
Re: [cobalt-security] URGENT Hacking



Very Nice Response. Can you guys move on now please!

Dan

----- Original Message ----- 
From: WebFusion System Administrator <graeme.f@xxxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Tuesday, September 05, 2000 6:20 AM
Subject: Re: [cobalt-security] URGENT Hacking


> [Note that I work for the company which hosts Mark's RaQ. This email is
> my opinion and not that of WebFusion in any way]
> 
> Mark Baker wrote:
> > Thanks Chris, but a lot of these issues we'd expect Cobalt to fix
> > as the RaQs are sold as the simple machine which is what we like
> > to get, but are happy to play with.
> 
> In this case, the fault doesn't lie at Cobalt's door. It doesn't lie at
> our door. It isn't even your fault, Mark. It is in fact the fault of one
> of your users - passwords are the first line of defence. Making a
> password short, simple or based on a dictionary word is a recipe for
> disaster - that's why changing a password on most Unix and
> Unix-based systems using the 'passwd' command will spit out errors like:
> 
> BAD PASSWORD - based on a dictionary word
> BAD PASSWORD - it's WAY too short!
> 
> Perhaps Cobalt could integrate this into their GUI. Changing the
> connection limit in the FTP config makes no difference to a determined
> cracker. They'll just put in a timeout and come back when the lockout
> has expired.
> 
> System security on RaQs is as much the responsibility of the system
> administrator (as Chris already pointed out) as it is that of the
> supplier. You wouldn't expect the company who built your house to bolt
> the door when you go out, just as you shouldn't expect Cobalt to supply
> patches for what are in fact configuration issues. Familiarity with the
> underlying systems, in this case, breeds a tendency toward paranoia,
> a little of which is always healthy in this business.
> 
> I know it's not much consolation right now but I personally would
> recommend that you get hold of a decent Linux administration book and
> familiarise yourself with the nuts and bolts underpinning your system.
> Then you'll be in a position to really shout at Cobalt when things go
> wrong.
> 
> Regards,
> 
> Graeme Fowler
> Systems Administrator
> --
> THIS EMAIL IS MY OPINION AND MY OPINION ALONE.
>
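
A password check of the kind the quoted message describes, as an added example that is not part of the original thread and is not the code of `passwd` or of Cobalt's GUI. It returns the two rejection messages quoted above; the sample word list, the length thresholds, the username parameter and the wording of the other messages are assumptions made for the illustration.

```python
import re

# Constructed sample word list; a real deployment would load a full
# dictionary file instead.
SAMPLE_WORDS = {"password", "dragon", "monkey", "cobalt", "letmein", "secret"}

# Common character substitutions, undone before the dictionary lookup.
LEET = str.maketrans("0134578@$!", "oleastbasi")

WAY_TOO_SHORT = 4  # assumed threshold, not taken from the thread
MIN_LENGTH = 8     # assumed policy value, not taken from the thread


def candidates(password):
    """Yield normalised forms of the password to look up in the word list."""
    lowered = password.lower()
    for form in (lowered, lowered.translate(LEET)):
        # Drop leading/trailing digits and symbols ("dragon99" -> "dragon").
        stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", form)
        for variant in (form, stripped):
            yield variant
            yield variant[::-1]  # reversed word, e.g. "nogard"


def check_password(password, username="", words=SAMPLE_WORDS):
    """Return a rejection message, or None if the password passes."""
    if len(password) < WAY_TOO_SHORT:
        return "BAD PASSWORD - it's WAY too short!"
    if len(password) < MIN_LENGTH:
        return "BAD PASSWORD - it is too short"
    if username and username.lower() in password.lower():
        return "BAD PASSWORD - it is based on your username"
    if len(set(password)) < 5:
        return "BAD PASSWORD - not enough different characters"
    for form in candidates(password):
        if form in words:
            return "BAD PASSWORD - based on a dictionary word"
    return None


if __name__ == "__main__":
    for pw in ("ftp", "P@ssw0rd", "nogard2000", "vT9#qLw2!xRk"):
        print(pw, "->", check_password(pw) or "accepted")
```

Running the check where the password is set, for example behind an administration interface, rejects the weak choice before it can be guessed, which a lockout timer alone does not do.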