OK. So he isn't as handsome as Russell Crowe in The Insider, even as purposely messed up in
makeup, hair and clothes as Crowe was in that movie (but more on his acting ability, later). He doesn't have
the financial acumen of those testifying in Congress against Enron - though I'm not sure that is a
disadvantage these days. He doesn't even have the easily recognizable target for his revelations that the
classic whistleblower has. There is no specific government body or company - though some would dispute
this, he really is an equal opportunity whistleblower - for his disclosures to embarrass. But as with most
whistleblowers, he has a virtual target firmly planted on his back, and there is no shortage of potential verbal
shooters.
The whistleblower in question is Steve Gibson of Gibson Research (www.grc.com). His original
claims to fame were his breakthrough disk diagnostic and repair program, SpinRite, and the column he used
to write for InfoWorld. More recently, he has become known for security programs such as ShieldsUP! and
LeakTest, and especially for his outspoken manner, as he unhesitatingly reports the results of his security
research, regardless of whose toes he steps on - hence the target on his back.
Gibson made an appearance at an APCU (Association of Personal Computer Users - www.apcu.org)
meeting at the Wilmette Public Library on Saturday, March 16, 2002. Luckily the APCU invited guests for the
event, so I was privileged to be able to attend the meeting.
I first encountered Gibson years ago at a distributor's trade show in which he acted out the parts of
the components of a disk drive in order to explain how SpinRite works. I'm not sure that even Russell Crowe
could have presented it better, and I'm sure that Crowe couldn't have written his own script.
Revealing security weaknesses in software has made him anathema to development companies,
particularly Microsoft, which has attracted security-related complaints almost as if it were asking for them,
as well as the makers of personal firewall software. The extreme negative response that he has received for
his revelations seems to follow the old 80/20 rule, with 80% of the criticism coming from the point of view
of vested interests - from the vendors involved - and 20% sprouting from what seems like nothing less than
a massive attack of damaged egos - from various security analysts and experts.
The vendors want to destroy Gibson's reputation in order to diminish what they portray as his
"attacks" on them. The analysts and experts don't like someone horning in on their field who, at least on the
surface, lacks their "serious" credentials in security.
The news from the dark side is even worse, though it still follows the 80/20 rule. 80% of the hackers,
crackers, or whatever you want to call them, are angry because Gibson is trying to get people to take security
seriously, which would certainly reduce, if not eliminate, their source of fun. The other 20% of them, in a
different type of ego hit, are greatly offended that he revealed that there are libraries of mix-and-match kits
that allow them to create criminal programs (viruses, trojans, etc.) without any particular skill, thereby
robbing them of the "glory" of their exploits. (He calls these "Drag and Drop Viruses.")
The result of these offenses against the criminal element is an ongoing series of DoS (Denial of
Service) attacks on Gibson's Web site. Even as he began his speech for the APCU, he explained that word
had gotten out that he would be out of town and that his site was currently under attack. Without easy access
to his personal contacts within his ISP (Internet Service Provider), his staff back in the office couldn't
effectively ward off the attack.
Gibson was gracious enough to start off the day by participating in the open forum that preceded his
speech by supplying some of the answers to questions posed by the members. Naturally, some of the
questions drifted toward things like SpinRite and security.
In his speech, Gibson first talked about his early academic and personal history with electronics and
eventually, computers. Considering the high level of computer expertise among the APCU members, it was
obvious that the audience could relate to his background.
He made his distaste for the old saw "all software has bugs" quite clear, backing it with examples
of software that doesn't have bugs. Gibson obviously doesn't tolerate programming incompetence well.
He talked about his differentiation of the use of a PC as either toy or tool. As a toy, you could
download and experiment with every untested and potentially buggy or dangerous program you could find.
As a tool, you should lock down the PC as much as possible and only run software that you absolutely know
is reliable. (The audience contributed several Microsoft jokes at this point.)
Gibson also spoke of his doubts about Microsoft's security proclamations. In particular he noted the
declaration by a Microsoft representative that he knew that Windows XP was totally secure because they had
run it through a very thorough automated security testing routine and that the testing program had certified
the operating system as secure. This was shortly before the weekly (and seemingly unending) security hole
announcements about XP started coming through. (Oops!)
He feels that Windows 95 and its descendants were explicitly designed to overwhelmingly favor ease
of use (or at least Microsoft's definition of that term, which isn't necessarily what actual users think) over
security. While the two characteristics aren't absolutely diametrically opposed, one often precludes the other.
Gibson's final comment was about Microsoft's misguided attempt to deflect what amounts to invalid
criticism about Windows' lack of raw sockets capability (an obscure diagnostic facility that lets a program
build its own IP packets, headers included, and which turns out to be absolutely heaven-sent for hackers).
Microsoft was told that Windows was wimpy because "real" operating systems have that capability. That's
nonsense! Microsoft reacted by adding raw sockets to Windows XP, effectively just to look cool - only they
added it unprotected, while other operating systems restrict access to administrators. Because a raw socket
lets the sender forge the source address on every packet it emits, we'll see how many millions of dollars
companies and organizations lose over the next few years in nearly untraceable DoS attacks facilitated by
this added feature.
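The "restrict access to administrators" point above is easy to verify on the other operating systems Gibson had in mind. The following small C program is an added illustration for this article, not code from Gibson Research or Microsoft: it simply asks the kernel for a raw IPv4 socket and reports whether the request was granted. On Linux, macOS and the BSDs an unprivileged process gets EPERM (Linux requires root or the CAP_NET_RAW capability), which is exactly the safeguard the article says Windows XP omitted. The function and verdict names are my own.

```c
/* Probe whether the current process may open a raw IPv4 socket.
 * Added example for this article; not Gibson Research or Microsoft code.
 * Raw sockets let a program write its own IP header, including a forged
 * source address, so Unix-like kernels only grant them to privileged
 * processes (root, or CAP_NET_RAW on Linux). */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Returns 0 if a raw socket could be created (it is closed again at once),
 * otherwise the errno reported by socket(2). */
int try_raw_socket(void)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Map the probe result to a short verdict (hypothetical helper name). */
const char *raw_socket_verdict(int err)
{
    switch (err) {
    case 0:      return "permitted";                          /* privileged process */
    case EPERM:
    case EACCES: return "denied: requires root or CAP_NET_RAW"; /* the safeguard */
    default:     return "unavailable";                        /* e.g. no IPv4 stack */
    }
}

int main(void)
{
    int err = try_raw_socket();
    printf("raw IPv4 socket: %s", raw_socket_verdict(err));
    if (err)
        printf(" (%s)", strerror(err));
    printf("\n");
    return 0;
}
```

Run it once as an ordinary user and once with sudo to see both answers. Note that the diagnostic use Gibson alludes to does not actually need the full capability: Linux, for example, offers unprivileged ICMP "ping" sockets (SOCK_DGRAM with IPPROTO_ICMP, gated by net.ipv4.ping_group_range) that let a program send echo requests without being able to forge the IP header.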
After that, Gibson headed home so he could get his Web site back up. Such is the life of a
whistleblower.