May 2010

The Plan for 2010…


During the summer of 2008, while being frustrated by the design and configuration of the OpenVPN virtual private networking (VPN) project, and hearing constant complaints from others about their own continual annoyance and trouble with all existing VPN solutions, I began thinking about the need for a truly user-friendly, easy-to-use, and connectivity-robust private networking product to allow individuals and corporations to reliably connect back to “home base” anytime they are out and about.

During the balance of the year, as the outline of such a product began to take shape, I realized that no one had really yet done a VPN “right,” and that the GRC approach could bring a great deal of innovation to a VPN product. Early in 2009 I settled upon the name “CryptoLink” and GRC obtained trademark protection and “cryptolink” domains in all of the eight most important top-level domains, including .COM, .NET, .ORG, .INFO and .US. Patent work began, and the first of three or four patents is now pending.

“Connectivity-robust” means that where all other existing VPN solutions fail to establish a connection, or cannot reliably hold onto connections, CryptoLink can succeed. And unlike other commercial solutions (like GotoMyPC, etc.) involving a 3rd-party who could be induced by court order to allow state (governmental) access to your systems, CryptoLink’s core design enforces a fundamental “TNO” – Trust No One – model. No known force on Earth will be able to compromise nor gain unauthorized access to a CryptoLink connection.

And CryptoLink won’t be a “service model” where you “subscribe” and are billed monthly. (I hate those.) Instead, you purchase CryptoLink once for a reasonable price and you can use it forever, on as many systems as you personally and privately own. No “fees” – period. And no form of per-system “activation” (I hate that too).

So for all of those reasons (and many more that will be made clear over time) I am as excited as I could be about CryptoLink, and I’m beyond anxious to get its development underway. However, as I explained in the previous “2008 & 2009” posting, this 2010 year started with three significant GRC projects awaiting final documentation completion and public release. If I didn’t finish them first, all of the time and effort that went into them would be lost.

Also, since, once I get started, I plan to devote myself 100% to CryptoLink’s development, I also need to spend a bit of time working on GRC’s web site in just two areas before I abandon it during CryptoLink’s development:

First, with the “Security Now!” podcast heading into its 6th year, having every podcast we’ve ever produced (250 at the time of this writing) on a single web page has become ridiculous. (Actually, it’s been unwieldy for some time.) So I need to spend a little time reorganizing the Security Now! region of the website.

Secondly, we are fortunate and honored to receive a more or less continuous stream of SpinRite testimonial success stories from often-amazed SpinRite owners. I can’t think of any better way to communicate SpinRite’s potential to recover endangered or lost data than to share those true stories with potential buyers who are trying to decide. But we don’t currently have any means for keeping up to date with new testimonial submissions, nor really any place for them to be sent or posted. So I also need to spend a bit of time over on the SpinRite marketing side before I switch over to pure CryptoLink development.

At the time of this posting, the DNS Benchmark utility has been completed for some time and its documentation has all been authored. It only awaits my proofreading then final proofing by the terrific volunteers in GRC’s great newsgroups. After that, the documentation for the DNS Spoofability system will be completed and it will be made public along with the Benchmark. And after that, the web browser cookie monitoring and forensics system will be documented and made public. Then I only need to bring the Security Now! page into the 21st century and get the SpinRite testimonials under control…

Then… I’ll finally be caught up, have the GRC decks cleared, and be able to knuckle down and plow into writing the code for CryptoLink… which is really what I want to be doing because I believe so much in the importance of this next product.

• Subscribing to this GRC News blog…
For purely GRC work-related information and updates, if you subscribe to this GRC News blog (see subscription field in the upper right of this page) you will receive a notice of any updates I post here. You can also “follow” my GRC work on Twitter at @GibsonResearch.

• Subscribing to my (Steve Gibson’s) personal blog…
If you’re curious to know more about what’s going on with me — a more “behind the scenes” view — I will also be blogging more frequently on my personal blog at, and also “tweeting” much more often at @SGgrc.

And thank you so much for your interest and support of GRC and of my efforts here.


2008 & 2009

How were the years 2008 and 2009 spent?

Those two years saw the development and near-completion of two major new GRC online facilities, and one significant piece of freeware. I say “near completion” because the second and third of those projects interrupted the completion of the one before them, resulting in three major “loose ends” that — even as I’m writing this in May 2010 — are still awaiting final completion and documentation before they see the light of day.

3rd-Party Cookie Alerts
The first project is a system to alert GRC’s visitors to their browsers being configured for the acceptance of 3rd-party cookies — i.e. Web browser cookies being planted by sites other than the ones you’re visiting. As our projects often do, it hugely outgrew our original plans and acquired a life of its own. It developed into a sophisticated “Web Browser Cookie Forensics” system providing GRC’s visitors with an online facility to examine, test, characterize and understand their web browser’s precise cookie management. (During the development of that system we discovered significant bugs in the cookie handling of every web browser!)

DNS Spoofability Testing
The second project, which, due to its importance, interrupted and preempted the completion and publication of the 3rd-party cookie notification project, is a new online facility to check the “spoofability” of a visitor’s current DNS resolvers — i.e. the DNS their system depends upon for returning the correct IP address for any domain name they look up. It, too, developed into a much larger and more capable system than we originally intended or expected.

DNS Benchmark
This third project delayed the completion and publication of the DNS Spoofability project because the two were closely related and I realized that I needed to have the third one finished as part of the second. This was GRC’s newest (and extremely cool) freeware: the GRC DNS Benchmark.

The DNS Benchmark grew from a related piece of code known to GRC insiders as DNSRU: the DNS Research Utility. I originally wrote DNSRU, another piece of unpublished work, in 2002 while exploring the idea of using DNS for rapid Internet-wide messaging. Among other things, it incorporated some unique DNS benchmarking capabilities, so GRC insiders who had a copy of the never-officially-released code kept using it during the seven intervening years and asking when it would be “finished.”

Since DNSRU was about DNS, it made sense to finish it by evolving it into a polished and finished piece of freeware so that it could be released as part of the forthcoming DNS Spoofability system. The code was finalized at the end of September 2009.

Also during these two years, in addition to tackling and completing many smaller background projects, we began moving toward defining and preparing for the development of GRC’s next major commercial product, CryptoLink. Trademarks and domain names were acquired, and work began on patents, with the first CryptoLink patent — a new single-packet authentication technology for stealthing open TCP ports — submitted to the United States Patent and Trademark Office (USPTO) by early 2009, and now in “patent pending” status.

But, mostly, 2008 and 2009 saw a great deal of development on facilities and code that ended up being close to release and — finally — only needed to have their documentation completed.

2010 will see all of this work finalized, documented, and released. And once that is all finished, we’ll be very much closer to finally getting to work on the design and development of CryptoLink, our next commercial product.

Please see the May 2010 posting for a status report as of May 2010.
