Re: [cobalt-users] Enough is enough...
- Subject: Re: [cobalt-users] Enough is enough...
- From: "Andrew Cockrell" <acockrell@xxxxxxxxxxxx>
- Date: Tue Mar 6 18:19:51 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
I just signed up to the list, so I've missed the beginning of the conversation. But...
----- Original Message -----
From: "Rodolfo Paiz" <rpaiz@xxxxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Monday, February 26, 2001 11:03 PM
Subject: RE: [cobalt-users] Enough is enough...
> Cobalt User,
>
> Kindly remove your head from your colon. Now breathe deeply.
>
> > With all the recent issues about hacked RaQs it is very
> > apparent that Cobalt / Sun does not accept any responsibility
> > nor offer any solid fixes for these critical flaws in their
> > servers.
Cobalt has released several patches, from what I've seen at their website.
You *HAVE* upgraded bind, haven't you?
You *HAVE* upgraded proFTPD, haven't you?
You *HAVE* disabled telnet, and installed SSH2 in its place, haven't you?
Sendmail?
BTW, none of these products belong to Sun. Exploits in any of the above are very well documented.
> And they should take responsibility for a BIND exploit... why?
Exactly.
> And the company that does what you suggest is... which?
Microsoft. =P
> And you assert that RaQ's are special targets... why?
RaQ's aren't. But poorly secured Unix systems are targets.
> > IMHO, the prudent Administrator would cease using Cobalt /
> > Sun products until there is a guarantee that they will
> > support their products as they have in the past and not pass
> > the buck back to the user.
>
> The prudent administrator has a 95% lower chance of being hacked, since
> he/she has already made a strong effort to learn about and secure the
> box, *totally regardless* of what OS is running.
>
> The prudent administrator knows that there are no guarantees; ever.
>
> The prudent administrator knows that the buck was always his/hers;
> passing it to Cobalt shows a *stupid* administrator, or someone new to
> the business which is entirely different.
The prudent administrator would:
a) install SSH2
b) disable telnet
c) refrain from using FTP. Give preference to sftp.
BTW, SSH2 (not OpenSSH) running under Linux qualifies as a non-commercial (free) license. I don't understand why more people don't use it.