[64461] in North American Network Operators' Group

Re: AOL fixing Microsoft default settings

daemon@ATHENA.MIT.EDU (Chris Brenton)
Fri Oct 24 08:34:03 2003

From: Chris Brenton <cbrenton@chrisbrenton.org>
To: nanog@merit.edu
In-Reply-To: <20031024042233.GB20749@puck.nether.net>
Date: 24 Oct 2003 08:31:04 -0400
Errors-To: owner-nanog-outgoing@merit.edu


On Fri, 2003-10-24 at 00:22, Jared Mauch wrote:
> On Fri, Oct 24, 2003 at 12:13:59AM -0400, Sean Donelan wrote:
> > http://www.securityfocus.com/news/7278
> > 
> > How many other ISPs intend to follow AOL's practice and use their
> > connection support software to fix the defaults on their customers'
> > Windows computers?
> 
> 	Sounds good to me.  The potential for these users
> to be less-than-educated enough about the existence of
> this "feature" means that the potential for this to
> increase the overall network security is a good thing.

Does anyone know anything about what security has been put in place for
this? These quotes troubled me:

"So two weeks ago, AOL began turning the feature off on customers'
behalf, using a self-updating mechanism in AOL's software."
<snip>
"Users are not notified of the change..."

Is this "mechanism" an SSL connection? HTTP in the clear? AIM? Is it
exploitable?

I think the intention is admirable, but it has the potential to be a
real nightmare if implemented incorrectly. The fact that it can all
happen without the knowledge of the end user means even a savvy user
could get whacked if the underlying structure is insecure.

C