lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <55149741.1064673118@[192.168.2.119]>
From: pauls at utdallas.edu (Paul Schmehl)
Subject: RE: Probable new MS DCOM RPC worm for Windows

--On Saturday, September 27, 2003 2:53 PM -0400 Karl DeBisschop 
<kdebisschop@...rt.infoplease.com> wrote:
>
> As food for thought, what if you took an OS that gave you a little
> latitude - say Mandrake Linux, which is considered fairly user
> friendly, and said "If you install this, the default configuration will
> automatically download and install updates as they come from the vendor"
> (after UT has done some light verification I'd assume).
>
That's actually been done at some edus.

> Not that you or I would likely want this on our desktop, but maybe some
> of your students would. And again, unless their job is computing, I
> don't think that wish is totally ill-founded.
>
> One problem would be that it would be hard then to avoid some degree of
> responsibility for the quality of the patches.
>
That's the real sticking point.  Whenever these types of discussions arise 
(which is often right after another MS debacle) two concerns are raised. 
As a state agency, we by law cannot work on personal equipment on state 
time.  This means that we cannot support student computers.  (Despite this 
prohibition we do provide small levels of support if they bring their 
computer to our help desk.)  Secondly there is a real concern that if we 
provide them with any software through any kind of automated methodology 
that we then become liable for anything that goes wrong.

> I suppose you could allow students to sign up for a UT-sponsored
> SMS-style software push for windows. And in the long run, the cost might
> be less than some of the other efforts you have to undertake to secure
> things. But the initial outlay might be daunting.
>
We've talked about providing them with access to SUS and possibly even SMS, 
but no decision has been made.  I suspect we'll end up not doing it.  It's 
much less troublesome (WRT the two issues I mentioned above) to simply 
quarantine them when they have a problem and let them figure out the 
solution on their own or with our assistance.

> Just sort of thinking out loud -- all these require additional work on
> your part. But there may be some useful middle ground.
>
I'm a big believer in doing work now to allow us to do less work later. 
IOW being proactive rather than reactive.

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu