[Dshield] 0wnlng Windows machines

Stasiniewicz, Adam stasinia at msoe.edu
Mon Feb 26 04:27:30 GMT 2007

Hi Tonni,

Glad it made sense.  As for the certificate errors, I see them both in IE 7
and Firefox on both the p0f and Webmail sites.  Both present the
same error: the certificate is not issued by a trusted root CA (which is
in line with your description of the server's configuration).  IE 7 has changed
the way it reports certificate errors since IE 6, so maybe that is what Allen
is seeing.  But once I acknowledge the warning, both browsers will let me
see your site.

As for why your users don't see it, your Windows admin could use GPOs to
automatically configure trusts for all your internal certificates on your
internal computers.

As for the comments by John:

As good of an idea as that sounds on paper, I really don't see a feasible
idea as to how you could implement it...

Adam Stasiniewicz

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Tony Earnshaw
Sent: Sunday, February 25, 2007 4:47 PM
To: General DShield Discussion List
Subject: Re: [Dshield] 0wnlng Windows machines

Stasiniewicz, Adam wrote, on 25. feb 2007 19:41:

> The major reason you see Windows computers is simply because they are the
> most abused.  While most Novell, Linux, Unix, etc systems are maintained by
> IT staff who ensure they are properly functioning, most Windows computers
> are used by clueless consumers.  What often happens is these clueless
> consumers will buy their computer from Best-Buy or wherever and it will have
> the latest patches on it.  They might even have a friend/relative/etc look
> at the computer once or twice a year to "clean it up".  During those times,
> the folks will usually install the latest patches and AV.  But in the space
> between, the clueless consumer will not patch their computer or update their
> AV (since again, they are clueless).  They will open virus infected emails
> and install the latest crap on their machine.  For this reason, about 80% of
> all spam comes from computers infected with spam viruses.  The remaining 20%
> comes from hijacked netblocks and foreign countries with weak cyber laws.
>
> As for 2003 the main reason you are seeing it lower is because of the
> limitations of your tool.  Your tool can't tell the difference between the
> client versions of Windows and the server versions.  So, if you could, you
> would most likely see that 2000 server also has a very low rejection rate.
> But because 2003 has no direct client version, you only see stats for a
> server OS.  And going back to my first point about Novell, Unix, and Linux,
> 2003 servers tend to be professionally managed by IT folks, who are much
> better at keeping junk off those machines.
>
> Does that answer your question?

Thanks, Adam, it most certainly does.

"Alan" wrote to me off list, stating that his Windows IE7 browser had a 
certificate problem with our URL: Has anybody else the same problem with 
that? We run Apache 2.0.52 with locally generated openssl non-root 
public, private and CA certs. Our pupils, teachers and staff with 
Windows have no problems accessing webmail on the same server (but they 
don't know about this url); perhaps I've entered the wrong Order and 
Allow values? I did check it out from my own remote site with Firefox 
2.0 and it works fine for me. I do have "SSLRequire 
%{SSL_CIPHER_USEKEYSIZE} >= 128" for this url, perhaps IE7 can't swallow 
that? Hmmm ... yet another reason for finding Firefox 2.0 a really fine 
browser ...


Tony Earnshaw
Email: tonni at hetnet dot nl
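To make the setup Tony describes concrete, the following is an added example (not Tony's server's configuration and not part of the original thread) of an Apache 2.0 mod_ssl virtual host that serves a site signed by a locally generated, non-public CA, applies Order/Allow access control, and carries the SSLRequire key-size check. Hostnames, the network range and all file paths are assumed placeholders. The comments explain which browser symptom each directive can and cannot produce, which is the point at issue in the thread.

```apache
# Added illustration (not the list poster's actual configuration): an Apache
# 2.0 mod_ssl virtual host for a site whose certificate is issued by an
# internal CA. Hostnames, addresses and file paths are placeholders.
<VirtualHost *:443>
    ServerName webmail.example.internal
    DocumentRoot /var/www/html

    SSLEngine on

    # Server certificate and private key issued by the internal CA.
    SSLCertificateFile    /etc/httpd/ssl/webmail.crt
    SSLCertificateKeyFile /etc/httpd/ssl/webmail.key

    # Send the issuing CA certificate during the handshake so a client that
    # already trusts the internal root can build the chain. This does NOT
    # make the CA trusted: the browser warning "not issued by a trusted root
    # CA" only disappears once the root certificate is in the client's trust
    # store (for domain-joined Windows machines, typically pushed by GPO).
    SSLCertificateChainFile /etc/httpd/ssl/internal-ca.crt

    # Handshake-time cipher policy (OpenSSL cipher-list syntax). A client that
    # cannot satisfy it gets a TLS handshake failure, not a certificate warning.
    SSLCipherSuite HIGH:!aNULL:!MD5

    <Location /p0f>
        # Host-based access control in the Apache 2.0 "Order/Allow" style:
        # "deny,allow" evaluates Deny first, then Allow, default is deny.
        Order deny,allow
        Deny from all
        Allow from 10.0.0.0/8

        # SSLRequire is evaluated per request, after the TLS handshake has
        # already completed. If the negotiated cipher's key size is below
        # 128 bits, Apache answers 403 Forbidden. It never produces a
        # certificate-trust error in the browser, so it is not the cause of
        # the IE7 warning discussed above; the untrusted issuer is.
        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
    </Location>
</VirtualHost>
```

After editing, `apachectl configtest` validates the syntax, and `openssl s_client -connect webmail.example.internal:443 -showcerts` shows both the certificate chain the server actually sends and the cipher that was negotiated. If the chain ends at the internal CA and the cipher is 128-bit or stronger, any remaining browser warning is a client trust-store issue rather than a server configuration one.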

SANS 2007 March 29 - April 6 in San Diego, CA offers 52 Courses
taught by our top rated instructors plus a huge vendor tools expo.
Register Today! http://www.sans.org/info/2501 (BROCHURECODE: ISC)