HTTP proxies, was Re: Operational Issues with 69.0.0.0/8...

>> How do we get software vendors (free, pay, virus) to distribute
>> software with appropriate defaults?

> Second step, publish a directory. I.e. detect the
> non-conforming devices and publish their IP addresses in an
> LDAP server.

> Let me get this straight, you are suggesting that the way to fix the
> problem that there are potentially millions of insecure machines
> connected to the Internet is to *PUBLISH* the IP addresses of all of
> them in an easy to parse format? Cute.

Yes, more or less. I am suggesting that people who have *detected* a
vulnerability and wish to publicize this fact should publish their lists
in a standard format and make them available via a standard protocol like
LDAP. Since the number of *detected* vulnerable hosts is a lot lower than
the total number of vulnerable hosts, this is not as big as you think. And
since one has to *detect* the vulnerability before publishing it, the
scaling issue with detection is more of an issue than with publishing.

Besides, LDAP has proven to be scalable to very large databases. LDAP was
developed as a light-weight system so that it could be scaled massively.

> Don't tell me...we'll be able to pull the vulnerability that got the
> hosts in the list too, so we can verify that "our" machines are,
> indeed, misconfigured? :wink:

Sure, why not? If someone is going to the trouble of collecting the
information and publishing it, then they should publish this as well.
After all, when you query an LDAP server you can specify which fields you
want to retrieve. Applications that don't need the vulnerability info
won't bother asking for it.

--Michael Dillon
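The consumer side of what the thread proposes, as an added example that is not part of the original post: an operator checks whether hosts in their own prefix appear in a published list and asks only for the attributes they need, the way an LDAP search lets a client pick fields. The attribute names (vulnHost, vulnId, detectedAt), the directory layout and the LDIF sample are constructed for illustration; a real client would run the same selection against a server with ldapsearch or an LDAP library.

```python
import ipaddress

# Constructed LDIF export, shaped like what an LDAP search might return.
SAMPLE_LDIF = """\
dn: vulnHost=69.1.2.3,ou=openproxies,o=example
vulnHost: 69.1.2.3
vulnId: open-http-proxy
detectedAt: 20030105T120000Z

dn: vulnHost=69.1.9.7,ou=openproxies,o=example
vulnHost: 69.1.9.7
vulnId: open-smtp-relay
detectedAt: 20030106T080000Z

dn: vulnHost=192.0.2.44,ou=openproxies,o=example
vulnHost: 192.0.2.44
vulnId: open-http-proxy
detectedAt: 20030106T090000Z
"""

def parse_ldif(text):
    """Parse a minimal LDIF export (no folding, no base64) into dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current[attr] = value
    if current:
        entries.append(current)
    return entries

def hosts_in_prefix(entries, prefix, attrs=("vulnHost",)):
    """Entries whose vulnHost lies in `prefix`, projected to `attrs` only.
    Default lists just the addresses; add "vulnId" to pull the reason too."""
    net = ipaddress.ip_network(prefix)
    hits = []
    for e in entries:
        try:
            addr = ipaddress.ip_address(e.get("vulnHost", ""))
        except ValueError:
            continue  # skip malformed published records rather than fail
        if addr in net:
            hits.append({a: e[a] for a in attrs if a in e})
    return hits
```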