How do we get software vendors (free, pay, virus) to distribute software with appropriate defaults?
michael> Second step, publish a directory. I.e. detect the
michael> non-conforming devices and publish their IP addresses in an
michael> LDAP server.
Let me get this straight, you are suggesting that the way to fix the problem that there are potentially millions of insecure machines connected to the Internet is to *PUBLISH* the IP addresses of all of them in an easy to parse format? Cute.
Yes, more or less. I am suggesting that people who have *detected* a vulnerability and wish to publicize this fact should publish their lists in a standard format and make them available via a standard protocol like LDAP. Since the number of *detected* vulnerable hosts is a lot lower than the total number of vulnerable hosts, this is not as big as you think. And since one has to *detect* the vulnerability before publishing it, the scaling issue with detection is more of an issue than with publishing. Besides, LDAP has proven to be scalable to very large databases. LDAP was developed as a light-weight system so that it could be scaled massively.
Don't tell me...we'll be able to pull the vulnerability that got the hosts in the list too, so we can verify that "our" machines are, indeed, misconfigured? ;-)
Sure, why not? If someone is going to the trouble of collecting the information and publishing it, then they should publish this as well. After all, when you query an LDAP server you can specify which fields you want to retrieve. Applications that don't need the vulnerability info won't bother asking for it.

--Michael Dillon