
Re: [cobalt-developers] Fwd: CERT Advisory CA-2002-20 Multiple Vulnerabilities in CDE ToolTalk



> The Cobalt Raq appliance is for all of us that want an appliance.  If you 
> do not need an appliance, by all means upgrade all you want.  For the rest 
> of us, Cobalt is keeping a restricted system to try and keep us safe and 
> secure.

Or misleading you to believe you are safer and more secure than you are. For
example I received a free security scan from Qualys 
http://www.qualys.com/

Which alerted me to a few vulnerabilities in my XTR. One of which that I
can remember had to do with Front Page, and since I do not use it I
simply disabled it. But there were others I can't remember and could not
address easily.

> I know, the box is not safe and secure without adding other things 
> and turning off a few others.

How? Are you a professional hacker? Have you paid a professional company
to scan your box, or have you received a free one like I did?

If not, you are assuming, and there is a huge difference between that and
knowing.

Plus, no matter what the Cobalt guys do, your appliance is only as safe
and secure as you make it. It is easy for a user to create an account
with a weak password, thereby giving a hacker the initial entrance
needed to proceed to do further damage.

So it's only as safe and secure as you make it, regardless of it being
an appliance. You should never have blind faith in a product's security.
Since I assume you will ultimately be responsible for problems that
could arise from an exploit. I doubt your clients will understand if you
try to blame Cobalt, nor will Cobalt reimburse you for lost income and
etc.

> But, the operating system as shipped, used 
> to be Red Hat 6.2, but Cobalt removed some things and modified 
> others.  With doing this, it is much more complicated upgrading the modules 
> than fixing them. 

Yes, but now that Cobalt is owned by Sun, they should have the resources
needed to stay on top of the game.

> If it is not acceptable to you, do it yourself or buy 
> another product.

My point was I am on that path, but out of loyalty to Cobalt, I felt
it's best for the future of the product to know reasons why Cobalt users
who used to love the product would drop the product for others.
Get it?

It's called constructive criticism. I am not bashing on Cobalt, I have a
tremendous respect for the time and effort required to make such a
product, and only make comments for improvement purposes.

If I had the same skills, then I would be making and selling appliances
not buying them. :)
  
-- 
Sincerely,
William L. Thomson Jr.
Obsidian-Studios, Inc.
439 Amber Way
Petaluma, Ca. 94952
Phone  707.766.9509
Fax    707.766.8989
http://www.obsidian-studios.com