Re: [cobalt-security] RAQ3 vulnerabilities
- Subject: Re: [cobalt-security] RAQ3 vulnerabilities
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Tue, 4 Dec 2001 23:12:47 +0100
- Organization: Stauber Multimedia Design
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Nico,
> What good would physical access to any 'standard' (ie. no RaQ or equivalent
> with all kinds of nifty buttons on the front) server do without any or all
> of the following:
>
> - serial cable connected to laptop/desktop
> - ethernet connected to laptop/desktop
> - screwdriver
> - axe
> - etc...
>
> as far as "changing software specifications" on that server is concerned?
> With that, I mean: load a different kernel, install software (rootkits,
> trojans, etc.); you know the drill.
I think Graeme Fowler summed it up pretty well and there isn't much that I
can add, except for throwing in a little bit from my own perspective and
experience:
As a contractor I service a lot of Sun servers. Not just Sun/Cobalts, but
also Netra's, Ultra's, the Enterprise Servers 3x00-6500 and E10K's. Just two
weeks ago I was sent to the HQ of one of the biggest banks in Europe. The
security there for getting into the server room where the hundreds of servers
were busily shifting the big bucks was as intense as you can imagine. It
required a lot of scrutiny and forms, pictures were taken and a face
recognition software at the entrance of the server room had to verify that
the cardholder for the ID card matched the person who's using the card. There
was a special door resembling an airlock which made sure only one person at a
time can enter (or leave) the server room. Additionally nobody is ever
allowed to enter the server room alone and the whole episode was filmed from
various angles as cameras monitor every corner and movement.
I sure expect less scrutiny and paranoia from an ISP, where less is at stake.
But if I have the slightest doubt in the respective ISPs professionality and
seriousness when it comes to entrusting them the operational activa of my
business, then I'm faster out of Dodge than you can say: "Whazzap??" ;o)
In my primary occupation as IT-contractor as well as in my business on the
sidelines I usually service between 2-6 customer machines per day on the
average. Sometimes people like us are forced to sign NDA's and other legal
framework before we get close to the machines, but in most cases it's less
than a handshake and a gentleman's agreement. The credentials, his integrity
and his business conduct are what a contractor lives on. If word spreads that
one of us behaved unethically or unlawfully, then you can imagine how fast word
of it starts to spread and how fast the customer base melts away.
But back to your input: The ROM kernel on the Cobalts is actually a nice
thing. It allows you to still access the machine even if it is almost
completely hosed. That the kernel can be employed from the front panel is a
sufficient security measure for me, as you have to press two buttons to make
it run. So it can't be pressed accidentally and I suppose that anyone
getting close to a server in a datacenter is supposed to know what he (or
she) is doing. If not, then it is just as Graeme Fowler said: YGWYPF (you get
what you pay for).
--
With best regards
Michael Stauber
SOLARSPEED.NET