| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: dufresne at winternet.com (Ron DuFresne)
Subject: Counseling not to use Windows (was Re:
Anonymoussurfing my ass\!)
On Mon, 15 Jul 2002, Schmehl, Paul L wrote:
[SNIP]
>
> It isn't the OS that's the problem. It's the manufacturer's choices of
> default settings and the ignorance of the users (and admins in many
> cases.) Isn't this precisely the same problem on *nix? Give me an
> ignorant user on a default install of *nix and I'll give you a hacked
> box in a few minutes (except perhaps OpenBSD, which is one of the few
> that ship "secure" out of the box.)
>
> Please don't misunderstand - I am NOT saying Windows is a good as or as
> secure as Unix. Given the choice, I'll take OpenBSD. But the *real*
> problem isn't software, it's humans.
You hit on the duality of the issue<s> beofre trying to refine it into a
plurality issue. The *real* problem is vendors relasing bugy code with
insecure defaults which *promotes* users remaining clueless. take a look
at the wireless issues spewing into the airwaves now, and look at not only
the default installs of the products available for playing with wireless
toys and trikets, but, take a serious look at the documentation and how
much is devoted to the issue of securing the toys. For example, take a
look at the pdf manual for the d-link dwl-650 wireless net card, 80 pages
of which about 2 pages are devoted to trying to secure the devices in any
fashion via wep, not that wep is all that secure, but, it beats nothing
<the default>. Or consider this, even if a vendor 'attempts' to do
something less then a default open braodcast:
Orinoco RG-1000 residential gateway is reported in past advisories to
ship with WEP enabled; From: Bill Arbaugh <waa@...UMD.EDU>
Subject: RG-1000 802.11 Residential Gateway default WEP key
disclosure flaw Date: Mon, 2 Apr 2001;
Unfortunately, the default
WEP key is set to the default network name, SSID. The
SSID appears in several 802.11 management frames in
the clear-- even when WEP is enabled. Therefore, an
attacker with a sniffer capable of capturing
management frames can determine the current WEP key
which is the last five digits of the network name,
(provided the default has not been changed). Armed
with the network name, and the current WEP key the
attacker can easily gain access to the users wireless
LAN. Additionally, the default network name for the
unit studied was the last six nibbles of the MAC
address converted into ASCII [1]. As a result even if
the key were not the network name, an attacker could
determine it by sniffing the MAC address of the unit.
To Lucent/Ornioco's credit, the fact that the default
encryption key should be changed is strongly
encouraged in the manual. However, the fact that the
default key is disclosed in the clear as part of the
network name is unfortunate. The default encryption
key should be changed to a randomly generated value
set at the factory.
The moral to this is, don't just beatup on the users, but, get ugly with
the vendors and force them to pay attention to security as well, and force
users to shoot themselves in the foot rather then just shooting em in the
head from the beginning.
If openbsd only tried to do things half-assed, they certainly would not
get the allcolades they do from the user comunity here.
Thanks,
Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
Powered by blists - more mailing lists