[8893] in bugtraq
Re: Breeze Network Server remote reboot and other bogosity.
daemon@ATHENA.MIT.EDU (owner-bugtraq@NETSPACE.ORG)
Fri Jan 1 17:04:24 1999
Date: Thu, 31 Dec 1998 22:32:56 -0500
X-To: Mike Pelley <mike@pelley.com>
From: <owner-bugtraq@NETSPACE.ORG>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <000b01be351b$0a2d90a0$0200000a@terminus.intranet.int>
On Thu, 31 Dec 1998, Mike Pelley wrote:
> Hello Bugtraq.
> I work for WindDance Networks Corporation. While developing our Breeze
> Network server mentioned in a previous message, we were interested in having
> some 'friendlies' try out the Breeze and offer suggestions regarding
> additional potential functionality requirements for their clients and
> others. As our current president, Rainer Paduch, was previously the
> president and vice-chairman of iStar before it was acquired by PSINet, he
> asked if they would take a look at our prototype. They accepted, so I made
> an image of one of our development machines for them to check out and
> recommend features/changes.
I did my recommendations.
> A few weeks later Mr. Vardomskiy (Stany) called me and mentioned some
> security concerns, which he has outlined in his previous message. I
> explained that the version of the Breeze he received was not intended for
> customers, and most of the issues he mentioned were well known and the way
> they were because this was an image of my development machine and not a
> production machine. I explained that we had some things to work on, and
> that we had a security review planned after we had ensured that the machine
> was stable and functional.
For starters let me make something clear. I am not blaming anyone
specifically for the problems with the server. Such things happen.
However I do express concern that the update that was promised to me as a
representative of PSInet was not received in a timeframe. If there would
have been a major security hole found in a major product of any other
companies with which WindDance attempts to compete, everything possible
would have done to fix the problem ASAP. Even Microsoft releases
hot-fixes.
I am hoping not to begin a flame war or anything, but here are my
concerns: After doing software developement for a rather long time, I
have noticed that very often the security of the software package or
system is implemented in exactly the same way as you describe - as an
afterthought. This results in a number of security holes that are very
hard to plug during the security review, and usually most of the holes are
overlooked. The product is rushed to the market, the management is
concerned about the due dates or contracts that were already signed, and
as a result the final security review either doesn't happen at all, or
happens in a rushed manner.
I am concerned that the web server in WindDance's package runs as root and
doesn't drop it's privileges - If you have written all your scripts to
assume that the server is root, then you will have to rewrite them all
during your security audit, which will result in delays to shipping the
product to the market, as essentially you will be re-implementing the
product anew (with corresponding time requirements). I am concerned that
you have daemons running that do not do error checking and just assume
that the data fed to them is correct - in your current implementation they
seem to be a cornerstone of your set-up, and inspite of the problems with
them, are you willing to go and re-write them all during the security
audit, and while having your managers standing and looking over your
shoulder, attempting to speed things up (but in fact just slowing things
down).
> I am distressed that Mr. Vardomskiy has misrepresented the status of the
> machine he received and I do not understand why he was confused after our
> conversation on the phone. We have since created a beta release image of
> the Breeze. I did not promise to contact Mr. Vardomskiy, but I did mention
> that we would soon have a newer load available and would be happy to send it
> over if PSINet had time to evaluate it.
I am not going to argue, but I have to say for myself that I am happy that
the problems with the current set-up have been made public. It happens
too often that only under the pressure of the public knoweledge many
security holes and design flaws eventually get fixed. The server as
marketed is a sealed box - intended users probably do not have the
technical expertise to get into the system to find out what drives it from
inside. As a result there is no guarantee that the system as shipped
will be fixed at all - the end users are not supposed to find out after
all, should they?
If WindDance is interested in continued evaluation of Breeze product,
then the best person to ship the updates for the system would most
likely be Gert-Jan Hagenaars (gj@istar.ca), Senior System Administrator,
PSInet Canada, as I am leaving the company.
> If anyone has any specific questions about the Breeze or the issues
> mentioned before please contact me anytime.
>
> Mike Pelley
> System Designer
> WindDance Networks
> (613) 728-1700 x 15
> mikep@winddance.net
Happy New Year.
//Stany, stany@notbsd.org