Re: [cobalt-security] SUN don't care about security update ?



"Simon Wilson" <simon@xxxxxxxxxxxxx> wrote:
> A direct quote from Cobalt's website. You see the last bit "everything
> you need to begin hosting now".

For reference, Simon's referring to
http://www.cobalt.com/products/raq/index.html.

> Well read that as "everything you need provided you don't need it to be
> secure and don't mind if it gets hacked within 24 hours"

It's like my Cannondale mountain bike.  Cannondale's marketing material
could have said "everything you need to begin riding now".  And if I didn't
do my homework I might believe it.  I had to buy special shoes for my
clipless pedals.  I had to buy a helmet so I could safely (well more safely)
ride off-road.  I had to buy a U-lock so I could lock it up without someone
easily stealing it.  And I had to buy repair kits, spare parts, maintain it
and take it in for service periodically.  Plus I bought riding gloves and
biking shorts to make the ride more comfortable.  See some analogies?

> I bought a RAQ4. It's the first server I ever bought; I knew nothing about
> Linux, servers, dns, nothing. I bought it to host websites for my small
> business. Within one week of subscribing to this list, reading manuals,
> researching on the web, I realised that it is totally insecure.

As are most *nix operating systems (and MS operating systems) out of the
box.  At least you realized it quickly.

> My point is: had the advertising been honest, had it said on the box -
> "looks good, nice spec but open door to hackers" I never would have
> touched it.

Other than in drug ads, when have you ever seen an advertisement that
prominently displayed its weaknesses?  It's not smart advertising.  IMO, the
servers could be made more secure out of the box.  Given how many problems
some Cobalt owners have with setting up a basic site, DNS or an email alias
through the GUI I can only imagine the nightmares that will be encountered
when inexperienced administrators start mucking around with the security
GUI, if there ever is one.

> In English law a product must be fit to perform the purpose for which it
> is sold. The RAQ4 out of the box is not fit to host websites.

Re-read the marketing materials.  I think the purpose is very clear and I
think that the RaQs are fit to do what is described.  IANAL, but I think you
may be reading a lot more into the promises than are really there.

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/