
Full Disclosure mailing list archives

Counseling not to use Windows (was Re: Anonymoussurfing my ass!)
From: full-disclosure () lists netsys com (Ron DuFresne)
Date: Mon, 15 Jul 2002 16:34:31 -0500 (CDT)

On Mon, 15 Jul 2002, Schmehl, Paul L wrote:

        [SNIP]


It isn't the OS that's the problem.  It's the manufacturer's choices of
default settings and the ignorance of the users (and admins in many
cases.)  Isn't this precisely the same problem on *nix?  Give me an
ignorant user on a default install of *nix and I'll give you a hacked
box in a few minutes (except perhaps OpenBSD, which is one of the few
that ship "secure" out of the box.)

Please don't misunderstand - I am NOT saying Windows is as good as or as
secure as Unix.  Given the choice, I'll take OpenBSD.  But the *real*
problem isn't software, it's humans.


You hit on the duality of the issue<s> before trying to refine it into a
plurality issue.  The *real* problem is vendors releasing buggy code with
insecure defaults which *promotes* users remaining clueless.  Take a look
at the wireless issues spewing into the airwaves now, and look at not only
the default installs of the products available for playing with wireless
toys and trinkets, but, take a serious look at the documentation and how
much is devoted to the issue of securing the toys.  For example, take a
look at the pdf manual for the d-link dwl-650 wireless net card, 80 pages
of which about 2 pages are devoted to trying to secure the devices in any
fashion via wep, not that wep is all that secure, but, it beats nothing
<the default>.  Or consider this, even if a vendor 'attempts' to do
something less than a default open broadcast:

Orinoco RG-1000 residential gateway is reported in past advisories to
     ship with WEP enabled;  From: Bill Arbaugh <waa () CS UMD EDU>
     Subject: RG-1000 802.11 Residential Gateway default WEP key
     disclosure flaw Date: Mon, 2 Apr 2001;

                Unfortunately, the default
                     WEP key is set to the default network name, SSID. The
                     SSID appears in several 802.11 management frames in
                     the clear-- even when WEP is enabled. Therefore, an
                     attacker with a sniffer capable of capturing
                     management frames can determine the current WEP key
                     which is the last five digits of the network name,
                     (provided the default has not been changed). Armed
                     with the network name, and the current WEP key the
                     attacker can easily gain access to the user's wireless
                     LAN. Additionally, the default network name for the
                     unit studied was the last six nibbles of the MAC
                     address converted into ASCII [1]. As a result even if
                     the key were not the network name, an attacker could
                     determine it by sniffing the MAC address of the unit.

                     To Lucent/Orinoco's credit, the fact that the default
                     encryption key should be changed is strongly
                     encouraged in the manual.  However, the fact that the
                     default key is disclosed in the clear as part of the
                     network name is unfortunate.  The default encryption
                     key should be changed to a randomly generated value
                     set at the factory.



The moral to this is, don't just beat up on the users, but, get ugly with
the vendors and force them to pay attention to security as well, and force
users to shoot themselves in the foot rather than just shooting em in the
head from the beginning.

If OpenBSD only tried to do things half-assed, they certainly would not
get the accolades they do from the user community here.

Thanks,


Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
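
A configuration audit for the default-key flaw described in the Arbaugh advisory quoted in the message above, as an added example that is not part of the original message or of any vendor tool. The function names, the inventory format, the sample MAC/SSID/key values and the case-insensitive comparison are assumptions made for illustration.

```python
import re
from typing import Optional

def hex_tail(mac: str, nibbles: int) -> str:
    """Last `nibbles` hex digits of a MAC address, lowercased, separators removed."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits[-nibbles:].lower()

def audit_gateway(mac: str, ssid: str, wep_key: Optional[str]) -> list:
    """Return findings for one gateway's settings; an empty list means none."""
    findings = []
    if wep_key is None:
        findings.append("WEP disabled")
    # Advisory: default network name is the last six nibbles of the MAC as ASCII.
    # Letter case of the factory value is not stated, so compare case-insensitively.
    if ssid.lower() == hex_tail(mac, 6):
        findings.append("SSID is the MAC-derived factory default")
    if wep_key is not None:
        key = wep_key.lower()
        # Advisory: default key is the last five digits of the network name,
        # which is visible in management frames even with WEP enabled.
        if len(ssid) >= 5 and key == ssid[-5:].lower():
            findings.append("WEP key is derived from the SSID")
        # A renamed SSID does not help if the key was left at the old value.
        elif key == hex_tail(mac, 5):
            findings.append("WEP key is derived from the MAC address")
    return findings

def audit_inventory(inventory: dict) -> dict:
    """Map each device name to its list of findings."""
    return {name: audit_gateway(*cfg) for name, cfg in inventory.items()}

# Constructed sample inventory: name -> (MAC, SSID, WEP key or None).
SAMPLE = {
    "gw-a": ("00:00:5E:00:53:A1", "0053a1", "053a1"),     # untouched defaults
    "gw-b": ("00:00:5E:00:53:B2", "attic-lan", "k7Rq2"),  # both changed
    "gw-c": ("00:00:5E:05:3B:2C", "attic-lan", "53B2C"),  # SSID renamed, key kept
    "gw-d": ("00:00:5E:00:53:D4", "0053D4", None),        # WEP off, default SSID
}

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE).items():
        print(name, "->", findings or "no default-derived settings found")
```

A clean result here only means the settings are not the predictable defaults; it says nothing about the strength of WEP itself.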


