Re: [cobalt-users] procmail and other GPL source...
- Subject: Re: [cobalt-users] procmail and other GPL source...
- From: Lyle Scheer <lyle.scheer@xxxxxxx>
- Date: Thu Jul 26 01:17:06 2001
- Organization: Sun Microsystems, Inc.
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Steve Werby wrote:
> <baltimoremd@xxxxxxxxxxxxxxx> wrote:
> > Sounds real nice....and I'd be willing to buy the logic if I hadn't heard
> > from a reliable source that there is at least one person who is not an
> > employee of Sun/Cobalt who has access to the back door.
>
> A backdoor may exist, then again it may not. I've been active on the cobalt
> lists since mid-1999 and I have pretty strong RaQ/Linux admin skills (more
> by need than by choice) and can say I'm not certain there is a remote-access
> Cobalt-developed back door...and if there is I'm not certain non-Cobalt
> employees are aware and able to utilize it.
Let's see... I've worked for Cobalt since November of 1997. I was employee
number 13. I have no knowledge of any backdoor into any Sun Cobalt product nor
have I any knowledge of any intention of putting in a back door.
However, my opinions on any computer system sold by any vendor you choose to
look at are that as long as it powers on and talks to the outside world, you are
likely to have security holes. As an example I will point to the newest
version of ssh... 3.0. Sold commercially, and has a very embarrassing bug which
opens a potential root exploit (any password 2 characters or less can be
basically satisfied by entering a null password due to a bad string comparison
piece of code).
Why any vendor would actually add a hole is beyond me.
Give me a physical box and I'll remove the drive and mount it elsewhere (or
just press the password reset button). Give me the serial console on a reboot
and I'll boot it single user and get a root prompt without requiring a
password. Give me a little time for research and I'm sure I can find an
exploit to get in.
One of the key tenets of "computer security" is not deluding yourself that such
a thing actually exists. It's an oxymoron. The best you can ever do is
minimize your risk. If any of you ever find a backdoor inserted by any of our
engineers, you should loudly and publicly embarrass us so that we never ever do
it again. Please, I'm serious.
- Lyle
PS - the thoughts and opinions I have expressed in this particular message are
my own, not necessarily Sun Microsystems'.
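The "bad string comparison" class of bug Lyle points to, as an added illustration that is not the ssh 3.0 code and not from anyone on this thread: a password check that bounds the comparison by the length of the submitted string accepts an empty submission (and any prefix) against every stored value, while a check that first requires equal lengths and then compares every byte does not. All function names and the sample passwords are hypothetical and constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Vulnerable pattern: the comparison is bounded by the length of the
 * *submitted* password. strncmp(a, b, 0) returns 0 for any a and b, so an
 * empty submission "matches" every stored secret, and a submission that is
 * merely a prefix of the secret matches as well. */
int check_password_buggy(const char *stored, const char *submitted)
{
    return strncmp(stored, submitted, strlen(submitted)) == 0;
}

/* Hardened pattern: lengths must agree, and every byte is compared without
 * an early exit, so neither an empty nor a prefix submission is accepted
 * and the time taken does not reveal how many leading bytes matched. */
int check_password_fixed(const char *stored, const char *submitted)
{
    size_t n = strlen(stored);
    if (n != strlen(submitted))
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(stored[i] ^ submitted[i]);
    return diff == 0;
}

int main(void)
{
    const char *secret = "s3cret";            /* constructed sample */
    const char *tries[] = { "", "s3c", "wrong", "s3cret" };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("submitted \"%s\": buggy=%d fixed=%d\n", tries[i],
               check_password_buggy(secret, tries[i]),
               check_password_fixed(secret, tries[i]));
    return 0;
}
```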