Message-ID: <1064688836.1072.16.camel@miles.debisschop.net>
From: kdebisschop at alert.infoplease.com (Karl DeBisschop)
Subject: RE: Probable new MS DCOM RPC worm for Windows

On Sat, 2003-09-27 at 12:40, Paul Schmehl wrote:

> ... the focus right now is completely on the 
> Microsoft clients.  I recently suggested that we should switch all MS 
> clients to Mac OS X.  :-)  They actually didn't laugh this time.
> 
> We already are pretty diversified.  Our "backoffice" stuff is primarily 
> Solaris, but we've got plenty of Linux flavors, HP_UX, SGI, FreeBSD, 
> OpenBSD, etc.

As someone noted, a lot of the problems we face have to do with the
promulgation of the idea that a running system needs no maintenance.
Compounded of course by having more and more software installed on
unmaintained desktops that acts as a server (in the sense that it
listens for and responds to requests for services from the surrounding
network).

Further, most people will allow that unless your job is computing,
computers should aid your work, rather than become yet another
distraction - even if your work is to be a student.

As food for thought, what if you took an OS that gave you a little
latitude - say Mandrake Linux, which is considered fairly user
friendly, and said "If you install this, the default configuration will
automatically download and install updates as they come from the vendor"
(after UT has done some light verification I'd assume).

Not that you or I would likely want this on our desktop, but maybe some
of your students would. And again, unless their job is computing, I
don't think that wish is totally ill-founded.

One problem would be that it would be hard then to avoid some degree of
responsibility for the quality of the patches. 

I suppose you could allow students to sign up for a UT-sponsored
SMS-style software push for Windows. And in the long run, the cost might
be less than some of the other efforts you have to undertake to secure
things. But the initial outlay might be daunting.

Just sort of thinking out loud -- all these require additional work on
your part. But there may be some useful middle ground.

-- 
Karl DeBisschop <kdebisschop@...rt.infoplease.com>

