Mailing List Archive


Re: tlug: 2.2.14 Vs. TurboLinux



On Wed, 26 Apr 2000, Scott M. Stone wrote:

> we just have Workstation, Server, and Cluster Server here in the States.
> Haven't seen Cluster Server yet.  I wonder if they're going to play up the
> big security hole in Redhat's 'piranha' (web/ftp clustering software)
> now..

Having read all the posts regarding that on Bugtraq, I think the ISS
announcement was, well, rather overdone.  That was a poor choice of a
default password, but hardly qualifies as a backdoor.  Red Hat has also
stated that it was in fact documented with instructions to change it (I
have not independently verified if it is or not).  There was also a
comment made (I don't recall by who) to the effect that if you deploy
something on the web without reading the docs, you are at least partly
responsible for anything bad that happens to you as a result thereof.  I
can't particularly argue with that.  RTFM is still good advice.

Anyway, not even Microsoft would do something as stupid as to try to
make a backdoor that way, especially when the source is available.  Even
MS hides their backdoors better and protects them with nice little
passwords that call Netscape engineers wienies :-)

As soon as this weak default password in Piranha was reported, Red Hat
created and released an updated package, so this is basically already a
non-issue except for those who have not changed that default password.
And now that this is a known issue, they better hurry.  The script
kiddies will come calling soon enough.

Web-based configuration systems in general make me nervous, though.  It
just leaves you with that many more chances for a hole to exist and be
exploited.  I'm only totally comfortable with them if they are
firewalled off, or they only work from localhost.

Jonathan

--------------------------------------------------------------------
Next Technical Meeting: May 13 (Sat) 13:30 Temple University Japan
* Topic: Crypto and Security	Speaker: Chris Sekiya
Next Nomikai Meeting: June 16 (Fri), Tengu TokyoEkiMae.
--------------------------------------------------------------------
more info: http://www.tlug.gr.jp        Sponsor: Global Online Japan

