
Re: [cobalt-security] URGENT Hacking



[Note that I work for the company which hosts Mark's RaQ. This email is
my opinion and not that of WebFusion in any way]

Mark Baker wrote:
> Thanks Chris, but a lot of these issues we'd expect Cobalt to fix,
> as the RaQs are sold as the simple machine, which is what we like
> to get, but are happy to play with.

In this case, the fault doesn't lie at Cobalt's door. It doesn't lie at
our door. It isn't even your fault, Mark. It is in fact the fault of one
of your users - passwords are the first line of defence. Making a
password short, simple or based on a dictionary word is a recipe for
disaster - that's why, when changing a password on most Unix and
Unix-based systems, the 'passwd' command will spit out errors like:

BAD PASSWORD - based on a dictionary word
BAD PASSWORD - it's WAY too short!

Perhaps Cobalt could integrate this into their GUI. Changing the
connection limit in the FTP config makes no difference to a determined
cracker. They'll just put in a timeout and come back when the lockout
has expired.

System security on RaQs is as much the responsibility of the system
administrator (as Chris already pointed out) as it is that of the
supplier. You wouldn't expect the company who built your house to bolt
the door when you go out, just as you shouldn't expect Cobalt to supply
patches for what are in fact configuration issues. Familiarity with the
underlying systems, in this case, breeds a tendency toward paranoia, a
little of which is always healthy in this business.

I know it's not much consolation right now but I personally would
recommend that you get hold of a decent Linux administration book and
familiarise yourself with the nuts and bolts underpinning your system.
Then you'll be in a position to really shout at Cobalt when things go
wrong.

Regards,

Graeme Fowler
Systems Administrator
--
THIS EMAIL IS MY OPINION AND MY OPINION ALONE.
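An added example, not code from this thread or from Cobalt's RaQ software: a small Python password-policy check in the spirit of the 'passwd' rejections quoted in the message (too short, based on a dictionary word, too simple), including the leet-speak, reversal and trailing-digit normalisation that dictionary attacks routinely apply. The word list is a constructed stand-in for a real system dictionary such as cracklib's; the minimum length and the character-class rule are assumptions.

```python
"""Password-policy checks modelled on the passwd rejections quoted above.
Added example: the dictionary below is constructed, not a system word list."""
import re

MIN_LENGTH = 8  # assumed policy value

# Constructed stand-in for a system dictionary (a real check would load
# /usr/share/dict/words or use cracklib).
DICTIONARY = {"password", "letmein", "dragon", "monkey", "cobalt", "secret", "welcome"}

# Undo common letter-for-symbol substitutions so "p4ssw0rd" is seen as "password".
LEET = str.maketrans("4301$5!7@", "aeolssita")


def _candidates(password):
    """Return the normalised forms of a password that a dictionary attack would try."""
    base = password.lower()
    forms = {base, base.translate(LEET), base[::-1]}
    # Strip leading/trailing digits and punctuation: "password123" -> "password".
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", base)
    forms.add(stripped)
    forms.add(stripped.translate(LEET))
    return forms


def check_password(password, dictionary=DICTIONARY, min_length=MIN_LENGTH):
    """Return a list of rejection reasons; an empty list means the password passed."""
    reasons = []
    if len(password) < min_length:
        reasons.append("BAD PASSWORD - it's WAY too short!")
    if any(form in dictionary for form in _candidates(password)):
        reasons.append("BAD PASSWORD - based on a dictionary word")
    # "Simple" here means fewer than three of: lower, upper, digit, symbol (assumed rule).
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("BAD PASSWORD - too few character classes")
    return reasons


if __name__ == "__main__":
    for pw in ("dragon", "nogard", "p4ssw0rd!", "Secret2024", "Tr0ub4dor&3x"):
        print(pw, "->", check_password(pw) or ["OK"])
```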