Web site shows how anyone can break into your PC

If you are using a Windows PC and have access to the Internet, chances are your computer is wide open.

technofile
Al Fasoldt's reviews and commentaries, continuously available online since 1983

Web site shows how anyone can break into your PC

Oct. 24, 1999

By Al Fasoldt
Copyright ©1999, Al Fasoldt
Copyright ©1999, The Syracuse Newspapers

   How safe are you from prying eyes? You lock your doors at night, keep your blinds closed and your drapes pulled. But your Windows PC is doing everything it can to invite strangers into your personal files.
   Think I'm exaggerating? You're in for a surprise. If you are using a Windows PC and have access to the Internet, chances are your computer is wide open. Anyone who knows simple connection methods can get into your computer and read your files.
   For proof, go to the "Shields UP!" Web site maintained by longtime PC expert Steve Gibson. The address of the main site is http://grc.com/. Click the SpinRite 5 logo and then click the "Shields UP!" logo. Make a bookmark or Internet shortcut of that page when you get there. (The address is too crazy to print reliably, so I'm bringing you there through the front door.)
   You'll see a button labeled "Test My Shields" in the center of the page, down a ways from the top. Nothing bad will happen, so don't hesitate. Click the button and watch what happens.
   You probably will have the same reaction my wife, Nancy, and I had when we tried out this site. We were stunned. The Windows 98 PC we were using to access the "Shields UP!" site was sticking its tail out into the wind for all to see.
   Gibson's security check takes only a few seconds if the Internet is not very busy. When it's through, you'll see a report on what "Shields UP!" found wrong with the security precautions -- if any -- in place on your computer. You'll also be able to view a clever picture that shows how vulnerable your computer's hard drives are, and how your drives and even your printer could just as well be sitting out in the middle of the Information Superspyway. It's chilling.
   Gibson explains step by step what you can do to close off the gigantic hole in Windows security that his site exposes. You won't be able to make Windows secure enough for many critics of Microsoft's lax programming, but you'll be able to keep most of the Internet's wandering snoopers out of your computer. If Steve Gibson's test program can get into your PC and find out what's there, you can be sure that any kid or determined adult can, too.
   The "Shields UP!" site tests for security lapses only on Windows PCs. In their standard configurations, Apple Macintosh computers and PCs running the Linux operating system are not vulnerable the same way Windows PCs are. (Macs and Linux computers can be exposed in other ways, but none of the risks on Macs and Linux PCs come close to the dangers in Windows computers.)
   Oddly, at the same time that Gibson's security probe was showing how vulnerable my one remaining Windows PC is -- all my other computers run Linux -- I received a report from Windows expert Paul Thurrott, writing in his WinInfo newsletter, about a new "feature" in the about-to-be-released version of Windows NT called Windows 2000 Professional.
   This version is designed for top-level users, people who should value security and who should already know how important passwords are. Yet by default Windows 2000 Professional allows the person who sets up the software to boot up and use the computer without a logon name or password.
   This means, as anyone who has had to take care of Windows NT computers already knows, that Windows 2000 Professional won't have any security at all in many cases. Anyone who lets the installation program do its own thing will end up with a completely vulnerable computer.
   What's even more disturbing is that this initial user gets full administrative rights. In other words, anyone who walks over and turns on a Windows 2000 Professional PC will be able to cruise through any of the files at will, deleting or copying anything. Want more? Anyone on the Internet will be able to do the same thing.
   I find this almost beyond understanding. I already know that Microsoft can't build a secure version of Windows. The world beyond Microsoft knows this, too. (An Internet slogan says: "Invite everyone into your PC. Run Windows.") But to discover that Microsoft is stripping basic security from the Professional version of Windows is even harder to fathom. The company still has time to change Windows 2000 Professional before it's released later this year. Let's hope it gets the message soon.