Hi Nico, > What good would physical access to any 'standard' (ie. no RaQ or equivalent > with all kinds of nifty buttons on the front) server do without any or all > of the following: > > - serial cable connected to laptop/desktop > - ethernet connected to laptop/desktop > - screwdriver > - axe > - etc... > > as far as "changing software specifications" on that server is concerned? > With that, I mean: load a different kernel, install software (rootkits, > trojans, etc.); you know the drill.
I think Graeme Fowler summed it up pretty well and there isn't much that I can add, except from throwing in a little bit from my own perespective and experience: As a contractor I service a lot of Sun servers. Not just Sun/Cobalts, but also Netra's, Ultra's, the Enterprise Servers 3x00-6500 and E10K's. Just two weeks ago I was sent to the HQ of one of the biggest banks in Europe. The security there for getting into the server room where the hundrets of servers were busily shifting the big bucks was as intense as you can imagine. It required a lot of scrunity and forms, pictures were taken and a face recognition software at the entrance of the server room had to verify that the cardholder for the ID card matched the person who's using the card. There was a special door resembling an airlock which made sure only one person at a time can enter (or leave) the server room. Additionally nobody is ever allowed to enter the server room alone and the whole episode was filmed from various angles as cameras monitor every corner and movement. I sure expect less scrunity and paranoia from an ISP, where less is at stake. But if I have the slightest doubt in the respective ISPs professionality and seriousness when it comes to entrusting them the operational activa of my business, then I'm faster out of dodge than you can say: "Whazzap??" ;o) In my primary occupation as IT-contractor as well as in my business on the sidelines I usually service between 2-6 customer machines per day on the average. Sometimes people like us are forced to sign NDA's and other legal framework before we get close to the machines, but in most cases it's less than a handshake and a gentlemans agreement. The credentials, his integrity and his business conduct are what a contractor lives on. If word spreads that one of us behaved unethically or unlawful, then you can imagine how fast word of it starts to spread and how fast the customer base melts away. But back to your input: The ROM kernel on the Cobalts is actually a nice thing. It allows you to still access the machine even if it is almost completly hosed. That the kernel can be employed from the frontpanel is a sufficient security measure for me, as you have to press two buttons to make it run. So it can't be pressed accidentially and I suppose that anyone getting close to a server in a datacenter is supposed to know what he (or she) is doing. If not, then it is just as Grame Fowler said: YGWYPF (you get what you pay for). -- With best regards Michael Stauber SOLARSPEED.NET _______________________________________________ cobalt-security mailing list [EMAIL PROTECTED] http://list.cobalt.com/mailman/listinfo/cobalt-security
