Re: [cobalt-users] procmail and other GPL source...
- Subject: Re: [cobalt-users] procmail and other GPL source...
- From: SteelHead <brk@xxxxxxxx>
- Date: Thu Jul 26 05:33:38 2001
- Organization: LinuxHelpers
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
snip
> Let's see... I've worked for Cobalt since November of 1997. I was employee
> number 13. I have no knowledge of any backdoor into any Sun Cobalt product
> nor have I any knowledge of any intention of putting in a back door.
>
> However, my opinions on any computer system sold by any vendor you choose
> to look at is that as long as it powers on and talks to the outside world,
> you are likely to have security holes. As an example I will point to the
> newest version of ssh... 3.0. Sold commercially, and has a very
> embarrassing bug which opens a potential root exploit (any password 2
> characters or less can basically be satisfied by entering a null
> password due to a bad string comparison piece of code)
>
> Why any vendor would actually add a hole is beyond me.
>
> Give me a physical box and I'll remove the drive and mount it elsewhere (or
> just press the password reset button). Give me the serial console on a
> reboot and I'll boot it single user and get a root prompt without requiring
> a password. Give me a little time for research and I'm sure I can find
> an exploit to get in.
>
> One of the key tenets of "computer security" is not deluding yourself that
> such a thing actually exists. It's an oxymoron. The best you can ever do
> is minimize your risk. If any of you ever find a backdoor inserted by any
> of our engineers, you should loudly and publicly embarrass us so that we
> never ever do it again. Please, I'm serious.
>
> - Lyle
>
> PS - the thoughts and opinions I have expressed in this particular message
> are my own, not necessarily Sun Microsystem's.
Lyle, Thank you.
I am a firm believer that *any* computer system can be hacked; you just have
to be able to figure out the security used and use lots of Knowledge, Skill
and Patience. If someone is trying to get into a box, it will happen.
Actually, I am surprised that there is no backdoor, but given the password
reset feature, I would consider that to be a backdoor in spirit.
Require the users to use a minimum 8-character, non-text-only password,
disable telnet and telnetd, never give shell access. Security is more about
keeping a secret than it is building walls.
Regards,
Bill
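An added illustration of the password rule Bill recommends above (at least 8 characters, not letters only), written for this page and not taken from the thread, from Cobalt or from any vendor product. The function names, the `MIN_LENGTH` threshold and the sample passwords are assumptions constructed for the example; the empty-password case is included because the quoted message describes a bug in which a null password was accepted in place of a very short one.

```python
"""Password policy check in the spirit of the recommendation above.

Added example (not code from the thread or from Cobalt). The rules and the
threshold are assumptions: at least MIN_LENGTH characters, and not made up of
letters only. Empty passwords are rejected outright.
"""
from typing import List

MIN_LENGTH = 8  # assumed threshold, matching the "minimum 8 character" advice


def policy_violations(password: str) -> List[str]:
    """Return the reasons a candidate password fails the policy.

    An empty list means the password is acceptable under these rules.
    """
    problems: List[str] = []
    if password == "":
        # A null password must never be accepted, regardless of other rules.
        problems.append("empty password")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.isalpha():
        # "non-text only": require at least one digit or punctuation character
        problems.append("letters only; needs a digit or punctuation character")
    return problems


def is_acceptable(password: str) -> bool:
    """True when the password passes every rule in policy_violations()."""
    return not policy_violations(password)


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    for candidate in ["", "ab", "a1", "password", "tr0ub4dor&3"]:
        verdict = policy_violations(candidate)
        print(f"{candidate!r:16} -> {'OK' if not verdict else '; '.join(verdict)}")
```

Run the file directly to see each constructed sample and the rule it trips; in a real system this check belongs wherever the password is set (the account-creation or password-change path), and it complements rather than replaces the transport hardening Bill mentions (no telnet, no shell access).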