Bugtraq mailing list archives
Re: Wanted: hackers for tiger team (new england area)
From: alan () mid net (Alan Hannan)
Date: Sat, 8 Oct 1994 23:00:24 -0500 (CDT)
> Err I have to stick my (stupid) head up in support of Sun here... do you realise the scale of their operations? They have 10's of thousands of hosts, operations in countries from Dubai to Venezuela. The big problem with Sun is their lack of funding for proper security... they are too busy getting on with the company mission to slow down and do all that painful stuff that the crackers of the world make necessary.
I think it's important to remember that what seems like obvious security to people like me and Mark is viewed as stumbling blocks and workarounds by the vast majority of SUN's customers. It seems to me that either SUN should have developed their Solaris to encompass an in-place secure OS, and allow it to be downgraded, instead of what is shipped, or not publicly espouse their inadequacies in security. Perhaps I'm verging on the masses' favorite hobby of flaming, but this really seems foolish to me. The fact that a company/organization has a large number of hosts does little to excuse inadequacies in security. The fact that a large organization is subdivided and codivided into separate organizations with both communal and individual tasks is all that is needed to rebuff your defense. Simply: so what if they have a grandiose scheme if crackers can get in and steal their customers' intangible properties?
> Sun was started as a can-do sort of company with some great personnel, and they have a relaxed atmosphere that is conducive to producing the types of machines and systems that you like so much on your desks. Now,
If they're such a can-do company, then why was our order for 6 machines just pushed back (for the second time) for 45 days? I agree that we want the machines on our desks, but we want them this year. Perhaps this time-exclusive mentality has protruded from the security side, which is relatively lax in fixing security holes, into the sales department.
> back to the issue of contracting someone else's tiger team, the deal is Sun's internal security, the NSG, "Network Security Group" (name changes a lot :) consists of (and I quote) "NSG is me (Alec), Brad, Ken, Tim and Nick (the boss)". Not especially huge. I won't mention their patching system, it might explain too much. (Hi Mark). Now the NSG, being so small, has a damn hard job to do; they have to co-ordinate audits, secure new
So they have a small department. I'm sure I could demonstrate the inadequacies of this department in script execution time alone to adequately patch holes, let alone develop new security programs and audit themselves. So? Instead of excusing them, why are they not faulted? Bear in mind that I don't know it to be true that only 5 people do security for SUN. In fact, I doubt that to be true. But the fact that I've heard rumors that SUN has been incredibly hacked, disseminated, and patched does little to encourage mercy in critique of the security department.
> Before you jump at them, consider what they have to do and what they have to work with. They need more funding and fresh blood and a mental shakeup to clear the cobwebs. They are essentially preventative, and therein lies the greatest problem: you can only do so much with what you have, and with the amount of things to do, steps are missed. If new methods are created by dark hats then it can be a while before they learn about it and cover themselves.
Perhaps this is true, and this is why it is important to remember that we are critiquing both SUN and the executive decisions to invest only so much in security.
> And if you'd want to know exactly what the "doorknockers" are up to... ever considered logging keystrokes?

Now that's a new one.. Thanks!....
If this is an example of the revolutionary ideas being offered to SUN to secure their systems, then I'll volunteer my cat to head the team.
> > I trust /etc/hosts.equiv does not contain wildcards when shipped, do I assume correctly?

> Heh, I like that.
I like it too. Because, though it's not precisely true for all utilities, it is certainly true for a number of the utilities shipped in Solaris.

--
+ alan + ======\\ "Whenever people agree with me I always feel I must be wrong."
+ |\/| \\____________________________ - Oscar Wilde +
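As an added example (not part of the thread or of any Sun tooling), a small audit routine for the /etc/hosts.equiv wildcard concern raised above; the file content it scans is constructed, and the parsing rules assume the classic BSD r-services format.

```python
"""Flag wildcard trust entries in hosts.equiv / .rhosts style files.
Classic r-services format: '[+|-]host [[+|-]user]' per line; a bare '+'
in either field means "any", a leading '-' denies, '@name' is a netgroup.
Added example, not from the thread."""
from typing import List, NamedTuple, Optional

class Finding(NamedTuple):
    lineno: int
    entry: str
    issue: str

# Constructed sample; not a real vendor-shipped hosts.equiv.
SAMPLE_HOSTS_EQUIV = """\
# /etc/hosts.equiv -- constructed sample
+
+@trusted_hosts
fileserver.example.com
buildbox.example.com +
-badhost.example.com
+ root
"""

def audit_hosts_equiv(text: str) -> List[Finding]:
    """Return one Finding per entry that widens trust beyond a named host."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        fields = entry.split()
        host: str = fields[0]
        user: Optional[str] = fields[1] if len(fields) > 1 else None
        if host.startswith("-"):
            continue  # explicit denial, not a grant of trust
        if host == "+":
            who = "any user" if user == "+" else (f"user {user}" if user else "matching usernames")
            findings.append(Finding(lineno, entry, f"host wildcard: trusts every host for {who}"))
        elif user == "+":
            findings.append(Finding(lineno, entry, f"user wildcard: trusts every user on {host}"))
        elif any(f.lstrip("+").startswith("@") for f in (host, user or "")):
            findings.append(Finding(lineno, entry, "netgroup reference: trust depends on netgroup contents"))
    return findings

if __name__ == "__main__":
    for f in audit_hosts_equiv(SAMPLE_HOSTS_EQUIV):
        print(f"line {f.lineno}: {f.entry!r}: {f.issue}")
```

Run it against a real file with `audit_hosts_equiv(open("/etc/hosts.equiv").read())`; an empty result means no wildcard or netgroup trust was found.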
Current thread:
- Re: Wanted: hackers for tiger team (new england area) Andrew T. Robinson (Oct 01)
- Re: Wanted: hackers for tiger team (new england area) G.J.W. Hagenaars (Oct 01)
- <Possible follow-ups>
- Re: Wanted: hackers for tiger team (new england area) Tim Newsham (Oct 02)
- Re: Wanted: hackers for tiger team (new england area) Tim Newsham (Oct 02)
- Re: Wanted: hackers for tiger team (new england area) Brad Powell (Oct 03)
- Re: Wanted: hackers for tiger team (new england area) G.J.W. Hagenaars (Oct 03)
- Re: Wanted: hackers for tiger team (new england area) Mark (Oct 08)
- Re: Wanted: hackers for tiger team (new england area) Alan Hannan (Oct 08)
- Re: Wanted: hackers for tiger team (new england area) John P. Rouillard (Oct 09)
- Re: Wanted: hackers for tiger team (new england area) Valdis.Kletnieks () vt edu (Apr 29)
- Re: Wanted: hackers for tiger team Steve Edwards (Oct 11)
- Re: Wanted: hackers for tiger team (new england area) G.J.W. Hagenaars (Oct 03)
- This is amazing. *Hobbit* (Oct 03)
- Re: This is amazing. bmanning () isi edu (Oct 04)