
Re: [cobalt-security] SUN don't care about security update ?



At 06:27 AM 3/20/2002, you wrote:
You did not buy a car without brakes, you bought a car without getting a
driver's license first.

Well, although I agree on the statement that Sun Cobalt should maybe put
more effort in patching leakages, because they deliver a full product
including the software, I think you overreact now. I guess they can expect
the machines to be operated by skilled professionals. It's not a My First
Sony. Part of the skill would be to understand to a certain level the kind
of threat that exists for a full-service server, and that this threat
exists from the moment you put the network cable in.

The lemon law would apply to the cobalt boxes if they were a car.

Of course no one can know everything, but I would expect you to know the basic
operation skills needed to secure the machine to quite a high level, so
stopping telnet, starting (and securing) sshd, putting on some kind of
firewall or portsentry, checking logs, blocking machines, using tools like
tripwire etc. etc.

That's like going to buy a car and the salesman says "hey, it drives itself, just turn the key and go", then later you find out you were told a half truth.... Assumptions make both parties look bad no matter how you look at it.


When you buy a totally equipped holiday van, "ready to take you anywhere you
like", you can't complain if you hit the first tree because you don't know
how to drive it.

Jelmer
----- Original Message -----
From: "Simon Wilson"

> Home to as many as 200 websites or a single, powerful dedicated server.
> If you're a service provider, the Sun Cobalt RaQT server appliance is
> the alternative to "big iron" servers. The Sun Cobalt RaQ server
> appliance includes everything you need to begin hosting now.
>
>
> A direct quote from Cobalts website. You see the last bit "everything
> you need to begin hosting now".
> Well read that as "everything you need provided you don't need it to be
> secure and don't mind if it gets hacked within 24 hours"
>
> I bought a RAQ4, it's the first server I ever bought, I knew nothing about
> Linux, servers, dns, nothing. I bought it to host websites for my small
> business. Within one week of subscribing to this list, reading manuals,
> researching on the web, I realised that it is totally insecure. I had
> bought a car without brakes, a house without doors, I might as well have
> left it lying in the street with a sign on it saying "nick me". Since
> that time I have had to learn very quickly all about the security issues
> and thanks to many people on this list I think my server stays
> reasonably secure.
>
> My point is: had the advertising been honest, had it said on the box -
> "looks good, nice spec but open door to hackers" I never would have
> touched it.
>
> In English law a product must be fit to perform the purpose for which it
> is sold. The RAQ4 out of the box is not fit to host websites.
>
>
> __________________________________________
> Simon
>
>
>
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>