Re: Wanted: hackers for tiger team (new england area)

[alan () mid net (Alan Hannan)]

> Err I have to stick my (stupid) head up in support of sun here... do you
> realise the scale of their operations? They have 10's of thousands of
> hosts, operations in countries from dubai to venezuala. The big problem
> with sun is their lack of funding for proper security... they are too
> busy getting on with the company mission to slow down and do all that
> painful stuff that the crackers sof the world make nescessary.

        I think it's important to remember what seems like obvious security
to people like me and Mark, is viewed as stumbling blocks and workarounds
by the vast majority of SUN's customers.  It seems to me that either SUN
should have developed their Solaris to encompass an in-place secure OS,
and allow it to be downgraded, instead of what is shipped, or not publically
espouse their inadequacies in security.  Perhaps I'm verging on the masses
favorite hobby of flaming, but this really seems foolish to me..  The fact that
a company/organization has a large amount of hosts does little to excuse
inadequacies in security.  The fact that a large organization is subdivided
and codivided into separate organizations with both communal and individual
tasks is all that is needed to reuff your defense.  Simply: So what if they
have a grandiose scheme if crackers can get in and steal their customers
intangible properties?

> Sun was started as a can-do sort of company with some great personnel,
> and they have a relaxed atmosphere that is conducive to producing the
> types of machines and systems that you like so much on your desks. Now,

        If they're such a can do company, then why was our order for 6 machines
just pushed back (for the second time) for 45 days?  I agree that we want the 
machines on our desk, but we want them this year.  Perhaps this time exclusive
mentality has protruded from the security side which is relatively lax in
fixing security holes, and into the sales department.

> back to the issue of contracting someone elses tiger team, the deal is
> suns internal security the NSG, "Network Security Group" (name changes
> a lot :) consists of (and I quote) "NSG is me (Alec), Brad, Ken, Tim
> and Nick (the boss)". Not especially huge. I wont mention their patching
> system, it might explain too much. (Hi Mark). Now the NSG, being so small
> has a damn hard job to do, they have to co-ordinate audits, secure new

        So they have a small department.  I'm sure I could demonstrate
the inadequcies of this department in script execution time alone to 
adequately patch holes, let alone develop new security programs and audit
themselves.  So?  Instead of excusing them, why are they not faulted?  Bear
in mind that I don't know it to be true that only 5 people do security
for SUN.  In fact, I doubt that to be true.  But the fact that I've heard
rumors that SUN has been incredibly hacked, disseminated, and patched, does
little to encourage mercy in critique of the security department.

> Before you jump at them, consider what they have to do and what they have
> to work with. They need more funding and fresh blood and a mental shakeup
> to clear the cobwebs. They are essentially preventative and therein lies
> the greatest problem, you can only do so much with what you have, with
> the amount of things to do, steps are missed. If new methods are created
> dark hats then it can be a while before they learn about it and cover
> themselves.

        Perhaps this is true, and this is why it is important to remember that
we are critiquing both SUN and the executive decisions to invest only so much
in security.

> > And if you'd want to know exactly what the "doorknockers" are up to...
> > ever considered logging keystrokes?
>
> Now thats a new one.. Thanks!....

If this is an example of the revolutionary ideas being offered to SUN to secure
their systems, then I'll volunteer my cat to head the team.

> > I trust /etc/hosts.equiv does not contain wildcards when shipped, do I
> > assume correct?
>
> Heh, I like that.

I like it too.  Because, though it's not precisely true for all utilities, it
is certainly true for a number of the utilities shipped in Solaris.

-- 
+ alan                                                                  +
======\\ "Whenever people agree with me I always feel I must be wrong." +
 |\/|  \\____________________________             - Oscar Wilde         +