of using their own computer safely and reliably. And when the kids' machine collapses under the weight of hundreds of viruses and Trojans and spyware fighting each other for control of the machine, as will certainly result from the kids' inherently unsafe use of the Internet, their machine(s) can be reformatted from scratch, be set up fresh, and then repeat the process of dying from unsafe exposure to the Internet.



Thank you very much, Steve, for the precious time you spent with us; we know you are a busy person. We wish you all the best in the future.

Thank you for the opportunity to address your web site's visitors and readers. I hope this wasn't too long, and that your users may have found something useful in my replies to your questions.

Best regards,

Steve Gibson, President

Gibson Research Corporation

