Re: [cobalt-users] CGI Script Question
- Subject: Re: [cobalt-users] CGI Script Question
- From: "Zeffie" <cobaltlist@xxxxxxxx>
- Date: Mon Aug 14 12:22:28 2000
> On Sun, 13 Aug 2000, Jimmy Gross wrote:
>
> > I am very much aware of network security policies and procedures since
> > that is the business I am in.
Hmmm, then you know that as soon as you log on as a user "you" may be able to
hack to root. This is why many service companies don't allow shell access at
all. If not root access, there are still hacks that require a user account.
I would rather not post examples, however.
>
> Super. I hope you know that my long response was mostly for the benefit
> of others who might read your statement about the admin user and think
> that taking other smart security related actions is futile.
>
> > What I was pointing out is that "admin" is a common
> > login on all raq products and in my opinion is a greater risk than with
> > a user that has limited permissions.
>
> Absolutely. But also keep in mind that until recent Cobalt upgrades at
> least some of the RaQ line allowed normal system users to potentially
> issue commands as root due to a few exploits. Or so I have been led to
> believe due to information posted on cobalt.com, security-related internet
> sites and the sites of some software I use that is pre-installed or
> commonly used on RaQs. And I guarantee that many production RaQs are
> still vulnerable to these exploits.
>
> > Most of the users on this list have an
> > admin login and with the proper software and enough time their password
> > can be easily acquired and hacked into.
I have to say it. It's a speech... Flirt included.
When making passwords you should always use a combination of numbers and
letters and do not form words, your child's birthdate, names, or anything
else that can be found in the dictionary. Password length should be at
least 8 characters long; more is preferred, and these days I recommend and
use longer. Eight is common, just like you are in my heart, so don't use
eight-character passwords unless it is your maximum password length.
> For some time I've wanted to modify Cobalt's special sauce to allow me to
> rename the admin user to something else without breaking the GUI. I
> haven't done so b/c I don't want to deal with the consequences of not
> getting it right the first time. Maybe Cobalt will build the
> functionality of allowing the server admin to rename the admin user in one
> of their updates or future RaQ lines. I wouldn't be surprised if one of
> the large hosting companies or more savvy power users has already done so,
> but I don't recall reading about it or speaking with anyone who's done so.
>
> > Fortunately, for my company we have a
> > security officer with a staff that monitors our networks.
>
> But unfortunately most RaQ owners that frequent this list don't. And even
> if the big hosting companies have an entire security department I don't
> think they're monitoring their users' log files, checking that their
> permissions are correct, checking that their usernames are obscure and
> their passwords are not prone to a dictionary attack, etc. That's
> generally the role of a server admin. The hosting companies could do it,
> but they typically bill at $125-$175 an hour and most of their customers
> would not be able to afford any services worth having.
>
Psionic makes a user watcher that goes along with PortSentry.
It will report suspicious user activity, or so I read once.
http://www.psionic.com/
Zeffie