The magic security CD disc Re: HTTP proxies
hunter at compuhelp.com
Mon Dec 9 14:41:58 UTC 2002
As much of a flame magnet as this post may be, I'd actually like to
commend MS for their security efforts on Windows XP.
If you don't know how to update your system, who cares, XP bugs you by
default to install updates. If you don't click on "OK" when it tells you
to patch security wholes, who's to blame? MS can't push it, or there'd
be yet another lawsuit.
If you're not clued enough to understand the concept of passwords in
networking security, they've put in a very simple fix, which disallows
any user to be used to connect to an SMB share if it has a blank
password. Quite a leap from Windows 2000 which doesn't even prompt you
for a password to the administrator account it creates.
While none of this would stop a determined hacker who has some reason to
get to data on your hard drive or something, it does stop the casual
exploit scanner from finding machines with open admin access and easy
access to install backdoor services, which is more than I can say for
most distros of various Unixes.
Most computer manufacturers offer their computers with antivirus which
The adware and spyware stuff, well, users install software, not much you
can do about it. Couldn't you just see MS not allowing the install of a
program on Windows because it's got spyware? That's a PR nightmare.
As another flame magnet statement, I'd just like to point out that
linux/freebsd/solaris et al are not designed for the average user to
install. The entire lure of linux as a desktop OS is that it's
customizable by the user who feels too confined in a "spoon-fed windows
Wouldn't shipping a system that has functionality disabled in lieu of
security go against this simple principle?
If you're such a "computer geek" that you decide you need linux, you'd
think you'd do a small bit of reading before jumping into it and
installing an insecure machine.
As for systems in a server environment, well, I just can't think of any
excuse for a sysadmin who installs insecure servers. If you didn't know,
than you shouldn't be installing the OS in a server environment anyway.
From: Alex Bligh [mailto:alex at alex.org.uk]
Sent: Monday, December 09, 2002 6:07 AM
To: Sean Donelan; Steven M. Bellovin
Cc: nanog at merit.edu; Alex Bligh
Subject: Re: The magic security CD disc Re: HTTP proxies
--On 08 December 2002 23:16 -0500 Sean Donelan <sean at donelan.com> wrote:
> It takes a lot of time to talk individual users through fixing their
> computers. Especially when they didn't break it. They just plugged
> the computer in, and didn't spend 4 hours "hardening" it. Most of the
> time we're not talking about very complex server configurations, with
> full-time system administrators. The "magic" CD would be for people
> don't know they are sharing their computers with the Internet.
How unfortunate that the magic CD you refer is not the one with
Windows" written on the front :-p
Seriously, it is faintly ridiculous that we have operators talking about
a magic CD to fix the broken default installations of various operating
systems (I include Linux etc. here too). If OS vendors shipped, by
less broken configs (or at least configs that turned services off -
e.g. port 137 - when not required), much, though not all, of this
problem would go away. Just like it is (now) considered irresponsible
to ship a PABX/Voicemail system with open dialthrough, the same should
be true of operating systems. In many such OS's, like it or loath it,
automatic or semiautomatic update mechanisms already exist. This would
seem to be a good use to put them too. Perhaps NIPC etc. should start
talking to OS vendors.
Concrete example (not to pick on MS for a change) - every time I've
installed a Linux machine I spend 10 or 20 minutes rewriting the
firewall rules for the box to suit the apps I have installed. It's a
completely automable task. Someone unfamiliar with either IP or UNIX
find writing such a script very hard and it would take them much longer.
mainstraim distributions include such an automatically built script by
default? Not to my knowledge.
More information about the NANOG