lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <BAY7-DAV32DMT0nlTTh00039086@hotmail.com>
From: helmut_hauser at hotmail.com (Helmut Hauser)
Subject: Full-Disclosure] Anti-MS drivel

I just have to say that Microsoft is working on higher and tighter security
[Windows XP Service Pack 2]

As far as I can say it looks promising.

Maybe it is a bit too late but they are moving - Server 2003 is more secure,
most services are tuned off by default and Windows XP goes in that
direction.

The new virii/worms are getting in the social engineering direction.
Look at sven - fake mail microsoft style or sober - "you have been caught"
and mimail - which was zipped - indeed proves that after Iloveyou nobody has
learned - uh oh - let?s look into it !!!,
and not to forget Sobig which pretended to origin from known senders and
flooded mailservers.

IMHO if another outbreak (very likely) occours it should be on the media (TV
and Radio) so even Joe Sixpack knows then:
-> Do not run that attatchment !
-> Download THIS update to stay secure.

Sometimes it?s to blame us administrators for not installing patches -
slammer and blaster patches were released way BEFORE the outbreak(s) occured
but most admins did not patch,
simply they dont?t even know that there is a patch available ! Could you
blame Microsoft on that ? Simply no, cause as admin I have to know about
patches/releases, I have to be on the MS security mailinglist and so on.

e.g. I had to help out one large organisation (the famous infected notebook
thingy) to patch the whole IT, what a nightshift ...

*nix admins patch regulary but some (so called) windows admins) don?t -
cause they did not realize that there is something to patch ...

It?s all about knowledge and education.

I recommend the MS SUS server, it?s free, you can test patches before
approving them and it is inexpensive compared to SMS

But that?s for us admins with a clue, what about the aunt annie and Joe
Sixpack ?

IMHO Windows may be insecure by default but there are patches and windows
update but most private users turn it of by default - heck if I had a modem
I would do the same ...

What should MS do ?

- Put free CDs with Patches everywhere [like [censored] AOL does with their
"Software"]
- Go to media, even it hurts
- Shut down unecessary (insecure) Services
- Change the behavior of XP Home (everyone is admin) - create an own install
account with warning background - SuSE like with bombs
- Include a security tour after (pre)-installation (OEM)

- Software vendors - change your installers - most games run only as admin
in WinXP ...

And I truly agree with Tobias Weisserth that Windows XP Home should have
been locked down and hardened for the home user (Joe Sixpack).

It?s a crippled version of XP Pro with less features even in the security
area, you can patch it - like the german magazine CT pointed out - but that
is
not manageable for the home user without any clue - heck I have had one mate
who put his windows9x into the recycle bin and called me his windows won?t
boot anymore.
Nothing is impossible ! So don?t blame the Joe Sixpacks around - Media
coverage and a better security support is all.

just my 0,0002 cents

Helmut Hauser
Systemadministration EDV


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ