lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.GSO.4.43.0207151610080.16133-100000@tundra.winternet.com>
From: dufresne at winternet.com (Ron DuFresne)
Subject: Counseling not to use Windows (was Re:
 Anonymoussurfing my ass\!)

On Mon, 15 Jul 2002, Schmehl, Paul L wrote:

	[SNIP]

>
> It isn't the OS that's the problem.  It's the manufacturer's choices of
> default settings and the ignorance of the users (and admins in many
> cases.)  Isn't this precisely the same problem on *nix?  Give me an
> ignorant user on a default install of *nix and I'll give you a hacked
> box in a few minutes (except perhaps OpenBSD, which is one of the few
> that ship "secure" out of the box.)
>
> Please don't misunderstand - I am NOT saying Windows is a good as or as
> secure as Unix.  Given the choice, I'll take OpenBSD.  But the *real*
> problem isn't software, it's humans.


You hit on the duality of the issue<s> beofre trying to refine it into a
plurality issue.  The *real* problem is vendors relasing bugy code with
insecure defaults which *promotes* users remaining clueless.  take a look
at the wireless issues spewing into the airwaves now, and look at not only
the default installs of the products available for playing with wireless
toys and trikets, but, take a serious look at the documentation and how
much is devoted to the issue of securing the toys.  For example, take a
look at the pdf manual for the d-link dwl-650 wireless net card, 80 pages
of which about 2 pages are devoted to trying to secure the devices in any
fashion via wep, not that wep is all that secure, but, it beats nothing
<the default>.  Or consider this, even if a vendor 'attempts' to do
something less then a default open braodcast:

Orinoco RG-1000 residential gateway is reported in past advisories to
     ship with WEP enabled;  From: Bill Arbaugh <waa@...UMD.EDU>
     Subject: RG-1000 802.11 Residential Gateway default WEP key
     disclosure flaw Date: Mon, 2 Apr 2001;

                Unfortunately, the default
                     WEP key is set to the default network name, SSID. The
                     SSID appears in several 802.11 management frames in
                     the clear-- even when WEP is enabled. Therefore, an
                     attacker with a sniffer capable of capturing
                     management frames can determine the current WEP key
                     which is the last five digits of the network name,
                     (provided the default has not been changed). Armed
                     with the network name, and the current WEP key the
                     attacker can easily gain access to the users wireless
                     LAN. Additionally, the default network name for the
                     unit studied was the last six nibbles of the MAC
                     address converted into ASCII [1]. As a result even if
                     the key were not the network name, an attacker could
                     determine it by sniffing the MAC address of the unit.

                     To Lucent/Ornioco's credit, the fact that the default
                     encryption key should be changed is strongly
                     encouraged in the manual.  However, the fact that the
                     default key is disclosed in the clear as part of the
                     network name is unfortunate.  The default encryption
                     key should be changed to a randomly generated value
                     set at the factory.



The moral to this is, don't just beatup on the users, but, get ugly with
the vendors and force them to pay attention to security as well, and force
users to shoot themselves in the foot rather then just shooting em in the
head from the beginning.

If openbsd only tried to do things half-assed, they certainly would not
get the allcolades they do from the user comunity here.

Thanks,


Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
	***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ