RE: [cobalt-users] Cobalt to provide compensation for server hack?
- From: Rodolfo Paiz <rpaiz@xxxxxxxxxxxxxx>
- Date: Mon Feb 19 17:52:04 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> > Please confirm that you have properly installed and
> > configured AT LEAST
> > the latest PKG or RPM files for the following applications:
> >
> > * ipchains
> > * portsentry
> > * logcheck
> > * amavis
> > * apache
> > * sendmail
> > * bind
> > * qpopper
> >
> > Latest stable versions, of course.
>
> ....and kiss your warranty goodbye. Unfortunately, Cobalt can't
> have it both ways - the warranty has to cover the software,
> because it's void if you change any of these things as supplied,
> or add anything other than their sanctioned updates. What you are
> saying here, is in fact the EXACT opposite, of everything Cobalt
> insists you do. I'm not a lawyer, but I'm sure there's very likely
> a legal argument that they haven't shown some kind of duty of care.
> (i.e., making the box secure voids the warranty because it's not
> sufficiently secure when they hand it over.)
Donna, you have quite a few valid points here, and your argument is well
said. I don't argue *at all* that Cobalt should try harder to make the
boxes more secure and less buggy; the product could clearly stand a
great deal of improvement. So could the warranty terms.
However, my primary point was that the responsibility for keeping the
server running and ensuring its security is, in the end, that of its
owner/administrator.
Even though the target market is (partly) people clearly without the
knowledge to properly operate a server--which again supports the point
that Cobalt should improve security--those people should realize that
eventually practically everyone gets hacked and try to make sure it
doesn't happen to them. Also note that *most* hacked systems get
compromised well after the fixes have been released by their respective
vendors... it's not possible for the vendor to secure the box forever if
the administrators don't participate.
There's clearly major room for improvement at Cobalt, no question. I do
consider their software and systems pretty deficient. That's why I'm now
running only RedHat systems, and investing the time and effort to become
competent at running servers. Not because I want to, but because it is
my responsibility to make sure they run and keep running the way I want
them to, and because I feel that the Cobalt system has more cost than
benefit in that sense.
Free market: product not good enough, I buy from someone else. But when
I charge someone for serving their website, I take primary
responsibility for ensuring that the site gets served; no one else does.
Valid exception: if someone wants to sue Cobalt for the Qube2's GUI
firewall administration being hopelessly broken (which can be proven to
be true), and can demonstrate that they (a) made reasonable efforts to
fix it and couldn't (which is logical given the target market); and (b)
can demonstrate damages suffered due to poor security, *that's* a valid
lawsuit.
> It's about time the finger was squarely pointed where it belongs,
> with the people compromising these systems.
It's certainly true that the hackers/crackers/spammers who cause damage
one way or another should be primarily responsible and liable. It's also
true, on a secondary level and in a non-criminal way, that those who
issue software and sell products should be more responsible about
issuing patches and fixes. All I said was that still, the primary single
responsibility for keeping the server running is squarely in the hands
of whoever runs one.
You make valid points about the warranty issues, however, and I for one
would recommend that Cobalt carefully evaluate this whole thing before
they do get sued, which they eventually will. Whether the lawsuit they
get hit with eventually is or is not "valid," however, I cannot say.
--
Rodolfo J. Paiz
rpaiz@xxxxxxxxxxxxxx