
RE: [cobalt-users] recents hacks CERT # 25583

>> Ok after a few hacks and a rehack I got in touch with CERT, they are aware of
>> the vulnerability, but were not aware that so many Cobalt owners had to deal
>> with this...
>
>Are they aware that *thousands* of people using those same versions of BIND
>and ProFTPd have had to deal with this?
>I'm sure they are.
>
>> I want the law to look at this,
>
>Why?!?  This is an issue with the above two programs, not with the Cobalt.
>Don't you people get it yet?

>This is not because you're running a Cobalt. This is NOT Cobalt's fault.
>
>Back in '98 I was on a WinNT server with Verio running iChat software. You
>This is the SAME thing.
>Blame the people who are responsible for this - the hackers, NOT Cobalt or
>the people who wrote BIND and ProFTPd!!

I see your point Carrie but playing devil's advocate here....

Assuming one takes Cobalt's Marketing materials as a given...Server appliances are
to be used by Non-Linux, Non-System Administrators.

The original authors of the Linux system files are irrelevant. Your Sun Server
appliance is running COBALT Bind and COBALT proFTP, all wrapped up in a proprietary
NON-OpenSource Package. Using RPMs to upgrade exploitable system files is "EXPERIMENTAL
and NON-SUPPORTED". Translated into plain English: "We don't take any responsibility if
you install RPMs; you have to WAIT for the OFFICIAL COBALT SANCTIONED PKG Release."

Given that, a Server Appliance customer doing what COBALT TOLD THEM TO OR OTHERWISE IMPLIED
leaves them in this state:

RaQ2:

Security: BIND Update 3.0.2
HTTP: RaQ2-All-Security-3.0.2-9353.pkg    Posted: February 14, 2001
FTP: Point your FTP client to ftp://ftp.cobalt.com    Size: 3,992,001 bytes
This patch upgrades the version of bind used by DNS to 8.2.3. This version
of bind contains various security fixes for security holes that were found in BIND-8.2.2_P5.

Server Appliance Error Response: This point release requires OS Update 3.0

1 week of having the appliance on the Net with NO bind update pkg and now 10 days of having
the appliance sit without being updated while the appliance owners wait for Cobalt to release
an official Bind PKG that works. (Once again, remember that an Appliance owner is NOT supposed to
install RPMs.)

Why hasn't it been fixed in 10 days? Is it not important enough? ISP help desks are open 24/7 for
$19.95/mo customers; why can't Sun Engineers/Programmers work around the clock on such a critical issue?

You don't have to be a Clarence Darrow to see the legal liability in this scenario. Tech companies have
been sued for far less. Look at the Toshiba Floppy Class Action: http://www.ebnews.com/story/OEG19991029S0046

Same timeline and scenario for the ProFTPd pkg.

Sysadmin & Security Consultant labor costs, along with lost business, the value of stolen or compromised
client data on hosted sites, as well as the legal liability the virtual site clients can throw at the
Server Appliance owner, could easily amount to $10,000+...the FBI threshold. Multiply that by the number
of Appliances compromised here and in the UK and elsewhere and well...if there are any Class Action
Litigation Loving Counsels lurking on this list I can see the drool pouring down their chins. Forget
Cobalt. This is SUN now. They have the resources to remedy this.

http://www.hoovers.com/co/capsule/3/0,2163,14833,00.html