Sun Microsystems Leaks extensive Amounts of Information About Its

[RobsonK () EBRD COM (Robson, Ken)]

Hi Folks,

I have just been scouring Sun's Bug Reports for some information and I
discovered that you can easily trawl for useful information about both Sun
and its clients.  Information exposed includes:-

*       Copies of /etc/passwd (i.e. user names)
*       Copies of /etc/shadow (i.e. encrypted passwords)
*       Configuration of network services (i.e. inetd.conf)

It is trivial to put together searches that glean this for some of their
customers.  Whilst the contract services restrictions are in place for
accessing these accounts, logins must be in wide circulation.  I know 3 or 4
accounts from various past employers myself.

When logging a support call I do not often consider what might happen to the
call notes.  I am sure that Sun are not the only company doing this and this
is not aimed at Sun in particular, they are just an example.  Serious
consideration should be given to what information you are prepared to pass
to those who support you - do you trust the rest of their customers (at
best) or the entire internet (at worst).

Anyway not earth shattering but food for thought.

Regards,

Ken.

PS - Please do not interpret the domain that this mail comes from as any
indication that I work for the European Bank for Reconstruction &
Development.  I in fact contract to Hewlett Packard and am simply based at
the bank - all the opinions expressed above are my own and have nothing to
do with either of these organisations.