Message-ID: <200308120921.23789.jeremiah@nur.net>
From: jeremiah at nur.net (Jeremiah Cornelius)
Subject: Windows Dcom Worm planned DDoS
On Tuesday 12 August 2003 06:40 am, Franky Van Liedekerke wrote:
> I guess everybody can implement SUSserver (www.susserver.com): it's a
> local version of a Windows update server.
> If you implement this, you can allow only this server access to the
> Microsoft update sites, and let everybody else (from within the
> ISP's network) connect to the local update server.
I guess everyone can implement THIS to upgrade Windows:
http://www.tldp.org/HOWTO/KickStart-HOWTO.html
Or even better! Why should you distribute risky code to every physical point
in an organization? Personal OS installs are for laptops.
http://www.ltsp.org/documentation/ltsp-3.0-4-en.html
Microsoft's "Trustworthiness" is running a wee bit thin. This exploit
survived their charming little 'code review and profiling' PR episode last
year - and the 5 month delay of Win2003 for security reasons.
From a risk perspective, every security manager in the world should be
weighing the value of including any MS platform or protocol in their trusted
operations. Factors in this equation include a vendor whose business
interests are in potential or active conflict with most of their customers; a
vendor with a track record of CONSISTENTLY getting the most important things
wrong 8 out of 10 times; a vendor with a willingness to embed^H^H^H^H^H
infest server platforms with public keys, for which they maintain the private
keys.
This last factor - from any vendor - should present an irreparable violation
of Security Policy. Why worry about trojans on your OS of choice, when the
OS is itself a trojan?
--
Jeremiah Cornelius, CISSP, CCNA, MCSE
Information Security Technology
email: jcorneli@...mail.com - mobile: 415.235.7689
"What would be the use of immortality
to a person who cannot use well a half hour?"
--Ralph Waldo Emerson