At 11:28 AM 3/19/2002, you wrote:
>>I am not jumping into this discussion as "the official voice" of Sun
>>with regards to security updates, our short/long term strategies on
>>providing patches, etc. I just feel that some sort of commentary from
>>within is appropriate here as the rumors and accusations are starting to
>>get a little out of control. This is my only statement, and I will not
>>be replying to this thread after this one comment.
>>
>>Sun Cobalt server appliances (Qube, RaQ) are just that -- appliances.
>>They are purpose-built, pre-integrated combinations of hardware and
>>software which deliver a fixed set of services, and are designed to be
>>operated via the web interface. We did not "lock down" the appliance
>>like many of our competitors do, so that the end users _are_ able to get
>>shell access, and _are_ able to make their own modifications if they
>>desire. But it is unreasonable to expect a manufacturer to support any
>>random changes made by end users. Will GE support you if you decide to
>>turn up the wattage in your microwave, or to use another list member's
>>favorite terminology, would Kenmore still support you if you tweaked
>>your washing machine motor to add a "superfast" spin cycle? No.
>>Manufacturers support purpose-built systems "as shipped." While
>>modifications are not prevented, they are not necessarily encouraged,
>>and definitely not supported.
>
>It is expected that they would provide security updates in a timely manner
>to fix security problems within the appliance as shipped. That is not too
>much to expect. I do understand that there are other venues for additional
>software that is NOT SUPPORTED by the guys in Europe and that there was a
>problem with them using a .cobalt.com address and have now moved to
>another url. I am not asking for support for their packages. I just want
>support for my little appliance as shipped. Granted without a firewall or
>other package, the machine doesn't stay online long before being modified
>by a hacker. There could be a bit more done though. Everyone has been
>reporting problems with zlib lately. Is it a problem on a Cobalt
>system? If it is, why has it not been fixed? I am not asking for a fix
>to ssh. Is there a problem with php as shipped on the system? Why has it
>not been fixed? Yes, there are fixes to php and ssh on pkgmaster.com, but
>they are not supported. php was shipped on the system, was it not? I am
>willing to accept most of your statement, BUT, I am not happy about Sun
>Cobalt not fixing security problems with the appliance as shipped.
>
>If the system is to be shipped as you state as not being "locked down",
>fine. Spell that out to us on the web site. Tell us it is vulnerable to
>security problems and that Sun Cobalt will NOT be providing support or
>updates to fix those vulnerabilities. Tell us that as a browser based GUI
>a person still needs to know Linux to maintain the system in a secure
>state and that it can NOT be done via the provided GUI. Once that is
>done, maybe some third party will provide fixes for the Cobalt machines
>that you refuse to fix. Just like Norton and Central Point used to make
>enhancements for Windows. Now we will have xyz company providing us with
>fixes for our Cobalt system.
>
>Just state something up front and give us the means to take care of our
>systems. Many of us bought the systems with the understanding that it
>could be maintained via the GUI. We also were led to believe that they
>were somewhat secure. A machine out of the box can be hacked within
>minutes of being put on line. This is absolutely stupid and personally I
>think it is probably a liability to Sun.

If Sun ever came out with a list of how many security holes there are in the OS no one would buy it. Yep, Sun does have a huge liability, but try to get them to admit to it.
>_______________________________________________
>cobalt-security mailing list
>[EMAIL PROTECTED]
>http://list.cobalt.com/mailman/listinfo/cobalt-security
