Open Source and information security mailing list archives
Date: Sun, 25 May 2008 11:45:45 -0400
From: "Elazar Broad" <elazar@...hmail.com>
To: full-disclosure@...ts.grok.org.uk, pschmehl_lists@...rr.com
Subject: Re: Need some help with management

Yup, CCEs and default configurations/passwords are definitely quite
common. The folks over at gnucitizen have been hitting on this for
some time with their work on the bt home hub...

Elazar

On Fri, 23 May 2008 12:16:45 -0400 Paul Schmehl
<pschmehl_lists@...rr.com> wrote:
>--On Friday, May 23, 2008 11:56:15 -0400 Elazar Broad
><elazar@...hmail.com>
>wrote:
>
>> It's not even funny how often this happens. I have a friend who does
>> some consulting work for small businesses, and the amount of times
>> that he has come across medical practices that run their billing
>> and record keeping software on the same "fully-loaded" XP box that
>> their receptionist(s) use to download random crap...
>>
>
>Typical scenario - professor runs Windows XP with Skype and Google
>Toolbar and a host of other "helpful" desktop applications - oh, but
>that's his "server" too - running IIS and mysql - default installs, mind
>you - replete with cross-site scripting and sql injection problems - and
>all his research with no backups - and then gets irate because his
>computer gets blocked at the switch port for policy violations.
>
>I could go on, but you get the idea.
>
>Why do they do it?  Because they can - at least until we catch
>them.
>
>How many mysql installs do you think there are worldwide, listening on
>the default port, with "root@...alhost", "root@...N", "@localhost" and
>"@FQHN" all in the default state with no password?
>
>--
>Paul Schmehl
>As if it wasn't already obvious,
>my opinions are my own and not
>those of my employer.
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
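An added example, not part of the thread: an audit query for the default-account problem Paul describes, written for MySQL 5.7/8.0 where the credential lives in `authentication_string` (the 5.0/5.1 servers of 2008 kept it in a `Password` column), followed by the remediation statements a DBA would run on what it reports.

```sql
-- Added example (not from the thread). Run as a privileged MySQL user.
-- Flags the stock accounts Paul lists: anonymous ''@localhost / ''@host,
-- anything with no credential set, and root reachable from any host.
SELECT user, host, plugin
FROM mysql.user
WHERE user = ''                                  -- anonymous accounts
   OR authentication_string = ''                 -- empty credential
   OR (user = 'root' AND host <> 'localhost');   -- remote root

-- Remediation for the usual findings (names assumed from a default
-- install; adjust to what the query above actually returned).
DROP USER IF EXISTS ''@'localhost';
DROP USER IF EXISTS 'root'@'%';
-- '<strong password>' is a placeholder: set a real one.
ALTER USER 'root'@'localhost' IDENTIFIED BY '<strong password>';

-- Verify nothing is left over.
SELECT COUNT(*) AS remaining
FROM mysql.user
WHERE user = '' OR authentication_string = '';
```

On a fresh server the bundled `mysql_secure_installation` script performs the same cleanup interactively; pairing it with `bind-address = 127.0.0.1` in `my.cnf` keeps the default port off the network entirely for single-host setups like the one described.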

