lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
From: pauls at utdallas.edu (Schmehl, Paul L)
Subject: MS should point windowsupdate.com to 127.0.0.1

> -----Original Message-----
> From: Jeroen Massar [mailto:jeroen@...ix.org] 
> Sent: Thursday, August 14, 2003 6:51 PM
> To: 'Tobias Oetiker'; full-disclosure@...ts.netsys.com
> Subject: RE: [Full-Disclosure] MS should point 
> windowsupdate.com to 127.0.0.1
> 
> Tobias Oetiker wrote:
> 
> > Because the local techs have no clue, it will
> > take the affected companies ages to get back on the net.
> 
> Which is perfect actually as it points out all the
> stupid admins who get paid a lot of cash but really
> sit around all day with their finger up their noses.

I just curious how you geniuses would solve this problem.  You have a
multi-six figure scientific instrument, which is only manufactured by
one vendor in the entire world.  Your research department depends upon
that instrument to do research for which they are being funded
handsomely by grants and expected to produce results.

There's only one problem.  The instrument requires that you run Windows
2000 Server with IIS, and the vendor requires that you not apply *any*
patches post SP2.  The government certifies the equipment at a certain
patch level, and if the equipment is patched then the certification no
longer applies, the research is no longer funded and you are now staring
a six figure boat anchor.

Given that scenario, please apply your scintillating logic to the
problem of patching this machine to protect it against threats that were
discovered *after* SP2.

1) Minus points if you say "Don't use it."  Not an option
2) Minus points if you say "Don't allow access to the Internet.  It
*requires* access to the Internet.  (IOW, it has to be able to connect
to "live" IP address ranges, not private IPs.)
3) Bonus points if you can figure out how to maintain this machine with
no interruptions of service and with no breakins.
4) Minus points if you say, "I'd patch it anyway.  Screw the vendor."
5) Double minus points if you say, "I wouldn't work somewhere if they
had those requirements."

Take your time.  I'm not doing much.  (I'm not asking for the solution
either.  I already have it.  I'm just wondering if you can actually
think outside the box, or if you're armchair quarterbacks without a
nickle's worth of actual enterprise experience.)

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ