eMail: NO. Newsgroups: YES!
I very much wish I had the time to communicate with people individually. But, as you will see on this page, time is my most precious and limited asset. I have committed myself to accomplishing so much that I am left with no time to respond to individual eMail notes and questions.
The only way I can be effective is through
Internet publishing and broadcasting.
I have resigned myself to being unable to reply with individual answers to the huge volume of eMail I receive everyday. I must make progress on the projects I have in front of me. The solution is:
But there is a solution:
Since I need to stay in touch with the world, I try to hang out in some of the many active security and privacy newsgroups we host at "news.grc.com." Even there, my level of participation varies depending upon how absorbed I am in current development projects. (I sometimes disappear for days at a time when I'm in "full project mode".) But I always return to the groups to find out what's been going on in the world. I also use the groups for pre-release "beta" testing of our new goodies. So if you want to be on the inner track of what's happening, the newsgroups at news.grc.com are the place to be.
Getting more involved: If you would like to be more involved in issues of Internet security and privacy, in what's going on here at GRC.COM, and with what I'm up to from day to day, participating in our newsgroups is the best way to do that. The Discussions page on our site (see the icon at the bottom of this page) provides an introduction to Internet newsgroups and provides all of the details for viewing our groups with any web browser, and for participating by using Outlook, Netscape, or any standard Internet news reader.|
I hope you will accept my implicit apology and understand if you have sent eMail and I have not replied, or if one of my terrific staff replied for me. I almost certainly read your note and was thankful for receiving it, even if I was unable to say so personally.
Plans and projects fill and define my life. They consume my waking time and attention literally seven days a week and usually 16 hours per day. There is nothing I love more than developing solutions to important problems, and having those solutions used. It's what I love, and what I do.
What has Been Done . . .
and what is still to be Done?
I know exactly what's going on here at grc.com. (Though it is subject to change as events present themselves, and it is inherently research oriented.) I have a clear picture of where I'm going, what lies ahead, and what needs to be done to get there. The vertical time line below is probably the best way to communicate this. It stretches from "the beginning" into the future. You will see where I came from, what I have done recently, where I am today, and where I think we are headed . . .
What Have I Accomplished?
| ||Before Gibson Research|
As you'll see from my resumé, I began working on "projects" shortly after I learned to walk. My parents say I spent most of my time walking around and disassembling everything within reach. I have always been insatiably curious, so my explanation is that I was just working to understand how to put things together. That's pretty much what I have been doing ever since.
| ||SpinRite the PC industry's ultimate data recovery|
Most people take their computer's hard disk drives for granted . . . right up to the moment they start acting funny, generating errors, making bad noises, and perhaps "crash" altogether. SpinRite can often help and sometimes save the day. SpinRite is, without a doubt, my MS-DOS programming masterpiece. See the SpinRite link above for the whole story.
| ||ChromaZone how I taught myself to program Windows in asm|
If SpinRite is my MS-DOS masterpiece, ChromaZone is probably the equivalent for Windows. I learned how to make Windows do my bidding by creating this program in assembly language, and working to invent and implement ChromaZone's many unique special effects. For users of Windows 3.1 through WinME, ChromaZone is an amazing toy.
| ||GRC eMail our unique user-managed eMail system|
794,019 subscribers ago, I wrote (in assembly language of course) our own custom eMail management system. At the time I never imagined that we would ever have the 794,019 subscribers we have today, but I'm glad we have a system that makes their sign-up and maintenance manageable. (NOTE that this system was shutdown and replaced by the GRC Corporate News Blog which eMails subscribers whenever any new posts are made.)
| ||ID for SCSI/ASPI/ATAPI devices|
Before creating TIP (see next item) I needed to understand the ASPI API. So I created the simple but useful "ID" utility as my own ASPI training test-bed. Today, ID helps people figure out what's going on with their Iomega ZIP, JAZ, or other storage devices under Windows.
| ||TIP Trouble In Paradise for Iomega users|
Iomega's popular ZIP and JAZ drives suffer from a worrisome condition known as the "Click of Death". SpinRite was not the right tool for data recovery here because the Click of Death is caused by a terminal failure of the IoMega drive. A specialized tool was required. So I wrote the free TIP "early warning system" for all ZIP and JAZ users.
| ||ASPI ME ASPI drivers installer|
The original ASPI_ME was simply a better installer of Adaptec's FREE ASPI drivers than its own. It became wildly popular and enjoyed substantial success. But Adaptec didn't approve of ASPI_ME and asked that it be discontinued. I was working on my own full replacement when the idea for ShieldsUP! hit me. I have never returned to that project.
| ||Free & Clear "ClearType" demo|
Microsoft's announcement of their "ClearType invention" rubbed me the wrong way because it seemed both obvious and derivative from many previous systems. So, I quickly and independently "invented" the technology for myself. Then I created the "Free & Clear" demo to show how obvious and "open" any similar solution should be.
| ||FIX-CIH whole drive recovery after "Chernobyl" virus attack|
On April 26th of 1999 the Windows "Chernobyl" virus completely wiped out tens of thousands of hard drives. I realized that since only the first megabyte of each drive was erased, it was theoretically possible to completely resurrect the drives by rebuilding the partition table, first partition boot sectors, and first FAT table. I quickly wrote the free FIX-CIH utility to save the data belonging to all of these people. You can see for yourself why I did it.
| ||ShieldsUP! Internet security testing and education|
One afternoon, when I was writing ASPI drivers for the world, I realized that I could check the Microsoft Windows file and printer sharing security of anyone who came by our web site. The rest, as they say, is history. The success of ShieldsUP! focused my attention upon the growing problems of Internet security and privacy. The direction of my work was changed forever.
| ||NoShare/LetShare file sharing enable/disable for Windows|
Before I worked out the details of "unbinding" network protocols from transports, I wrote a pair of simple to use utilities to achieve the same effect. The NoShare and LetShare utilities were discontinued once the protocol/transport unbinding and rebinding system was proven more effective.
| ||A Passion for Technology my InfoWorld column compendium|
Every week, for eight years, I wrote a column in InfoWorld Magazine, the industry's leading PC newsweekly of the era. My column was often the #1 rated feature in the publication.
| ||Internet Spyware Analyzer keeping Aureate/Radiate honest|
The exact behavior of the nasty Aureate/Radiate advertising spyware was unknown. I created the "Internet Spyware Analyzer" to simulate contact with "home base" and to allow me to figure out exactly what was going on. From that information I was able to help Internet users deal with this menace.
| ||OptOut the original spyware detection and removal tool|
The work on the Internet Spyware Analyzer (above) led to the creation of the free "OptOut" spyware removal tool. Optout was hugely successful with more than 2,544,000 individual downloads. When the Lavasoft folks promised to extend their Ad-Aware tool, while keeping it free, I formally turned the task of spyware removal over to them. They are doing a >great< job.
| ||Real Networks commercial "phone home" spyware|
I went a bit ballistic when I discovered that Real Networks' file downloading utility, "Real Download", was sending a report of every download back to Real Networks with a unique ID they had assigned to me. When I went public with this news I was immediately threatened with legal action by Real Networks. Within a week they had backpedalled, apologized, and updated Real Download to remove the privacy-invading unique ID tagging.
| ||NanoProbe my own TCP protocol implementation|
I designed and wrote a complete IP protocol suite from scratch, in assembly language, to enable several major advances in our remote Internet security testing technology. The first advance is deployed in the second-generation, much faster, NanoProbe-enhanced ShieldsUP! tests. The NanoProbe system includes support for ARP, ICMP, UDP & TCP protocols and generates custom security-testing Internet packets. Our Research & Development "NanoProbe" server at http://nanoprobe.grc.com/ hosts pre-release development of new technologies.
| ||GENESIS denial of service immunity for TCP|
A consequence of the NanoProbe RSVP Agent technology (see next item) is the need to open a server to the Internet to accept inbound RSVP client-authentication connections. I was concerned by the potential for SYN-packet flooding denial of service (DoS) attacks against that server. So I created a compatible "stateless TCP handshake" technology for a SYN-flood immune server.
| ||RSVP Agent absolutely determining the user's IP|
User IPs are sometimes obscured by an ISP's transparent proxy server which re-issues the browser's request. This causes us to see the proxy server's IP address rather than the user's. Our next-generation security tests, which will be much more aggressive, require absolute confirmation of the target IP. The RSVP technology accomplishes this.
| ||Newsgroups Reorganization our community grows|
As our private newsgroups grew in popularity and traffic, we reached the point where the organization of our group hierarchy needed to be scrapped and reconceived. After we developed a new hierarchy, I wrote a series of NNTP protocol utilities to relocate and "re-thread" all of the existing content into the new structure.
| ||Wizmo a weird little "Windows Gizmo"|
I wanted a quick means for invoking my systems' power management. But I couldn't find any existing freeware, so I created my own. WIZMO goes much further and adds many other cool features (like a gravitational attraction simulation screen saver). I use it constantly on all of our systems.
| ||The Assimilator a grueling hardware firewall/router tester|
What happens to personal routers when they are hit with a SYN-flood? How good are their firewalls? Is there any practical difference between stateful packet inspection firewalls and a simple NAT router? I built "The Assimilator" to answer such questions. It will be used whenever we need to "melt down" commercial hardware or software products of any kind.
| ||LeakTest v1.0 motivation for plugging a glaring vulnerability|
Before I created the first simple version of LeakTest, only the ZoneAlarm personal firewall could not be fooled by simple application masquerading. Today, as a direct consequence of LeakTest v1.0, every outbound-blocking personal firewall (not WinXP or BlackICE Defender) has been updated to correct this deficiency.
| ||PatchWork a quick tool to secure Windows servers|
A Russian organized crime ring had broken into more than 40 eCommerce sites running unpatched versions of Microsoft's IIS web server. So the FBI and the SANS Institute asked me to create a simple utility that anyone could use to check IIS servers for the four vulnerabilities being exploited by the Russians.
| ||EarthLink Browser Tag anatomy of EarthLink's custom tag|
One weekend, the gang hanging out in our newsgroups discovered an intriguing and frightening "Browser Tag" being added to all queries generated by Earthlink's customized version of Internet Explorer. It appeared to be a "sticky" user-ID of some sort. Once we raised the alarm, Earthlink explained that it was generated from a bunch of user and browser settings and was not a user identifier.
| ||The Media Page putting our audio/video library online|
The products and events on this web are often covered by ZD/TechTV. But many of the people who actively participate in our newsgroups are unable to receive the cable channel telecasts. So I took a few days to convert, compress, and assemble our library of audio and video clips.
| ||SocketLock & SocketToMe Raw sockets?
These two little test utilities were designed to "put the lie" to Microsoft's claim that Windows XP depended upon having full raw sockets. SocketLock disabled them completely and SocketToMe tested for the presence of full raw sockets. It turned out that WinXP worked just fine without raw sockets, and Microsoft finally removed them with XP's Service Pack 2.
| ||UNIX News Server switched to a "real" UNIX News server|
The increasing load on our Microsoft-based news server began causing frequent system crashes. So I switched to FreeBSD UNIX and the INN server. I heavily customized the open-source news server adding cryptographic user authentication, secure article cancellation, troll-blocking, and many other features.
| ||Advanced IIS Filter preemptive security for IIS|
Following the "IIS Worm Wars" of 2001, it was clear that the world needed to be protected from future "Malicious URL" exploits against IIS. So I created a prophylactic filter (APF) to examine and discard bogus URLs before they could touch and exploit IIS. Here's a sample bogus URL aimed at our hybrid, APF-protected, web server: https://www.grc.com/ 00000.
| ||ShieldsUP! Upgrade much faster nanoprobe-enhanced testing|
As required for many of the things I have planned for GRC (LeakTest v2, NanoProbe tests, RSVP, Spoofarino and more) the now mature NanoProbe technology was moved from the NanoProbe R&D server to the main production GRC.COM server. This allowed me to NanoProbe-enhance the traditional ShieldsUP! tests to increase their reliability while allowing more ports to be probed much more quickly.
| ||ID Serve remote Internet server identification, and more|
The "IIS Worm Wars" of 2001 worried many eCommerce site users about the security of the sites they were trusting with their confidential financial information. I wrote ID Serve in response to many questions asking how the make and model of remote Internet servers could be determined.
| ||UnPlug n' Pray manage Windows' unsafe UPnP Internet service|
On December 20th, 2001, Microsoft revealed a highly critical defect contained in the Universal Plug and Play (UPnP) services running in all versions of Windows XP and many copies of Windows ME. Beyond applying another patch to Windows, the United States FBI urged users to completely disable Microsoft's UPnP service. I created UnPnP to automate this process.
| ||Site Technology Upgrade added some cool new features|
Most of January of 2002 was spent creating a new "query-stream" technology for our web server. This attaches a custom database to the server to allow accesses to be tracked without logging. The bottom of every web page on our site now shows its last change date and age, and the average number of times it is viewed per day. The new suite of "Freeware" pages are also automatically recreated nightly with updated statistics.
| ||XPdite quick Windows XP critical security fixer|
A critical security flaw has always existed in Windows XP. This flaw allows a specially formed URL to delete the contents of entire file system directories. Although this flaw was finally fixed by XP's first service pack, the size of the service pack and many stability problems associated with its use argued for a more immediate solution. XPdite provides instant protection for this vulnerability with a 30k download.
| ||GRC.COM network topology change it was time to update things
We were given the opportunity to assume the management of our own equipment to be installed in our ISP's facility. This allowed us to be significantly more self-sufficient in the face of our occasional need for quick network tuning and tweaking. (Now we don't need to bug Verio for every small change.)
| ||ShieldsUP! Overhaul time for new technology
For nearly all of the first four years of its existence ShieldsUP! could best be described as an "introductory" remote port scanner. Times changed and so has ShieldsUP! Today ShieldsUP! has arguably taken the lead to become the Net's most authoritative and reliable Internet port vulnerability scanning facility.
| ||GRC eCommerce custom order processing system
I finally made time to address the need for online, 24/7/365, real time purchasing and downloading of our software. We were late doing this since I refused to use someone else's "shopping cart" system that I didn't write and couldn't trust. (Serious security vulnerabilities and exploits are being discovered in those apps all the time.) So I built my own system from scratch to securely manage the process of accepting customers' private information, interacting with the international banking network, and providing our software to our customers moments later.
| ||The DCOMbobulator DCOM: check it, then chuck it
Microsoft's DCOM patch to fix the nasty remote compromise vulnerability doesn't always "take". And even when it does it foolishly leaves the unneeded DCOM facility running. So I created the DCOMbobulator for two purposes: It allows any Windows user to quickly check their DCOM patch effectiveness . . . and then to shut down DCOM for good. (But it can be turned back on anytime if it's ever needed.)
| ||SpinRite v6.0 The *MAJOR* Upgrade
Version 5.0 of SpinRite managed to survive untouched for six long years (which was, in retrospect, somewhat longer than it should have). But during that time its support for FAT file systems only began to significantly limit the product's usability as Windows XP brought NT's sophisticated NTFS file system into the consumer mainstream. By the middle of 2003, it became clear that a new version of SpinRite was urgently needed. Seven months of development, with lots of support and testing help from the members of our grc.spinrite.dev newsgroup, turned v5.0 into the far more capable, speedy, and useful v6.0.
| ||ClicKey Adding sound to "too quiet" keyboards
After purchasing a tiny Toshiba Libretto sub-laptop with "chicklet" keys, I was annoyed by the lack of any audible (or much tactile) feedback. So I wrote Add sound to a "too quiet" keyboard
| ||Third-Party Cookies How many users leave them enabled?
I embarked upon a research project to determine the percentage of GRC's visitors who currently have third-party cookies (the bad one's) enabled in their browsers. The link above shows real-time statistics. (The graphics charts are not "live".)
| ||MouseTrap Check your system for "MICE"
At the start of 2006, a very serious critical Windows vulnerability was discovered to have existed in every version of Windows since NT. To me, the code execution path seemed to have been put in there deliberately, once upon a time. This utility quickly checks to make sure your system has been patched.
| ||Pure CSS Menus 100% Script-free menuing
This research project developed the technology of 100% script-free, pure CSS (cascading style sheet) menus for any web site. All of the work was placed into the public domain for the benefit of the Internet community.
| ||SecurAble Check processor security features
Modern generation processors have improved support for 64-bit code, "hardware virtualization" and buffer overrun exploitation. This little utility quickly determines and displays which of those features a system support. (And it also provides nice processor identification.)
| ||Perfect Passwords A reliable source of randomness
Modern WiFi security, as well as many other forms of security, now depends upon using passwords that cannot be easily guessed or "brute forced." But high-quality "unguessable" passwords are surprisingly difficult for people to invent. GRC's Perfect Passwords page provides a high quality and trustworthy source of randomness for any purpose.
| ||PPP GRC's perfect paper passwords system
As more banking and eCommerce happens over the Internet, identity theft and impersonation is becoming a growing problem. "Multifactor Authentication" can go a long way to improving "logon" security. So we developed a simple and highly secure "one time password" system and have encouraged its wide usage.
| ||GRC Versioning System Super-lightweight software versioning system
To support the rapid development of the DNS Benchmark, and for the future work on CryptoLink, I created a pseudo-DNS server at GRC which can be queried with a single DNS packet for the latest version of any of GRC's recent software. The returned version number, as an IP address, is also a single small packet.
Everything above is finished and was
completed in that approximate sequence.
| ||DNS Characterization creating a contemporary appraisal
Every day, the Internet's Domain Name System (DNS) silently, faithfully, and reliably looks up and converts millions of domain names into IP addresses. As the Internet grows, the scalability of the system depends upon the exact operation of individual "name servers" spread throughout the Internet. I plan to invest a few weeks building some unique tools, then working with the people in our newsgroups to explore and develop a characterization of contemporary ISP DNS server operation. (This may seem like an odd project, but I have a few ideas up my sleeves.)
Everything below is in various stages of design or completion,
and may be completed in approximately this sequence.
| ||CryptoLink GRC's unique remote connectivity product
VPNs (Virtual Private Networks) and similar remote connectivity solutions are all either prohibitively complex, unreliable, difficult to use, or available on a "subscription" basis.
We think it's possible to do a MUCH better job . . . and we're going to give it a try!
| ||ZipMon the long-awaited replacement of TIP (Trouble In Paradise)
There is much more I can do for owners of IoMega ZIP and JAZ drives than I have so far. I hope to offer a surprisingly comprehensive solution for long-term ZIP and JAZ drive management and maintenance.
| ||P. A. << details embargoed pending development >>
I have an idea for a useful and important commercial product. I can not reveal much more than that here, but I am excited about creating and offering it.
| ||LeakTest v2.0 a comprehensive firewall testing tool
LeakTest v1.0 accomplished its simple but important mission of revealing the application masquerading vulnerability present in most personal firewalls. But that's all it did. There is a need for a thoroughly comprehensive, easy-to-use, end-user personal firewall testing tool. LeakTest v2.0 will answer that need.
| ||Spoofarino holding ISP's accountable
Spoofarino will be a simple end-user utility to determine whether ISPs are allowing Internet packets containing fraudulent return addresses (spoofed source IPs) to escape onto the public Internet. It is another of the applications that has been dependent upon the availability of the NanoProbe technology.
| ||Site Redesign & Search way past time to fix the home page!
This web site has been growing steadily as a consequence of the work I've been finishing. Its overall design, which was appropriate for a much smaller site, is becoming old and creaky. We badly need a complete home page redesign and a site-wide search.
| ||NetFilter our product to tame the Internet
Commercial interests have hungrily descended upon the Internet. This has been a badly mixed blessing. There is a serious need for an end-user consumer-oriented comprehensive Internet content filter to protect the identity and privacy of Internet users while returning control of our Internet connections to us. The GRC NetFilter, described here, will be our solution.
| ||FlowMeter accurate and true bandwidth measurement
I have an idea for a really cool "true bandwidth" measurement utility. It would not require any sort of bulk file downloads and it would measure only the local service provider's bandwidth to you. Are you really receiving the bandwidth you are paying for? All I need is the time to write it. I really want to.
| ||The Assimilator Net-connected device stress-testing
I want to spend some time with "The Assimilator", which I built back in February, 2001. I want to experiment with personal firewalls and residential gateways and NAT routers "under abusive load" to see how they behave when pushed beyond their breaking point.
| ||Project-X IF ONLY there were more time . . .
For many years I have had an idea for creating a very cool, but highly research and development intensive, product. I desperately want to have the time to see whether I can pull it off (I believe I can) and every PC user would kill to have it. But, if you have made it down to this point on this page, I am sure I don't need to tell you how busy I am. I am already crushed by my shorter-term project backlog. Since work on Project-X would require me to disappear from the world for a LONG time, it is continually pushed back until all of the much less time consuming projects have been completed and are in your hands.
So . . . there you have it.
As you can see, I have achieved many of the goals and completed the great majority of the projects I have started. Many, which still await completion, have been dependent upon the creation and deployment of the NanoProbe technology which is now solidly running on the grc.com servers. My future projects need only the time to work on them.
I invite you to join me on this journey by subscribing to GRC's Corporate News Blog to receive notifications of infrequent news updates regarding GRC's services, freeware or new commercial software. And, if you're interested in knowing more about what's going on with me, you are also invited to check out (and subscribe to) my personal commentary blog. And, finally, you're invited to participate in our very active, always timely, and terrific online newsgroups.
To the friends of Steve Gibson and GRC.COM:
My mission is to empower Internet users with
information, knowledge, and tools to serve
and protect their individual interests.
But this is sometimes controversial and messy. If you are familiar with my work on this web site, you already know that I take stands on issues that I consider important. Through twenty years of participation in the PC industry, I have earned the respect of most of its members. Therefore, my work often receives attention and publicity . . . and often makes waves. This invites criticism from those whose interests are contrary to mine, those who are annoyed by my non-academic populist style, those who wish their work were as popular as mine, or those who are paid to creatively generate criticism. (And some people just seem to be grumpy.)
I am sincerely sorry when my actions upset or annoy anyone individually, but this appears to be an inevitable cost of taking a stand and working to create change. So be it. Disagreement, as a healthy consequence of conflict, often works to illuminate the truth. I welcome the truth, as well as your feedback and your thoughts.
Thank you for the strength of your support and enduring loyalty. I am committed to being worthy of both.