Microsoft Disputes WMF Backdoor Claim

By Ed Oswald | Published January 13, 2006, 8:08 PM

Microsoft has directly responded to accusations by security researcher Steve Gibson, who claimed the company intentionally left the Windows Meta File vulnerability open as some kind of "backdoor." The company says the function in question exists because of legacy code, not any nefarious intent.

"This was not a mistake. This is not buggy code. This was put into Windows by someone," Gibson said on his podcast called Security Now. "I believe that some very clever and industrious hacker figured this out, started using it and Microsoft was caught off guard and thought: Whoops, we've got to close this backdoor down."

The resulting firestorm created by Gibson caused Microsoft security program manager Stephen Toulouse to respond to those claims on Friday.

"The long story short is that the vulnerability can be triggered with either correct or incorrect metafile record size values, there seems to have been some confusion on that point," Toulouse said.

The vulnerability resides in the function "SetAbortProc", which allowed print jobs to be cancelled. Security firms have said this code exists in every version of Windows since version 3.0. When this functionality was introduced, Toulouse said, the security landscape differed from what it is now and metafile records were completely trusted by the operating system.

Gibson claimed that the flaw could be exploited only by using a byte size of 1 in the metafile record, which Toulouse says is incorrect. He surmised that Gibson's tests had the offending function as the last entry in the metafile, which caused only incorrect sizes to trigger the flaw.
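A defender-side check for the record discussed above, added here as an example (it is not code from the article, from Microsoft or from Gibson): it walks a WMF file's records and reports any Escape record carrying the SETABORTPROC escape code whether the record's declared size is correct or bogus, which is the point Toulouse makes about record size values. The layout constants (META_ESCAPE 0x0626, SETABORTPROC 9, sizes counted in 16-bit words) are the standard WMF values; the sample metafiles are constructed inline.

```python
"""Scan a WMF file for SetAbortProc escape records.

Added example, not from the article: the flagged record is the one the
article discusses (an Escape record whose escape code is SETABORTPROC).
The scanner never relies on the record's declared size to decide whether
to read the escape code, so correct and malformed sizes are both reported.
"""
import struct
import sys

PLACEABLE_MAGIC = 0x9AC6CDD7   # key of the optional 22-byte placeable header
META_ESCAPE = 0x0626           # rdFunction of an Escape record
META_EOF = 0x0000              # rdFunction of the terminating record
SETABORTPROC = 0x0009          # escape sub-function the article is about


def wmf_records(data: bytes):
    """Yield (offset, declared_size_words, function, body, bad_size) per record.

    Header and record sizes are counted in 16-bit words. A record whose
    declared size is smaller than its own 6-byte header, or runs past the
    end of the file, is yielded with bad_size=True and the rest of the file
    as its body; the walk then stops, since nothing after it is delimited.
    """
    pos = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        pos = 22
    if len(data) < pos + 18:
        raise ValueError("too short to hold a WMF header")
    header_words = struct.unpack_from("<H", data, pos + 2)[0]   # mtHeaderSize, normally 9
    pos += header_words * 2
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)  # rdSize, rdFunction
        end = pos + size_words * 2
        bad_size = size_words < 3 or end > len(data)
        body = data[pos + 6:(len(data) if bad_size else end)]
        yield pos, size_words, func, body, bad_size
        if func == META_EOF or bad_size:
            return
        pos = end


def scan_wmf(data: bytes) -> list:
    """Return one finding per SetAbortProc escape record in the file."""
    findings = []
    for offset, size_words, func, body, bad_size in wmf_records(data):
        if func != META_ESCAPE or len(body) < 2:
            continue
        escape_code = struct.unpack_from("<H", body, 0)[0]   # first escape parameter
        if escape_code == SETABORTPROC:
            findings.append({"offset": offset, "size_words": size_words,
                             "malformed_size": bad_size})
    return findings


def build_sample(include_escape=True, size_words=None) -> bytes:
    """Constructed test metafile: 18-byte header, optionally one SetAbortProc
    escape record carrying 8 zero filler bytes, then an EOF record.
    size_words, when given, overrides the escape record's declared size."""
    filler = b"\x00" * 8
    escape_params = struct.pack("<HH", SETABORTPROC, len(filler)) + filler
    true_words = (6 + len(escape_params)) // 2                     # 9 words
    records = b""
    if include_escape:
        declared = true_words if size_words is None else size_words
        records += struct.pack("<IH", declared, META_ESCAPE) + escape_params
    records += struct.pack("<IH", 3, META_EOF)
    # mtType, mtHeaderSize, mtVersion, mtSize, mtNoObjects, mtMaxRecord, mtNoParameters
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(records)) // 2,
                         0, true_words if include_escape else 3, 0)
    return header + records


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = scan_wmf(fh.read())
        print(f"{path}: {len(hits)} SetAbortProc record(s) {hits}")
```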

Toulouse also explained why the company was not providing fixes for the Windows 9x platform, on which the flaw can also be exploited.

"The reason Windows 9x is not vulnerable to a "Critical" attack vector is because an additional step exists in the Win9x platform: When not printing to a printer, applications will simply never process the SetAbortProc record," he explained.

Thus, under Microsoft's "extended lifespan" support policies, the issue did not count as critical, and a patch will not be issued. Any other attack vectors determined by the company have also not met this standard, Toulouse added.

For a vulnerability to be listed as critical by Microsoft, it must refer to a code execution attack that could result in automated attacks requiring little or no user interaction.

Comments

I have always had this assumption that Microsoft wanted their own little backdoor for other purposes. Even though I use their OS, I don't trust them fully. There has always been news going "Fixed backdoor issue" but then there's another one as well. Now I may not have all the facts but that's my opinion.

Score: 0

I understand SysInternals' Mark Russinovich is presently examining Gibson's source code,
samples, executables, and so forth. This is being done with Gibson's permission, according to Gibson's own web site comments. See the Discussions area on www.grc.com at:
http://www.grc.com/groups/news

Let us wait for the verdict, as to Gibson's correctness from this truly independent and fully neutral third party. At last report Gibson has noted on his web site that he has verified that the backdoor, or whatever we choose to gloss it over as, is in Windows 2000, and he was off now to investigate Windows 98 in detail.

I do not see much hostility to Gibson in his own public web site discussion area. Let's all vow to accept Russinovich's verdict as a neutral indication as to the facts. I for one shall do so. In the interim, if people have arguments that Gibson is wrong, why not make 'em directly to Steve on his own Web site. Then we can see what Steve has to say more directly. I'm all ears.

Score: 0

It appears that the supposed accidental WMF vulnerability is also in a beta of Windows Vista. See:
http://tinyurl.com/a5vhc

Microsoft is quite the incredible company. After all, what are the odds of accidentally packing this thing in a new OS that is claimed to be built on a lot of, if not entirely from, new code?

Microsoft should stop writing code and enter some lotteries; with such amazing luck at hand, software is a needlessly hard way to make money.

Of course we know they didn't build the WMF vulnerability into Windows Vista by design, don't we? It was just chance that it got there, of course, as even though the odds of that might be a billion to one, MS is one lucky firm.

Score: 0

hmm, I feel like writing a new program, in that program I need an array, instead of using the array I used last time, the one that up till last week had no problems, I will code it from scratch. I will then start coding database access, file writing and reading, displaying of buttons, text, and images all from scratch. I will then talk to my client and find out that I have been fired for being 2 years behind....Yay for me, I r teh win...

There are so many things wrong with your statement, it's not even funny. First off, WMF is not part of the OS, it's a supported file type written outside of the core Windows OS project. Kinda like waves, mp3, dd3, etc. Not only did the WMF problem arise after the 2nd beta of Vista was released, up till that point there had been no problems with it and no reason to re-write the code. I would bet that most people up till recently thought WMF was for Windows media file....

Second, that's not how the g** d*** software design cycle works. You don't ever re-code everything from scratch, and anyone that claims to is full of s***, be it Apple, Google, or MS. You only re-code the problem code, and then re-code whatever else needs to be done to meet the new business requirements.

In the case of Vista, they have re-done a great deal of code to meet those new business requirements, along with adding new code for new features and such. There will still be legacy code from everything including early Windows releases. It's that way for every new version of a piece of software: you look at your old code, look at what's wrong, what it will take to fix it, and what needs to be added to meet the requirements. Then you code that.

Score: 0

I am not a programmer, but you seem to have not read the article. According to MS, the security landscape had changed, thus making the system vulnerable. However, the original OSes that it was designed for do not have this threat as the code is handled differently. I really fail to see how this can be seen as intentional on their part. No one knows how code written today will be exploited some 6 years later.

Score: 0

It is funny to see so many "experts" discuss a topic to which all they can relate to because of some guy's review ...... and not because a single one possesses actual PROGRAMMING knowledge ....

Score: 0

Steve Gibson has not to my knowledge said that this WMF backdoor was an evil act deliberately done by MS. The tone and tenor of the podcast suggest only that the "feature" is deliberate (and who knows who put it there--MS, a rogue programmer etc.) and moreover his argument does not rest solely on the claim that a "wrong" instruction lights up the feature, as MS has attempted to assert by implication.

Microsoft itself has some obvious trouble in trying to front a reason as to why it need not fix Windows 98 and 95, and has claimed there is no need for a fix. Gibson himself has noted he wonders if a Win 98/95 fix is needed.

There is an old saying up here in Canada that what walks like a duck and quacks like a duck is in fact a duck. Whether it was an intentional backdoor or not, the WMF "feature" does reasonably have numerous hallmarks that say it is still a duck, so to speak, whether accidental or not.

I am keeping an open mind here, as to whether Gibson is correct. But this "bug" seems different than most other MS OS defects, in that as Gibson noted the programmatic functionality has no relation to the WMF file.

I listened to Steve Gibson's Security Now Podcast on the "WMF Backdoor?" possibility (Gibson's own title uses the question mark, presumably to stress it LOOKS as though the WMF issue is less than accidental), and it seems logical there could be a contextual reason why "fixing" the WMF "bug" across platforms is not easy.

If Gibson is correct, fixing the WMF bug across platforms to Win 98 and earlier would be tricky precisely because the WMF bug is a deliberate "feature"--a deliberately added in back door that appears to ride on some kind of printer-related process in Windows. The backdoor part of the "WMF bug" appears to have been added relatively recently, Gibson suggests, which is why it may not be fixable in most earlier Windows versions. That is, the code it piggybacks on is there in older versions, although evidently not in exactly the same form, but not the backdoor add-on to the code.

So you cannot fix cross-platform with respect to 98 and 95 easily, as the backdoor itself may not be in 98 and 95.

I personally am keeping an open mind on this issue, as to whether Gibson is correct. In fairness my sense is that he is saying more that it LOOKS like a deliberate backdoor, not that it absolutely is deliberate on MS's part.

I wonder if the WMF "feature" is not simply a DRM entranceway that MS feels it needed. After all, some recent MS EULAs mention disabling unlicensed uses that MS or its partners conclude are unlicensed. MS would surely need a mechanism to ensure that MS and the "partners" referred to in its EULAs really could get by firewalls or pirate-written hacks designed to prevent a disable order from being given to the rogue PC.

Interesting question here: Do the MS EULA's (Media Player etc.) that talk about disabling PC features provide enough of a contractual heads-up that a stealth DRM entranceway is essentially, or has been essentially, already consented to by inference by millions of Windows users?

Score: 0

huh ???

Score: 0

Not as an insult, but you seem to be going in circles and have lost your steam. Simplify what your points are, so I can understand your post.

Score: 0

I concur with the other two replies. What exactly is it you're trying to say?

Score: 0

I have found Gibson's alerts useful, and his programs helpful too. They are neat and elegant, and they don't take up any memory.

Why, for instance, should raw sockets be left open by default? If anyone needs them, they can be opened. Otherwise, it only makes sense to keep them closed.

The same with Windows Messenger. If you don't use it, disable it.

And the same with his other useful little programs, such as DComBobulator. Knowledgeable users can go in and turn off these MS defaults by hand, but for most users having a little program to turn them off and on is very useful. And the more people who protect their computers against hacker entry, the better off the rest of us are.

Score: 0

Indeed, I agree that his site provides some excellent network security info, especially all that you've mentioned, as well as his advice to disable NetBIOS on a machine not intended for file and print sharing. Regarding my comments below on his Shields Up scan being lame, I want to clarify that I simply feel that too many using it and scoring a perfect "Stealthed" score could be too easily misled into believing that their system is perfectly secure, just as I was when I first used it three years ago. At that time I did not know about or understand the dangers of malware that can "call home" from an infected machine. In other words, how important it was for a good firewall to filter outbound traffic, as well as the more obvious (to me at that time) inbound filtering. The Shields Up scan is simply not a thorough and complete enough test for a PC firewall's capabilities. He does provide an outbound test with his "Leaktest" download, but that is not enough either. I don't know all the threats, but there is malware that can hijack apps, inject malicious code into an app, launch apps without user consent, disguise itself as a known DLL, and create threads in apps like IE and Windows Explorer. These are just some of the methods malware can use to exploit firewalls, and there are others as well. Thorough reviewing and testing is critical for a reasonably secure system.

Score: 0

Steve Gibson did not say that it was definitely an intentional back door. He said that he didn't see any other reason for it. Also that he was waiting for Microsoft to clarify the situation. Steve went on to say that all his information was very preliminary and that we may hear him coming back with his head hanging low stating that he was completely wrong.

I do give him credit for looking farther into the issue and trying to inform the public.

Score: 0

I guess I liken this to someone leaving the doors to their car unlocked. Was it an accident or done on purpose... only asking the owner will answer it for certain, and I don't need in-depth analysis from a 3rd party to tell me- through speculation- why it was done.

Score: 0

Okay, guys - I am no IT professional, only get some experience out of one of my sons, who is. He told me about a guy, programming kernels for corporate net OSes, who did this for the last 15 years in Assembler only - a specialist. This man said exactly what I wrote: that the modern higher languages have gained that much speed that he experienced a negligible amount of speed over them with his Assembler code.

As for Steve Gibson - - well, not being a professional, maybe I am blinded by his in depth "analysis". Anyway, thanx for giving me this information.

And don't be sorry for giving information! It is by information alone that one can judge.
-------------------
Edited later

Well thanx again, folks for helping me with all this input.

Score: 0

Actually that is true. The problem of course, is that "modern" programmers are lazy and do not optimize their code as much as assembly programs require. Which is one of the reasons actual assembly programming has been coming around again in CS curriculum lately.

Score: 0

Then that guy is a lame programmer. Period. He doesn't know what he is talking about. Telling people that using in-line assembly in your C++ code gives no performance boost, that Assembly programming is no longer needed because compilers can automatically build up faster code, is not true. Not even the Intel compiler, which is the best one around, can give you perfectly optimized assembly code. If you know what you are doing you can improve algorithms' performance a lot by fine tuning critical parts in assembly. Obviously if you write assembly code that's worse than what the compiler can automatically build up for you then it's obvious that higher level languages are better in such a case... An OS Kernel programmer telling people what this guy told your son is not a good programmer; it's like a programmer of DSP code telling you that he uses C/C++ only because DSP code optimization with in-line assembly is not useful and the compiler is much better... Yeah, sure.. geez!

Score: 0

Actually, the argument is whether or not assembler is faster than C++, VB, or some other high level language. The argument is true, in that assembler is faster; however, many new high level languages compile fully to assembler code. In fact, many new high level languages are indistinguishable from assembler or other languages.

I work in a programming shop, and I asked this question, and they told me that many people don't realize that in the early days of code, the compilers were built for specific languages. Now high level code is basically calls to libraries, and they actually compile at the machine code level, so assembler is actually the result, regardless of where you start.

So, putting in code that is assembler will not produce any faster code if you know the proper way to code C++ or VB in the first place; there are routines that are faster than others. A good programmer knows his language, and with the proper compiler, you can't tell if it's native machine code or not.

Score: 0

He would be correct. Some people are "old school". They haven't used the new languages, because they "prefer" their tried and true methods.

Much like a web developer would rather use Notepad to create HTML than use a front end like FrontPage. It doesn't matter HOW you start, it's where you end up that's the key.

If a program runs as fast as another program on your computer, would it really matter one is assembler and one is C+? Of course not.

And it's true, they have gained in experience.

Everyone ALSO forgets that assembler is used in compilers, so if you make a routine and compile it against good assembler, as long as the library calls understand the language, it's the same output.

Ask this question: where do compilers come from? Programmers want speed and efficiency. Would it make sense to keep writing routines from scratch every time? OR use canned code from high level languages that takes the drudgery out of doing the same old code over and over? That routine code has been optimized, and it works just as well.

If you want to write long hand, be my guest, me I use high level language and let the compiler do the work.

Score: 0

It's quite easy to create a reusable code library in assembler -- one doesn't have to use a high level language in order to follow good development practices.

Also, most modern assemblers are macro-assemblers, allowing one to create reusable high-level constructs (code macros or PROCs or whatever) to simplify much of the dirty work while retaining the high level of control present in an assembler language.

Don't assume that all assembly programmers are still living in the stone ages. Things have come a long way over the past 40 years...

Score: 0

You are quite confused on the argument, indeed. You claim to work in what ? "a programming shop" .. which should be what, exactly ? Do you mean you sell SDKs and Frameworks to create applications or what ?
Your answers and statements have no meaning, really. I don't know if you really believe what you wrote there but if you do just let me tell you that you clearly don't know what you are talking about and you should study a bit or at least read something about it before trying to comment on things.

You claim that in early days compilers were built for specific languages and now they are supposed to be calls to assembly libraries of code and everything is already optimized... Well, that's not true. First of all, even in the early days even the most stupid linkers and compilers had to be developed to reach the same goal, build up binary code for the hardware, no more than that. It's not that in the past compilers were doing something different about that, it's just that the algorithms and techniques to reach that goal weren't as good as the newer ones which are able to produce faster assembly/binary code to exploit hardware capabilities better.
However, as I said before, automatic optimizations are far from perfect and so if you spend time on optimizing algorithms by hand and using in-line assembly in your code you will get much better results than having to rely on any libraries out there.

Really smart and very good programmers are able to build up algorithms without using any generic libraries or buying others' libraries. The fact that building from scratch requires much more time, effort and knowledge means that only some projects and only some programmers will feature by-hand optimized code.
I know that more and more programmers nowadays keep using what they can find on libraries and aren't even able to start building up their own library using a mixture of high level and low level code.
But, if you think that no one is doing that anymore then you are wrong. Not only there still are programmers writing in-line assembly in their programs and creating their own libraries instead of using what others have produced for them to use, but they know that they have to do that in order to exploit hardware capabilities that no given API could allow them to fully utilize. Also, there are those programmers paid to write APIs, compilers, linkers and so on in the first place that obviously have to write in assembly too.

Score: 0

FrontPage had this habit of automatically "correcting" your code. Speaking as a web developer and webmaster since the middle of 1995, I want an editor that doesn't transform my XHTML into obfuscated and bloated code. Nowadays, I use Dreamweaver and HTML-Kit, but I used to use Pico and Notepad most of the time. As a side note, HTML Tidy is an awesome program.

Score: 0

I'm sorry, but this has to be said... Steve Gibson is a complete moron. I can't count the number of times that he's posted some big issue like this only to be entirely wrong about it, or else trying to create a false sense of insecurity in people. I can't even count the number of times I've had people use his ShieldsUp test and thought they were "safe" only to discover that they'd been hacked by some worm/spyware bug. I remember his site being shut down by a DoS site a few years ago and him writing this big giant analysis about how he figured out how it happened and prevented it... then it happened again for a day or two, and the attackers moved on. Sorry to disappoint readers, but DoS is about the only thing you can't guarantee a guard against right now... look what happens when sites are "slashdotted", lol. Anyway, the point is that those who depend on his security analysis are going nowhere in PC security.

The NIST link that's posted is also dooms-dayish as well... Corporations that aren't updating their clients to the latest service packs aren't doing it because their company software is incompatible any more... for security reasons, they all know better. The ones not upgrading are the ones whose IT department is underfunded and understaffed. (I am reluctant to exclude the possibility that there are still some IT departments that are underfunded, understaffed, and undercompetent.)

Score: 0

Well said regarding the false sense of security Gibson's Shields Up site so often gives to people. This is a pretty good article on how lame his tests really are: http://blog.netwarriors....1/11/shieldsup-analyzed

Shields Up really only performs a "peripheral" analysis of a system's security; it is far from in-depth and does nothing to analyze internally a system's vulnerabilities.

Score: 0

Thank you, too for this info. °_°

I appreciate everybody's help here VERY MUCH!

Score: 0

I have to say that I have heard of his name, but not really paid much attention to it - until this post. I went to his site and did some reading and here as well. He seems a bit more paranoid than really helpful. Though some of his questions are valid, because he lacks the required information, he tends to think the worst case scenario. Though I am not really thinking that it is all bad, but he is too dramatic about it all.

To add to the mix then, his programs (which he claims will help) only add to the confusion as they are not giving the correct information in their results. Now, we seem to have come full circle again, but only he secretly claims MS is pulling something over the consumers' eyes - and has no real proof whether pro or con.

I prefer not to listen to people like this, or take them with a large "dose" of salt. Now, we have hundreds/thousands of people downloading his programs (and anyone else's for that matter) with the belief that if they run/use it, they will be protected. I see this way too often in my business.

Big brother is watching.

Score: 0

This site will explain a lot about Steve Gibson. http://www.grcsucks.com/

Score: 0

Some soul weakly opined that "Shields Up really only performs a 'peripheral' analysis of a system's security; it is far from in-depth and does nothing to analyze internally a system's vulnerabilities"

This misses the point, old boy, that the test is only meant to do that. His test is simply in terms of the Internet connectivity in terms of whether remote systems can see a PC. We all know that we must rely on MS for timely OS defect corrections (wink, wink, nod, nod, L.O.L. etc).

Score: 0

"His test is simply in terms of the Internet connectivity in terms of whether remote systems can see a PC. We all know that we must rely on MS for timely OS defect corrections (wink, wink, nod, nod, L.O.L. etc)."

No, NOT EVERYONE knows that we must rely on MS for timely OS defect corrections. Most do, yes, but not all. Believe it or not, there are droves of Windows users out there completely in the dark about what MS patches are, what they do, and how they are applied. Furthermore, MS patches are only one required component for properly securing a Windows box. You may call my opinion on the Shields Up test weak, but it is simply the truth. That is all.

Score: 0

Lots of uninformed "experts" just like Steve Gibson who smokes crack. Have a look @ http://grcsucks.com

Score: 0

I read from the point you gave me up to "securityfocus" and thank you very much for giving me this info. °_° and apologize for being stupid and arrogant.

Score: 0

There can actually be more stuff of this kind in any software.

If you really read what Gibson has to say, you'll notice the level on which all this is happening: Byte-level.

As nowadays programming tends to become off-Assembler because of the speed that is available in higher code: who then will ever have the intellectual information - as Gibson still has, using Assembler as his basic coding - for such Byte-level backdooring. Maybe some core hackers . . .

Score: 0

Keep in mind, many schools still teach assembler, some in great detail. There are still a lot of people out there that are able to understand that level of thinking. Hell, all of my teachers that were teaching IT related classes, i.e. programming, OS structure, system design, etc., all know assembler in great detail across many different platforms.

And to that NIST link, half of that is end of the world ranting. Dispatch computers, verification systems, monitoring systems, these are not the type of computers to head out onto the net to sites with affected files. They are strictly monitored, with a single purpose, they are not used to surf the net for fun. Windows 98 is running at maybe 5% on average, not 10%. Plus the people using these computers are not going to be visiting questionable sites anyways, they are the old or young; granted email is still a big risk, but not as big as he thinks.

edit: I don't disagree with the topic of the link so much as the fact the author thinks it's the end of the world and his rants go above and beyond the problem

Score: 0

Gibson = OWNED?

Score: 0

You are uninformed.

Read this:

http://www.nist.org/news.php?extend.55

Score: 0

I don't think I quite follow what that dude is trying to say...
If you can't install a service pack which contains hundreds of fixes for various exploits, why would you be able to install just a single fix?

Score: 0
