Re: [cobalt-users] Enough is enough...
- Subject: Re: [cobalt-users] Enough is enough...
- From: "Colin J. Raven" <cjraven@xxxxxxxxxxx>
- Date: Mon Feb 26 19:56:28 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Sat, 24 Feb 2001, Cobalt User wrote:
> We have been using Cobalt products since the very beginning of Cobalt.
> And up till they went public and then were bought by Sun we have considered
> Cobalt a great company to work with providing us with reliable servers.
Prudent move....good equipment :-)
> However...
(Here we go, this gets better folks, keep reading!)
> With all the recent issues about hacked RaQs it is very apparent that
> Cobalt / Sun does not accept any responsibility nor offer any solid fixes for
> these critical flaws in their servers.
Geez, would you *please* turn on word wrap? Maybe 72 chars would be good? 
"Critical Flaws"???? The only "critical flaw" I see here is admins who
don't know squat about networking and UNIX.
> IMHO, the prudent Administrator would cease using Cobalt / Sun products
> until there is a guarantee that they will support their products as they
> have in the past and not pass the buck back to the user.
The "prudent administrator" understands the difference between BIND4 and
BIND8.
The "prudent administrator" understands the fact that unless you can
install bastille Linux, implement ipchains, tripwire, portsentry et al you
*don't* have a secure box...period. There is yet to be a distro that is
intrinsically secure out of the box.
> At this point Cobalt / Sun you have lost a customer, and most of all one 
> of your greatest proponents since the beginning (Yes, we also run Sun
> servers).
Are you kidding me? The first job a "prudent administrator" (read
accomplished administrator) does when booting a new Solaris installation
is secure it before he even plugs it into a switch. Security is job1,
nothing else even comes close. 
> Additionally, we do not intend on buying any Sun products.  
Er....don't you mean *more* Sun products? hmmm???? From what you wrote
above, you already bought some servers...what are you gonna do...sell
them? 
So OK, let's say (hypothetically, for a moment) that you cease buying Sun
products. Good. Now you're making progress you say. Tell me this...*what*
OS will you replace the "insecure" Sun OS with? Redhat? Caldera?
TurboLinux? Tell me this....which of these distros are secure on bootup?
> It is obvious that Sun is allowing this lack of
> quality and commitment and the "Prudent Administrator" would only be
> doing their job by not allowing this equipment into their network
> either.
<pissed off and hitting my stride now>
Are you referring to Solaris??? There are MEGS of docs on public web
servers all over the world that describe almost every conceivable Solaris
hole, how to plug it...FOR EVER...and scads of other docs describing the
"lesser-known" exploits, and *precisely* what to do about them. Gawd, you
are so far out on a limb here, the tender branch that supports your
soon-to-be unsupportable position is about to snap!
There is NO (and I repeat NO) professional Solaris admin that would agree
with your position. It is axiomatic that a new OS install *must* be
secured from day one (as said above).
Your job as a "Prudent Administrator" is to author a coherent security
policy, get it signed off on, and then damn well implement it. YOU are the
tool of choice to defeat attacks, because only YOU know your configuration
and topology. YOU are expected...nay...REQUIRED to know about exploits,
and the required defences and remedies. That is your JOB!
Now, Linux is NO different to any other UNIX in its capability to
withstand attack. The difference is the administrator who reads and
researches as much as any doctor reading the JAMA and myriad other
professional journals each day/week.
If you have read this far, I will add reasoned comment to this rant. IMO,
Cobalt made a grave mistake shipping any "appliance" with BIND4. BIND8 has
been out so long they could hardly claim "there was no time to upgrade
before going to market". That claim if ever made would be horseshit at the
moment of utterance. Others better suited to this analytical role are
pursuing this issue, but with forethought, not shoot-from-the-hip reactions
such as you wrote above. 
Furthermore, shipping an "appliance" whose claim
to fame is that "you don't need to know UNIX to use it and profit from it"
and then load dated and known-to-be tragically insecure critical software
is tantamount to negligence, given the market Cobalt was going after.
However, Sun has been at the helm less than 6 months, and this ship takes
more turning around (from a corporate perspective) than can easily be
imagined by the casual onlooker.
To summarize therefore:-
You overlook key issues in your presentation. These are:
1. The role of the skilled admin in knowing what security means and how to
write then enforce a coherent policy.
2. The absolute knowledge that there is no *NIX distro that is "secure" on
first boot. (This body of awareness goes back 20 years)
3. Don't blame others. Learn and the knowledge shall be for ever yours (and
anyone else you subsequently teach)
4. Post to this list with humility. If you don't, someone will quickly
chop you down to size. Sometimes briefly and dismissively, and at other
times with surgical care. We *ALL* have something to learn, and the
population of this list goes all the way from 1st day panicked newbie to
people who are kernel hackers in their own right.
5. Frankly, I question your credentials to even effectively discuss this
issue. There are far too many flaws in your reasoning.
> PS. Looks like it's time to start selling their stocks too to cut my losses there as well.
Oh! So let me ask you what you bought at? I bought Sun at $17 many years
ago. Sold half at just over double, and held the rest to this day
having been the beneficiary of splits and extraordinary dividends as the
years have passed. And you are....what?....going to sell some mythical
holding at a bottom market? On the basis that you are miffed at the
intrinsic insecurity of an appliance product that has not even been
effectively brand-managed yet? and has upside potential that can add 30%
to stockholder dividend in the next 12-18 months???
(Disclosure: I am not an employee of Sun Microsystems, I am not a dealer or
VAR of Sun products, I don't give a shit. I care about a decent return on
an invested buck and couldn't care less what flavor of UNIX you or anyone
else runs)
Listees...this time I made damn sure I addressed the facts and didn't
wantonly waste the guy...but ohmygawd...it was close. I promised the list
that I would think before writing "next time" and (I think) kept my
promise. Sorry if this got long, but it IS necessary.
Regards, 
-Colin
--
Colin J. Raven
Linux Registered User #82296
Mon Feb 26 21:11:01 EST 2001
  9:11pm  up 16 days,  8:02,  3 users,  load average: 0.04, 0.02, 0.00