From: Bojan.Zdrnja at LSS.hr (Bojan Zdrnja)
Subject: Odd Behavior - Windows Messenger Service


> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com 
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of gregh
> Sent: Saturday, 19 July 2003 8:42 p.m.
> To: Bojan.Zdrnja@....hr; 'Disclosure Full'
> Subject: Re: [Full-Disclosure] Odd Behavior - Windows 
> Messenger Service
> 
> > There are different levels of "open".
> 
> Certainly are. In this case the term would be "wide open". 
> Take an easy example. Put a 98 box on your LAN with a program 
> on it and go run it from any other machine while it is 
> waiting to be logged onto locally. 

Well, "wide open" is the same as anything else in the world. OP was talking
about a *default* installation.
I assume that you, as any other security-aware person, will harden its box
before putting it on the Internet.
And you can install a host-based firewall and make it even more secure.

Putting a 98 box on a LAN is equivalent to putting RedHat 6.2 on a LAN.

> OK well I won't be condescending - I'll just say that if 
> Microsoft acknowledge that it is something they will take 
> care of by making it an option in the future as they said 
> when I reported it to them last year, then someone obviously 
> thinks it CAN be a problem.

I don't really see a point in implementing this. So, if I understood you
correctly, they won't allow any network connection to a box until you log
in???
IMHO, that's not a needed feature at all. And besides, you won't be able to use
it if you have a network logon (domain).
What about when you lock your screen and go away?
 
> That was in reference to:
> 
> >> I don't see a reason for bashing WinXP for starting an RPC service
> >> automatically when absolutely everything does that (don't mention obsolete
> >> OSes please).

I still see no connection between WinXP starting an RPC service and a company
next door to you not needing anti-virus.

Anyway, this is going waaaay off the list charter (IMHO, again) and I won't
participate anymore and fill everyone's mailboxes unless it is
related to some security issues.

Best regards,

Bojan Zdrnja

