On Tue, 10 Jan 2006, Christopher Mahan wrote:

> Dear Darren,
>
> Topposting for effect.
>
> You write below: "I will not be changing this in Solaris."
>
> What? You are the final arbiter of what goes into Solaris?
>
> People are coming forward with concern about safety and system
> integrity, and you rebuff them with the "Go play with your marbles on
> the other side of the courtyard and leave the big boys to the serious
> business" attitude?
>
> I work at a fortune 200, in healthcare, and we are a large Sun
> customer. Let me tell you how it is from the trenches: Sun stuff
> sucks. It's much better than Microsoft or IBM, but it still blows
> chunks.
> We're using Solaris 8, and most of the admins here are clueless,
        ^^^^^^^^^^^^^^^

There's your problem ... right there!  Sorry to be a smart ass ... but we
recently had a Solaris 8 box root kitted - and I'm on record, with many of
our clients, telling them that it's almost impossible to keep Solaris 8
correctly patched - since there are hundreds and hundreds of patches issued
against it.

It was our *only* box still running Solaris 8 - and it was used to produce
SPARC binaries only for our clients who are *still* running Solaris 8.

The user/developer experience is so much better on Solaris 10 - to the
point where one should not equate any characteristics of "Solaris" with
Solaris 8.

> asking us inane stuff like hardcoding our user passwords in scripts
> because policy says that we cannot have service accounts (not that I
> am following their advice, mind you). Now, there are a host of
> issues, and for brevity's sake, I will not mention them. Let me just
> tell you that Sun's stuff is what I use when I absolutely have no
> other option. I run Debian stable for my own stuff and it's so much
> better for me, lemme tell you.
>
> So when someone comes along, on their dime, and raises issues about
> security and system integrity, and not being uppity and all "We are
> the BEST company in the world Yayes!" (which if you want more of
> please navigate to http://blogs.sun.com/roller/page/mary), and asking
> in a mild manner and with the spirit of cooperation, whether a tool
> used specifically for enhanced security (SSH) can have a particular
> option, at the very least I expect you to demonstrate professional and
> respectful demeanor.
>
> On the particular issue, I would consider a flag, such as "Disable OS
> Identification to client" to be an acceptable option for all parties
> to consider.

Hiding the identity of the host running SSH will do little or nothing in
terms of improving that box's ability to fend off a determined hacker.  It
may slow down a script kiddie type attacker - since they will now need to
run more automated attacks than if the OS version was immediately
evident.  So you gain ... what?  The time it takes them to type in the name
of the next shell script(s) that'll mount the next attack sequence.

And the downside to what you are proposing is that it'll break standards.
So basically, you're asking for a change with questionable, if indeed any,
benefits, that will break standards.  It will not pass muster - regardless
of who does the technical review.

I can understand Darren M saying that he won't be working on it, because:

- it's a very bad use of his (talented developer) time.
- there is other, more pressing, work to be done that'll bring more benefit
to the OpenSolaris user community.
- it'll break standards
- it won't pass technical review; why even try to have it reviewed.
- if it is really important to someone, they can modify the code
themselves

As an aside, the whole topic of hiding the identity of processes, as a
means of improving security, is highly questionable.  I see it often cited:

- hide the revision string of Bind
- hide the version string of Sendmail
- hide the DNS name of a host
.....

It buys you little or nothing, in terms of improving your computer
security.  <sarcasm> Well, maybe it buys you something if your DNS naming
convention is 'credit-card-oracle-9-db-server' </sarcasm>.


> Now, to be fair, you may have been having a bad day. We all do from
> time to time. Just don't let your bad day affect the eagerness of
> participants to make this OS/distro better.
>
> Sincerely,
>
> Christopher Mahan
> [EMAIL PROTECTED]

Regards,

Al Hopper  Logical Approach Inc, Plano, TX.  [EMAIL PROTECTED]
           Voice: 972.379.2133 Fax: 972.379.2134  Timezone: US CDT
OpenSolaris.Org Community Advisory Board (CAB) Member - Apr 2005
_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org
