The magic security CD disc Re: HTTP proxies

Alex Bligh alex at alex.org.uk
Mon Dec 9 11:07:12 UTC 2002




--On 08 December 2002 23:16 -0500 Sean Donelan <sean at donelan.com> wrote:

> It takes a lot of time to talk individual users through fixing their
> computers.  Especially when they didn't break it.  They just plugged
> the computer in, and didn't spend 4 hours "hardening" it.  Most of the
> time we're not talking about very complex server configurations, with
> full-time system administrators.  The "magic" CD would be for people who
> don't know they are sharing their computers with the Internet.

How unfortunate that the magic CD you refer to is not the one with "Microsoft
Windows" written on the front :-p

Seriously, it is faintly ridiculous that we have operators talking about
a magic CD to fix the broken default installations of various operating
systems (I include Linux etc. here too). If OS vendors shipped, by default,
less broken configs (or at least configs that turned services off -
e.g. port 137 - when not required), much, though not all, of this
problem would go away. Just like it is (now) considered irresponsible
to ship a PABX/Voicemail system with open dialthrough, the same should
be true of operating systems. In many such OS's, like it or loathe it,
automatic or semiautomatic update mechanisms already exist. This would
seem to be a good use to put them to. Perhaps NIPC etc. should start
talking to OS vendors.

Concrete example (not to pick on MS for a change) - every time I've
installed a Linux machine I spend 10 or 20 minutes rewriting the (kernel)
firewall rules for the box to suit the apps I have installed. It's a
completely automatable task. Someone unfamiliar with either IP or UNIX would
find writing such a script very hard and it would take them much longer. Do
mainstream distributions include such an automatically built script by
default? Not to my knowledge.

Alex Bligh
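
Added example, not part of the original message: one way the firewall task described above can be automated, by turning the list of listening sockets into a default-deny ruleset in iptables-restore format. The allow-list argument, the function names and the sample listener lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: emit a default-deny iptables-restore ruleset (IPv4) that opens
# only approved ports which something on the box is actually listening on.

# Constructed sample in the column layout of `ss -Htuln`.
sample_listeners() {
cat <<'EOF'
tcp LISTEN 0 128 0.0.0.0:22    0.0.0.0:*
tcp LISTEN 0 128 [::]:22       [::]:*
tcp LISTEN 0 128 0.0.0.0:80    0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
udp UNCONN 0 0   0.0.0.0:137   0.0.0.0:*
tcp LISTEN 0 50  0.0.0.0:139   0.0.0.0:*
EOF
}

# $1 = hypothetical allow-list of proto/port pairs, e.g. "tcp/22 tcp/80".
# stdin = listener lines; stdout = ruleset.
build_rules() {
    awk -v approved="$1" '
    BEGIN {
        n = split(approved, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
        print "*filter"
        print ":INPUT DROP [0:0]"
        print ":FORWARD DROP [0:0]"
        print ":OUTPUT ACCEPT [0:0]"
        print "-A INPUT -i lo -j ACCEPT"
        print "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    }
    $1 == "tcp" || $1 == "udp" {
        port = $5; sub(/.*:/, "", port)        # text after the last colon
        host = $5; sub(/:[^:]*$/, "", host)    # text before it
        if (host ~ /^127\./ || host == "[::1]") next   # loopback-only listener
        key = $1 "/" port
        if (seen[key]++) next                  # same port on IPv4 and IPv6
        if (key in ok)
            print "-A INPUT -p " $1 " --dport " port " -j ACCEPT"
        else
            print "# exposed listener not approved, default DROP applies: " key
    }
    END { print "COMMIT" }'
}

sample_listeners | build_rules "tcp/22 tcp/80"
```

On a live machine the input would come from `ss -Htuln` and the output would be reviewed before being loaded with `iptables-restore`; services such as the port 137 listener stay unreachable from outside until someone adds them to the allow-list.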



