[Dshield] Is this some kind of washing hands or pointing fingers at innocent parties?

Ed Truitt ed.truitt at etee2k.net
Thu Sep 12 11:24:19 GMT 2002


----- Original Message -----
From: "KeithTarrant" <KeithTarrant at spamcop.net>
To: <list at dshield.org>
Sent: Wednesday, September 11, 2002 5:13 PM
Subject: Re: [Dshield] Is this some kind of washing hands or pointing
fingers at innocent parties?


> A hint to the target audience is here: "The activity appears to be
> associated with a coordinated series of individual attempts to compromise
> Windows 2000-based servers."  So people running Windows 2000 based
> servers, not ordinary home users, but admins who don't patch their
> software, set good passwords, run good firewalls, and eliminate guest and
> admin accounts.
>
> Security is a partnership.
>
> With software marketed for home users, it should be secure right
> out-of-the-box.  So, agreed, Windows XP should disable the default guest
> account and administrator account after forcing the user to replace them,
> and it should default to forcing strong passwords.  Those would be good
> suggestions to make to M$ directly, and I think I will in a minute.

Actually, I can see removing the "Guest" account, but it would probably be
best to simply force the Administrator account to have a strong password, or
else restrict the account to logging in at the console.  And, for home
users, I can't see forcing a strong password.  Remember, home users in many
cases are even lazier than business users, and getting them to even *use* a
password can be considered a "victory".  I like how MS has dealt with the
issue in XP/Home, where if you don't supply a password for the Admin account
you can't use it to logon over the network.  *That* is a good way to handle
the situation IMNSHO.

> With software marketed for business users, that it isn't foolproof right
> out-of-the-box provides employment opportunities.

I'm not expecting foolproof.  Just reasonably secure.  Oh, and when you
write to M$ you also might suggest they set the default install for
Exchange/SMTP to deny anonymous relay, the way Sendmail has been for some
time now.

> And why pick on M$.

Because it's fun?

> Almost all software vendors make vulnerable products.  *ix is no better
> right out-of-the-box.

Agreed.  But, many *nix types have customized install procedures that secure
the boxes as they are built.  Fortunately, more Windoze types (at least in
the big business world) are building and using those custom install scripts.
The GUI-based installers present with Windoze and some of the newer Linux
distros tend to encourage people to "take the defaults" - which is a Very
Bad Thing.

Simply clicking OK, isn't.

> - Keith

Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."




More information about the list mailing list