Date: Sat, 27 Feb 1999 02:16:02 -0500 (EST)
From: <mike@seidata.com>
To: Julian Elischer <julian@whistle.com>
Cc: hackers@FreeBSD.ORG
Subject: Re: Cobalt blames linux for their security problems!
Message-ID: <Pine.BSF.4.05.9902270211230.4716-100000@ns1.seidata.com>
In-Reply-To: <Pine.BSF.3.95.990226192359.12223W-100000@current1.whistle.com>

On Fri, 26 Feb 1999, Julian Elischer wrote:

> There's a good idea.. use a free OS and then blame it for your problems..

Tell me about it... here's my response.

<quote>

In the recent (Feb. 25th) article, "Teenager Finds Web-Server Hole" by Polly Sprenger, I'd like to comment on the following quote:

"Vivek Mehra, vice president of product development at Cobalt, said the hole, which could give a hacker access to a history file documenting a user's activities, wasn't specific to their appliance, but to the Linux operating system. Righi disagreed and said RaQ's default settings are to blame."

Namely, I'd like to express 100% agreement... with Righi. Mr. Mehra's comment clearly shows a lack of technical prowess, and is hopefully not shared by Cobalt.

I can immediately think of three "quick fixes" to the history file hole... First, you can (as suggested) simply disable the history file, or symlink it so that no information is saved. This is a "work around", however, not a real fix. Two other (preferred) methods would be a.) place the administrative home and web server home under different directories and b.) configure Apache (the HTTP server Cobalt runs) to disallow web viewing of the history file.

Regardless of which method you choose, it is neither Linux' or Apache's fault. It's also not the shell's fault. It's Cobalt's fault.

We're all human. We all make mistakes. The difference between moving on after a mistake with maintained respect by your peers and wallowing in finger-pointing techniques that show your own stupidity is one that Mr. Mehra (hopefully not Cobalt as a whole) has apparently not yet grasped.

</quote>

I had actually looked into some of Cobalt's products... must say I've lost quite a bit of respect for them as a result of their response to this issue. Then again, what's to consider anyway... They don't run FreeBSD. ;)

--
Mike Hoskins
Systems/Network Administrator
SEI Data Network Services, Inc.
http://www.seidata.com

"In a world where an admin is rendered useless when the ball in his mouse has been taken out, it's good to know that I know UNIX." -- toaster.sun4c.net

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
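
The message above names three mitigations; the following audit sketch is an added example (not part of the original e-mail or of any Cobalt or Apache code) that checks a document root for two of them on disk. The history file names, the function names and the sample tree are assumptions made for illustration, and the Apache-side deny rule (fix b) is not inspected here because it lives in the server configuration.

```python
import os
import tempfile

# Assumed names; the message only says "the history file".
HISTORY_NAMES = {".bash_history", ".sh_history", ".history"}


def audit_docroot(docroot, admin_home):
    """Return (finding, path) tuples for a web document root."""
    findings = []
    docroot = os.path.realpath(docroot)
    admin_home = os.path.realpath(admin_home)
    # Fix (a): the administrative home should not sit inside the served tree.
    if os.path.commonpath([docroot, admin_home]) == docroot:
        findings.append(("home-under-docroot", admin_home))
    for dirpath, _dirnames, filenames in os.walk(docroot):
        for name in filenames:
            if name not in HISTORY_NAMES:
                continue
            path = os.path.join(dirpath, name)
            # Workaround: history symlinked to the null device saves nothing.
            if os.path.islink(path) and os.path.realpath(path) == os.devnull:
                findings.append(("history-disabled-by-symlink", path))
            else:
                # A regular history file in the served tree is readable over
                # HTTP unless the server is configured to deny it (fix b).
                findings.append(("history-exposed", path))
    return findings


def demo():
    """Build a constructed sample tree and return the finding kinds."""
    with tempfile.TemporaryDirectory() as root:
        web = os.path.join(root, "web")
        os.makedirs(os.path.join(web, "site2"))
        with open(os.path.join(web, ".bash_history"), "w") as fh:
            fh.write("constructed sample line\n")
        os.symlink(os.devnull, os.path.join(web, "site2", ".bash_history"))
        # Admin home and document root are the same directory in this sample.
        return [kind for kind, _ in audit_docroot(web, web)]


if __name__ == "__main__":
    print(demo())
```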