In knowledgeable circles Steve Gibson is actually more known for the programs he has not written than the one he did.
Hyper Speed Port Scanner
Leaktest Version 2
Nanoprobes
Netfilter
Shields Up! Version 2
The Solution to DDoS Attacks
Spoofarino
Project X
(Amazingly enough, Gibson has news groups for all of the above non-products, where Gibson Groupies openly discuss software products that do not even exist.)
And the list goes on. When one compares the paltry product output with how long Gibson has been on the Internet, and flavours this with the multitude of false promises, one must wonder exactly what Gibson has been doing all this time - other than creating a lot of noise and flashy web pages that is.
The Corollary
The precise corollary of the above is: If the above products ostensibly do not exist, then the claims made in their promotion cannot be found to exist either. The whole thing devolves immediately to the level of a snake oil salesman.
And as none of the programs used in the hunt for Wicked have been released - despite earlier promises - we may not assume they exist either. Until he proves otherwise, all we can know is that Gibson used a number of tools - perhaps on a Unix box to boot.
In fact, many of Gibson's supposed 'inventions' are 'old hat' in the world of Unix white hats and black hats. The Gibson Groupies don't know this, because they invariably run Windows 9x, but the real security gurus do. And they've been complaining about Gibson's false claims all along. A few choice examples:
Nanoprobes
The Genesis Stack
Gibson used to run IIS on his website, blissfully oblivious to the hazards involved. People spent months showing him all the holes in IIS, trying to get him to plug up. He said he was grateful Windows boxes could not spoof IPs - then was corrected again. He later tried to save face by claiming he'd known it all along, and claimed the code given him by others to prove the spoof had been stolen from hacker sites. When people on his IP list contacted him he summarily gave them a clean bill of health, unaware that their systems were still grievously infected. Evidently he wouldn't know a rootkit such as Backgate if it came out and hit him in the face, for in at least one case it really tried, but he missed it. And he ostensibly could not find a double decode bug either. Gibson is just winging it. He whips up a bit of frenzy and plays the rest by ear, even going so far as to encourage hackers to write new trojans for XP for the additional frenzy value.
Subtotals
What emerges is a picture of an individual who has not, as The Register would have it, gone round the bend, but a cold calculating schemer deliberately exploiting the media for personal gain. 'Gibson whimpers and the reporters come running' was how one very well known e-zine personality put it. But what's in it for Gibson? Is he simply suffering from a messiah complex as Rob Rosenberger now believes? Or does he just love having all those groupies congregating in his news groups? Whatever - but the verdict in this case does not hinge on ferreting out the motivation for the crime: The deeds themselves speak their own clear language.
It's easy to find out what the public at large thinks of Steve Gibson: just Google around a while at Usenet. Opinions found there generally fall into two categories: Those who admit he is given to gross exaggeration, false claims and hyperbole, but think he is still doing the Internet a service with his 'Sesame Street' site; and those who simply can't stand him. It is true that Steve Gibson has heightened awareness of basic Internet security risks. His online Shields Up! application was eminently accessible to all; all you had to do was surf on over and in a few seconds you could assess how secure your machine was (true, almost any of the alternative sites in this category have much more sophisticated services available). And his tutorials on closing NetBIOS ports were extensive and rather good (that you don't actually need to do this at all, but merely click a check box in Control Panel is obviously not just a moot point). But anyone with a minimum interest in the subject could have written both the Shields Up! application (an hour's work at best) and the follow-up tutorials. Their existence does not a guru make, nor would they add any credentials to the resume of a real one (which is why no one has taken the time to duplicate the effort).
Physical Evidence
But the current debacle overshadows all that has gone before. Through it all Gibson has called himself a security expert, a security guru. Yet radsoft.net has been shown hard physical evidence that would indicate nothing could be further from the truth. Gibson the security guru, it would be assumed, has control over at least his computers if not his access to the Internet; he would see what goes in and out; he would be aware of potential security holes and have long since plugged them; and he would not permit unlimited unauthorised access to his machines.
If he was indeed a security guru he would have done that, he would be capable of that. It sounds almost ridiculously simple. And it is. radsoft.net has received incontrovertible proof that Steve Gibson's computers are even today not only open to attack, but to blatant exploits. This means that hackers can (and perhaps still do), on a daily basis, log onto Steve Gibson's computers and browse around and alter and take any files they wish. Steve Gibson Self-Proclaimed Security Guru has up to now been blissfully unaware of this. They have even ferreted out his commercial software and begun downloading and distributing it. The question therefore begs itself: Steve Gibson a security expert? How? Where? When?
Under the Mask
It has been radsoft.net's policy to avoid this debacle at all costs, despite the flood of email on the subject, despite the slanted complaints about the person of Steve Gibson, despite the speculation into his private life, despite the very justified technical objections, etc. It is still a good policy. But there is another issue that can and must be addressed: Truth is important and should never be corrupted for personal gain. For that is demagoguery, and it is wrong. Sesame Street is a cute kiddie TV show, but it is not The Learning Channel. If you want substantiated truth, look to the accredited sources on the subject. You get a bit of singsong and mirth on Sesame Street, but you can't carry that far. The one thing Sesame Street teaches well, namely how to get along with others, seems to have been deliberately ignored in the aftermath of the Reichstag fire at GRC.com.