<rant>Why the HECK do people | by rogue1971 | 2005-01-27 05:15:18
While we're at ranting: disasters waiting to happe | by Moraelin | 2005-01-27 06:15:16
You know, what I've really had enough of is piss-poor security in the name of making it easy for the users. It's just a time bomb: it will bite the user later. And will just cause them more distress than just making them type a new password or personally enable a potentially dangerous option when they need it. And cause more of us unwilling nerds to be coaxed into fixing the victims' computers.
E.g., I already gave the example with the wireless cards shipping with security completely disabled.
E.g., let me rant about this SMC Barricade gateway some more. By default it comes (A) with a default super-user and password, _and_ (B) configured so its configuration page is accessible from the _Internet_ too. (I suppose someone thought "but what if the poor users are away and need to remotely configure their firewall?")
You can probably see the problem already. Any user who just comes home and plugs the thing in, without bothering to reconfigure anything, is just waiting for a script kiddie to come reconfigure their firewall/gateway. It comes _pre-configured_ to be open wide to a script kiddie.
You don't even have to manually do it. I could easily write a small Java program, or a shell script using wget, which scans a block of addresses for SMC routers to reprogram. Chances are I'll find at least a few thousand with that default config.
Other fun things such a script can do, if you're malicious enough, include:
- re-configuring it to be an open proxy from the internet side too. (Anonymous surfing on someone else's gateway, here we come.)
- moving their computer into the "DMZ"... which, as I've said before, in SMC's definition means moving it to a completely unprotected zone _outside_ the firewall. Just for the fun of them getting a virus even if they think they're behind the firewall.
- uploading new firmware. I mean, heh, forget about running a spam zombie on the users' computer. You can upload one on their gateway appliance, where they can't even run a virus scanner to remove it. Or install a sniffer there, for that matter: credit card number collection here we come. Again, you can't even detect or remove it easily from there.
Etc.
It's a potentially _huge_ problem waiting to happen. All in the misguided name of being "user friendly." _And_ then we also tell the poor sod that it's all easy, no technical expertise needed. Just to help lure him/her into the trap.
And sometimes I want to beat such people with a clue-by-four. Not a foam one either.