Vulnerability Development mailing list archives
Re: Lindows Issues
From: De Velopment <devel () www2 kparker org>
Date: Sun, 21 Jul 2002 01:50:19 -0700 (PDT)
Hello KF, On Thu, 18 Jul 2002, KF wrote:
I am a paying customer and unfortunately if you read their agreements I may be violating their wishes by publishing info like that. I may also loose my right to be a Lindows insider.
I'm a "Lindows Outsider" as I simply purchased a Microtel box from the Walmart web site, so I have no qualms in saying the little that I know.
This is also why the info that I have released I stressed the Xandros side of things and was not directly refrencing Lindows. <snip>
I was not aware of the Xandros part in this. All I was able to quickly find was evidence of the Debian GNU/Linux "Woody" release, with the 2.4.18 Linux kernel. Unfortunately, there were hardware problems with the Microtel PC itself (neither sound nor CD worked). I sent the box back to Microtel and am expecting a new, working one soon. However, I had a good look while I could. Everybody's worst fears are correct: Out of the box, it came up in a modified KDE in ROOT, with no password. (If I sign onto KDM under SuSE as root, it lets me, but gives me this red background with pictures of "bombs bursting in air". This is done, of course, to discourage people from doing exactly what Lindows does!) However, to slightly lessen these security fears, I found none of the usual services open to the outside world, such as Web, Email, FTP, SSH or Telnet. (Lindows, on its web site, says it also runs a firewall to keep people out). OK. So the default is Root. The underlying Debian distro still works so I added my usual three users using the command line "useradd", with no trouble. I also put a strong password on Root and now, when booting up, some sort of XDM is running, asking for user and password. However, Root is STILL the default. One test I want to run fairly soon when I get the machine back from Microtel is to sign on to KDE as a normal user and then see if the special Lindows apps still work. So, to summarize, based on Debian GNU/Linux, through Xandros. Prefers that you run as Root all the time (EEK!) But Debian tools are still there to override that behavior. Outside ports not open but I believe there may be Lindows-specific Trojans developed that take advantage of vulnerabilities from within. I will test further when I get my replacement computer and will report any significant findings here. (It may be an advantage that I simply purchased a Lindows preload system, as I have not signed any non-disclosure agreements like may be occurring for the "Lindows Insiders"). Best regards, Ken Parker (devel () www2 kparker org)
Current thread:
- RE: Lindows Issues McAllister, Andrew (Jul 18)
- Re: Lindows Issues KF (Jul 18)
- <Possible follow-ups>
- RE: Lindows Issues Gregory_DeGennaro (Jul 18)
- Re: Lindows Issues Matt Simmons (Jul 18)
- Re: Lindows Issues Jonas M Luster (Jul 19)
- Re: Lindows Issues Matt Simmons (Jul 18)
- Lindows Issues sec daddy (Jul 18)
- Re: Lindows Issues KF (Jul 18)
- Re: Lindows Issues H C (Jul 18)
- Re: Lindows Issues KF (Jul 18)
- Re: Lindows Issues De Velopment (Jul 21)
- Re: Lindows Issues KF (Jul 18)
- Re: Lindows Issues Jonas M Luster (Jul 19)
- Re: Lindows Issues Timothy L. Salus (Jul 19)
- Re: Lindows Issues David Wagner (Jul 19)
- Re: Lindows Issues Valdis . Kletnieks (Jul 19)