On Thu, 31 Dec 1998, Mike Pelley wrote:

> Hello Bugtraq.
> I work for WindDance Networks Corporation. While developing our Breeze
> Network server mentioned in a previous message, we were interested in having
> some 'friendlies' try out the Breeze and offer suggestions regarding
> additional potential functionality requirements for their clients and
> others. As our current president, Rainer Paduch, was previously the
> president and vice-chairman of iStar before it was acquired by PSINet, he
> asked if they would take a look at our prototype. They accepted, so I made
> an image of one of our development machines for them to check out and
> recommend features/changes.

I did my recommendations.

> A few weeks later Mr. Vardomskiy (Stany) called me and mentioned some
> security concerns, which he has outlined in his previous message. I
> explained that the version of the Breeze he received was not intended for
> customers, and most of the issues he mentioned were well known and the way
> they were because this was an image of my development machine and not a
> production machine. I explained that we had some things to work on, and
> that we had a security review planned after we had ensured that the machine
> was stable and functional.

For starters let me make something clear. I am not blaming anyone specifically for the problems with the server. Such things happen. However I do express concern that the update that was promised to me as a representative of PSInet was not received in a timeframe. If there would have been a major security hole found in a major product of any other companies with which WindDance attempts to compete, everything possible would have been done to fix the problem ASAP. Even Microsoft releases hot-fixes.

I am hoping not to begin a flame war or anything, but here are my concerns:

After doing software development for a rather long time, I have noticed that very often the security of the software package or system is implemented in exactly the same way as you describe - as an afterthought. This results in a number of security holes that are very hard to plug during the security review, and usually most of the holes are overlooked. The product is rushed to the market, the management is concerned about the due dates or contracts that were already signed, and as a result the final security review either doesn't happen at all, or happens in a rushed manner.

I am concerned that the web server in WindDance's package runs as root and doesn't drop its privileges - If you have written all your scripts to assume that the server is root, then you will have to rewrite them all during your security audit, which will result in delays to shipping the product to the market, as essentially you will be re-implementing the product anew (with corresponding time requirements).

I am concerned that you have daemons running that do not do error checking and just assume that the data fed to them is correct - in your current implementation they seem to be a cornerstone of your set-up, and in spite of the problems with them, are you willing to go and re-write them all during the security audit, and while having your managers standing and looking over your shoulder, attempting to speed things up (but in fact just slowing things down)?

> I am distressed that Mr. Vardomskiy has misrepresented the status of the
> machine he received and I do not understand why he was confused after our
> conversation on the phone. We have since created a beta release image of
> the Breeze. I did not promise to contact Mr. Vardomskiy, but I did mention
> that we would soon have a newer load available and would be happy to send it
> over if PSINet had time to evaluate it.

I am not going to argue, but I have to say for myself that I am happy that the problems with the current set-up have been made public. It happens too often that only under the pressure of the public knowledge many security holes and design flaws eventually get fixed. The server as marketed is a sealed box - intended users probably do not have the technical expertise to get into the system to find out what drives it from inside. As a result there is no guarantee that the system as shipped will be fixed at all - the end users are not supposed to find out after all, should they?

If WindDance is interested in continued evaluation of Breeze product, then the best person to ship the updates for the system would most likely be Gert-Jan Hagenaars (gjat_private), Senior System Administrator, PSInet Canada, as I am leaving the company.

> If anyone has any specific questions about the Breeze or the issues
> mentioned before please contact me anytime.
>
> Mike Pelley
> System Designer
> WindDance Networks
> (613) 728-1700 x 15
> mikepat_private

Happy New Year.

//Stany, stanyat_private
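
The message above raises the concern of a web server that runs as root and never drops its privileges. As an added illustration (not part of the original message and not WindDance's code), this C routine shows the start-as-root, then-drop pattern with the checks that are commonly missed. The name `drop_privileges` and the unprivileged uid/gid 65534 are assumptions chosen for the example.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently give up root. Returns 0 on success, -1 on any failure.
 * On -1 the caller must exit rather than keep serving requests as root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {      /* a root target is a configuration error */
        errno = EINVAL;
        return -1;
    }
    /* Order matters: clearing supplementary groups and changing the gid
     * both need root, so they come before setuid(), which gives root up. */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* Verify the drop cannot be undone: regaining uid 0 must now fail. */
    if (setuid(0) == 0 || seteuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    /* Verify real and effective ids all match the requested account. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Work that needs root (binding port 80, opening log files) goes here,
     * before the drop. Everything that touches client data comes after it. */
    if (drop_privileges(65534, 65534) != 0) {   /* 65534: assumed "nobody" */
        perror("drop_privileges");
        return 1;                               /* refuse to run as root */
    }
    printf("serving as uid=%ld gid=%ld\n", (long)getuid(), (long)getgid());
    return 0;
}
```

Scripts and helper daemons started after the drop inherit the unprivileged ids, so they have to be written without the assumption that the server is root.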