AOL fixing Microsoft default settings
Chris Brenton
cbrenton at chrisbrenton.org
Fri Oct 24 12:31:04 UTC 2003
On Fri, 2003-10-24 at 00:22, Jared Mauch wrote:
> On Fri, Oct 24, 2003 at 12:13:59AM -0400, Sean Donelan wrote:
> > http://www.securityfocus.com/news/7278
> >
> > How many other ISPs intend to follow AOL's practice and use their
> > connection support software to fix the defaults on their customers'
> > Windows computers?
>
> Sounds good to me. The potential for these users
> to be less-than-educated enough about the existence of
> this "feature" means that the potential for this to
> increase the overall network security is a good thing.
Does anyone know anything about what security has been put in place for
this? These quotes troubled me:

"So two weeks ago, AOL began turning the feature off on customers'
behalf, using a self-updating mechanism in AOL's software."

<snip>

"Users are not notified of the change..."

Is this "mechanism" an SSL connection? HTTP in the clear? AIM? Is it
exploitable?

I think the intention is admirable, but it has the potential to be a
real nightmare if implemented incorrectly. The fact that it can all
happen without the knowledge of the end user means even a savvy user
could get whacked if the underlying structure is insecure.

C