Bill Cheswick's Screensavers notes

On 15 March they aired an interview I had with Leo on The Screen Savers during RSA week. I've received a lot of email about a couple of things I mentioned on the show. Here's a FAQ.

  • What was that program you used to sniff Leo's network?

    I used Dug Song's program dsniff, which is in the FreeBSD ports collection and widely available on the Internet. Use Google to hunt it down. One person claimed that the Windows XP version was broken. I wouldn't know: I run most of my stuff from Unix.

  • Did you crack Leo's passwords?

    No, dsniff just listens for passwords on local networks that are transmitted in the clear. It knows about a lot of different unsafe protocols.

  • Is it legal?

    It is my belief that its legality (in the US) depends on how you use it. If you are using it for normal network administration purposes, like making sure that your encryption tunnels are working, that's OK. If you are trying to use it for evil, it is illegal. I use it for teaching and auditing, and I am willing to look a prosecutor or judge in the eye and justify it.

  • How exactly did you display the network services on an XP host?

    Go into Accessories and open the "command window". Type

           netstat -an

    It will list all of your current TCP/IP sessions, and all of your UDP and TCP listeners. These listeners have programs behind them in your computer. Security flaws in these programs can give outsiders unauthorized access into your computer. Certain famous worms have exploited such holes in the past.

  • How do I interpret the netstat output?

    I am not going to go into all of the details here: they are involved, and require an intimate knowledge of TCP/IP. Anything that is in a LISTENING state is an incoming TCP service. There may be several associated local addresses. Among other things, the local computer is known as address 0.0.0.0. ESTABLISHED lines are current connections, incoming or outgoing. TIME_WAIT connections are shut down sessions that are timing out. UDP listeners are listed at the bottom.
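    As an added illustration (not part of the original FAQ), here is a small Python script that reads `netstat -an` output in the Windows format and sorts the lines into the categories described above: TCP LISTENING services, ESTABLISHED connections, TIME_WAIT sessions, and UDP listeners. The sample output embedded in it is constructed, not a real capture, and the `exposed_ports` helper is my own addition: it singles out listeners bound to 0.0.0.0, which answer on every interface and are therefore the ones a host firewall needs to cover.

```python
from collections import defaultdict

# Constructed sample in the Windows `netstat -an` format (not a real capture).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1031      64.233.160.99:80       ESTABLISHED
  TCP    192.168.1.10:1032      64.233.160.99:80       TIME_WAIT
  UDP    0.0.0.0:137            *:*
  UDP    192.168.1.10:1900      *:*
"""

def split_endpoint(endpoint):
    """'0.0.0.0:135' -> ('0.0.0.0', 135); '*:*' -> ('*', None). rpartition keeps IPv6 intact."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """One dict per TCP/UDP line; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue
        # UDP lines have no State column, so the fourth field is absent.
        rows.append({"proto": f[0], "local": split_endpoint(f[1]),
                     "foreign": split_endpoint(f[2]), "state": f[3] if len(f) > 3 else None})
    return rows

def classify(rows):
    """Bucket rows into the categories the FAQ names."""
    buckets = defaultdict(list)
    for r in rows:
        if r["proto"] == "UDP":
            buckets["udp_listeners"].append(r["local"])
        elif r["state"] == "LISTENING":
            buckets["tcp_listeners"].append(r["local"])
        elif r["state"] in ("ESTABLISHED", "TIME_WAIT"):
            buckets[r["state"].lower()].append((r["local"], r["foreign"]))
    return dict(buckets)

def exposed_ports(rows):
    """Listeners bound to 0.0.0.0 answer on every interface, so they are what a firewall must cover."""
    return sorted((r["proto"], r["local"][1]) for r in rows
                  if r["local"][0] == "0.0.0.0" and r["state"] in ("LISTENING", None))
```

Running `classify(parse_netstat(SAMPLE))` on the sample gives two network-reachable TCP listeners (135 and 445), one loopback-only listener (1025), one live HTTP connection, one closing one, and two UDP listeners; `exposed_ports` reduces that to the three bindings an outsider could reach.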

  • I want to close up these services. How do I do it?

    It's hard. There are configuration settings all over the place in Windows that need to be changed. You can dive in and start turning things off, while watching your netstat output to see if they go away. There are web pages out on the Net that discuss this process. You may end up turning off some service that you want. I am hoping that XP service pack 2 will simplify this.

    Also, you can install and/or activate a firewall on the host. This doesn't turn off the services, but it does block access to them.

  • What can I read to learn more about TCP/IP?

    There are several good books on TCP/IP. The Stevens three-book set will tell you more than you want to know about it. I co-authored a book, Firewalls and Internet Security: Repelling the Wily Hacker, that examines the security aspects of various common Internet services. You can also find a lot of documentation about all this on the Internet.

  • Are you planning to be on Screensavers again?

    Yes, I try to drop by whenever I am in town. I have a blast with Leo and Patrick. They taped a second interview about my computerized home, and specifically how I use two sound cards connected to the house. That interview is "in the can", and they said they would air it when they needed to fill a slot. Also, I am planning to appear live on 27 April to talk about some interactive exhibits I am writing for science centers.

  • Links

  • http://www.blackviper.com/WinXP/servicecfg.htm was suggested by Perry Brigner. It details a lot of XP services, though I couldn't find a list of the TCP ports they use.
  • If any readers have other links that should be included in this FAQ, I would be happy to add them.