
RE: [cobalt-users] Re: Apache Chunked Vulnerability and Cobalt servers



At 11:11 AM 6/21/2002, you wrote:
If you are interested in high-end security then you
shouldn't use Linux at all. Use OpenBSD instead.
Peter

Let's not start that holy war, shall we?


>Thanks, but I'd venture to bet that I might be a notch
>higher on the security ladder than you may give me
>credit for..  But nonetheless, I do own two of these
>little jokers and I'm tired of dealing with
>Cobalt/SUN's lack of communication and urgency when it
>comes to security issues.. (we're just now getting GCC
>and zlib updated on these boxes..? It's been three
>months (or more) since those vulnerabilities were
>announced..) I had them updated on my other machines
>-1 day- after the vulnerabilities were announced, 1
>short DAY..!  But I'm _not_ about to go whacking on
>little boy blue because he has this nasty habit of
>going tits up when you go mucking with things under
>the hood.. Esp if you still allow customers to use the
>GUIs -which is the whole point of the "appliance"
>thing to start with, isn't it?  I sure didn't buy
>them (at top price $2800+ three years ago) for their
>fine hardware specs.. Not even at that time..
>
>Little blue is only 2 of my entire fleet (I've sold
>off the others), of which only one is used for
>production and that's just because they make it easy
>to offer ASP and FP to those users who _must_ have
>those services (and I personally consider both
>services a security risk and that's why I keep them
>segregated from other users/machines).. I can then
>easily accommodate those users without poisoning my
>other Linux systems - Instead, I've spent the last
>year deploying several hardened systems that left
>these little boxes behind long ago...  On my other
>hardened systems, the focus is on:
>
>1 - Kernel security (2.4.18) as well as kernel ACL.
>2 - OpenSSH/BIND/ProFTP run from chroot jail.
>3 - Stripped Linux libraries for better performance.
>4 - GCC 3.1 for improved performance
>5 - GLIBC 3.0.3
>6 - And running IPTables which is so much better than
>IPChains -but requires the 2.4 kernel.
>
>Trust me, I'm no little housewife doing this on the
>side for a hobby... This is how I make my living and
>put a roof over my head.. and have done so since '95..
>
>
>>    Actually, if you want to do something
>> _productive,_ stop shaking trees (or
>> fists) and ask politely if anything is being done to
>> deal with this issue.
>> Has anyone bothered to actually contact anyone at
>> Sun and ask if there's
>> anything in the works?
>
>Yes, several of us, as well as the guys from UK2 who
>have a whole fleet of RaQ3's (see notes from yesterday
>morning on security list).. But sadly (typically)
>Cobalt's reply was "we'll get back to you and let you
>know.." -and yet we (and the masses) still sit here
>waiting for the "official" word that the issue is even
>being acknowledged, much less a release of the
>updated software which truly wouldn't (shouldn't)
>take more than a day to get out the door -even with
>good QT..  Instead, I
>spent yesterday needlessly watching each (Cobalt) box
>by the minute to ensure it hasn't come under attack
>(again)..
>
>When one is DoS'd by this little number (hell forget
>the issue now of possible remote exploits that CERT
>claims is in the wild) - but when one is DoS'd you'll
>find _nothing_ in any of the logs pointing to the
>attacker. The only thing you'll find is one line in
>the error log noting a parent/child segmentation fault
>-then the box (and all its services) dies a slow
>death over the next 5-10 mins.. The only solution is a
>simple reboot.. But I'm not real keen on having to sit
>and watch my boxes 24/7 and reboot them every time
>some ghoul wants to post some chunked data against
>Apache esp when there's a fix available from most all
>other vendors except Cobalt/SUN...
>
>> Or are we all too busy
>> running around in little
>> circles bemoaning how unfair life is?
>
>Please, save it for someone else.. I'm going to go
>ahead and give the upgrade a spin on the _non_
>production box this eve, which I know I can perform on
>any other box, I'm just not confident about doing so on
>little blue without blowing out the GUI.. But seeing
>how we've yet to even have _confirmation_ of the issue
>and/or a fix is in the works from Cobalt/SUN, I guess
>those of us seriously concerned (and/or previously
>affected) have no other choice but to bite the bullet
>and give it a spin...
>
>I think the time has come to setup another (hardened)
>Linux box and deploy ASP/FP on it, so I can finally
>chuck little blue on eBay once and for all - would
>you possibly be interested..? I'll seriously sell it
>to you after (around) the first of Aug/Sep -after I've
>had time to deploy another system and get my current
>users migrated over to the real thing.. because these
>two little blue boxes are def heading for eBay.. I
>don't have any more time to spare sitting around
>playing with Cobalt/SUN any longer.. Nor can I sadly
>say that the last three years was a good ride.. It
>wasn't..
>
>Cheers!
>

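The symptom described in the quoted message (one "child pid ... exit signal Segmentation fault" line in error_log, nothing in access_log, then the box drains over a few minutes) is exactly what the chunked-encoding bug in Apache 1.3/2.0 (CERT advisory CA-2002-17) leaves behind: the child dies before it finishes the request, and Apache only writes the access_log entry after a response completes, so the attacker's request never gets logged. Until a vendor fix is installed (1.3.26 / 2.0.39 upstream), the one thing you can watch for automatically is a burst of child segfaults. The script below is an added example written for this note, not code from the list, from Cobalt/Sun or from the Apache project; the "child pid N exit signal NAME (num)" line format is Apache 1.3's own, but the sample error_log lines are constructed, and the 5-minute gap and 3-crash threshold are assumptions you should tune for your own boxes (a box that also runs a crashy CGI will trip a low threshold).

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

# Apache 1.3 writes one line like this to error_log each time the parent reaps a
# child that died on a signal. Nothing about the request that killed the child
# is recorded: the access_log entry is only written after a response completes.
#   [Fri Jun 21 10:03:17 2002] [notice] child pid 4321 exit signal Segmentation fault (11)
CHILD_CRASH_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\] "
    r"\[\w+\] child pid (?P<pid>\d+) exit signal "
    r"(?P<signal>[A-Za-z ]+?) \((?P<signo>\d+)\)\s*$"
)
APACHE_TS_FORMAT = "%a %b %d %H:%M:%S %Y"


@dataclass
class ChildCrash:
    when: datetime
    pid: int
    signal: str
    signo: int


def parse_child_crash(line: str) -> Optional[ChildCrash]:
    """Return a ChildCrash for a 'child pid N exit signal ...' line, else None."""
    m = CHILD_CRASH_RE.match(line)
    if m is None:
        return None
    # Apache pads single-digit days with a space ("Jun  1"); collapse that for strptime.
    when = datetime.strptime(" ".join(m["ts"].split()), APACHE_TS_FORMAT)
    return ChildCrash(when, int(m["pid"]), m["signal"], int(m["signo"]))


def find_crash_bursts(
    lines: Iterable[str],
    max_gap: timedelta = timedelta(minutes=5),   # assumed window, tune per box
    threshold: int = 3,                          # assumed minimum crashes to alert
) -> List[List[ChildCrash]]:
    """Group child crashes whose timestamps lie within max_gap of the previous
    crash and return every group holding at least `threshold` crashes.

    One segfault can be a bad CGI or module; a run of them inside a few minutes
    is the pattern a chunked-encoding DoS leaves as the child pool drains.
    """
    crashes = [c for c in (parse_child_crash(l) for l in lines) if c is not None]
    crashes.sort(key=lambda c: c.when)
    bursts: List[List[ChildCrash]] = []
    current: List[ChildCrash] = []
    for crash in crashes:
        if current and crash.when - current[-1].when > max_gap:
            if len(current) >= threshold:
                bursts.append(current)
            current = []
        current.append(crash)
    if len(current) >= threshold:
        bursts.append(current)
    return bursts


def describe_burst(burst: List[ChildCrash]) -> str:
    """One-line summary suitable for a pager or a syslog message."""
    first, last = burst[0], burst[-1]
    signals = sorted({c.signal for c in burst})
    return (f"{len(burst)} httpd children died on {'/'.join(signals)} between "
            f"{first.when:%Y-%m-%d %H:%M:%S} and {last.when:%H:%M:%S} "
            f"(pids {', '.join(str(c.pid) for c in burst)})")


# Constructed sample error_log (not a real capture); the two non-crash lines are
# ordinary Apache 1.3 noise that the parser must ignore.
SAMPLE_ERROR_LOG = """\
[Fri Jun 21 09:58:02 2002] [notice] Apache/1.3.20 (Unix) configured -- resuming normal operations
[Fri Jun 21 10:03:17 2002] [notice] child pid 4321 exit signal Segmentation fault (11)
[Fri Jun 21 10:03:19 2002] [notice] child pid 4322 exit signal Segmentation fault (11)
[Fri Jun 21 10:03:24 2002] [error] [client 192.0.2.10] File does not exist: /home/sites/site1/web/favicon.ico
[Fri Jun 21 10:03:31 2002] [notice] child pid 4330 exit signal Segmentation fault (11)
[Fri Jun 21 10:04:02 2002] [notice] child pid 4335 exit signal Segmentation fault (11)
[Fri Jun 21 14:40:11 2002] [notice] child pid 5100 exit signal Segmentation fault (11)
"""


if __name__ == "__main__":
    for burst in find_crash_bursts(SAMPLE_ERROR_LOG.splitlines()):
        print("ALERT:", describe_burst(burst))
```

Run it against a copy of /var/log/httpd/error_log from a cron job (or feed it a tail of the file) and page on any burst; the lone 14:40 crash in the sample is ignored on purpose so a single flaky CGI does not wake anyone. It tells you the box is being hit, not who is hitting it; for that you need the fix installed, or a packet capture on port 80 looking for "Transfer-Encoding: chunked" requests, since the web server itself will never log the offending request.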

_______________________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To Subscribe or Unsubscribe, please go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users