Message-ID: <200308120921.23789.jeremiah@nur.net>
From: jeremiah at nur.net (Jeremiah Cornelius)
Subject: Windows Dcom Worm planned DDoS

On Tuesday 12 August 2003 06:40 am, Franky Van Liedekerke wrote:

 
> I guess everybody can implement SUSserver (www.susserver.com): it's a
> local version of a Windows update server.
> If you implement this, you can allow only this server access to the
> Microsoft update sites, and let everybody else (from within the
> ISP's network) connect to the local update server.

 
I guess everyone can implement THIS to upgrade Windows:
 
http://www.tldp.org/HOWTO/KickStart-HOWTO.html
 
 
Or even better!  Why should you distribute risky code to every physical point 
in an organization?  Personal OS installs are for laptops.
 
http://www.ltsp.org/documentation/ltsp-3.0-4-en.html
 
 
 
Microsoft's "Trustworthiness" is running a wee bit thin.  This exploit 
survived their charming little "code review and profiling" PR episode last 
year - and the 5 month delay of Win2003 for security reasons.
 
 
From a risk perspective, every security manager in the world should be 
weighing the value of including any MS platform or protocol in their trusted 
operations.  Factors in this equation include a vendor whose business 
interests are in potential or active conflict with most of their customers; a 
vendor with a track record of CONSISTENTLY getting the most important things 
wrong 8 out of 10 times; a vendor with a willingness to embed^H^H^H^H^H 
infest server platforms with public keys, for which they maintain the private 
keys. 

 
This last factor - from any vendor - should present an irreparable violation 
of Security Policy.  Why worry about trojans on your OS of choice, when the 
OS is itself a trojan? 

 
-- 
Jeremiah Cornelius, CISSP, CCNA, MCSE
 
Information Security Technology
 
email: jcorneli@...mail.com - mobile: 415.235.7689
 
 
"What would be the use of immortality 
to a person who cannot use well a half hour?"
 
--Ralph Waldo Emerson
