re: comments



2.3.12 Ability to Disable Directed Broadcasts
'These SHOULD be the default settings.'

s/SHOULD/MUST/

If you give vendors leeway to make stupid defaults, they WILL choose the 
stupid ones. History has conclusively proven this. Look at all the open 
SMTP relays, and open proxies out there.

This RFC MUST be far more anal with defaults.

Basically, the opsec RFC should mandate that a device plugged into a 
network with its default settings and no changes from defaults whatsoever 
MUST NOT be able to be exploited or used for any known attack.

There doesn't seem to be anything regarding default passwords, which is a 
known avenue of attack on many devices.

-Dan