
Re: Attack on CORE SRS



Kent and all,

Kent Crispin wrote:

> On Wed, Feb 18, 1998 at 11:22:04PM +1100, Adam Todd wrote:
> > At 20:58 17/02/98 -0500, Eugene Kashpureff wrote:
> > >See also:
> > >
> > >http://www.news.com/News/Item/0,4,19220,00.html?latest
> [...]>
> > I guess this means CORE is out of the running where the GREEN PAPER is
> > concerned.
>
> As the press release indicated, while the hardware was indeed the
> intended platform, it was still in a testing phase.  Security
> arrangements were not yet complete, pending completion of an audit by
> an outside agency.

  So?  This doesn't excuse the fact that there was pretty bad security in
place.
Not only that, but this certainly doesn't meet your own MoU standards.  You
shouldn't be testing until your physical security is in place.  That is just
plain bad management and decision making.

>
>
> > They certainly didn't cope well with the SECURITY requirements.
>
> They coped pretty damn well, under the circumstances -- total downtime
> was under 30 hours.  With the final production configuration,
> safeguards, and backup systems in place that would be much less.

  30 hours of downtime out of how many total YEARS of operation?  We don't
have that many hours of downtime in two years.  GOOD LORD!

>
>
> Remember that this was not DNS -- the CORE DNS servers are widely
> distributed.  This was the back-end database machine.  In production
> the impact would have been a 29 hour delay in registrations, which
> would be queued at the registrars.  There would have been no impact
> on the net at all.

   Thank goodness for that!  So far it doesn't look like the backend database servers
are anywhere near ready for production.

>
>
> > Guess this has to bring into question whether CORE, who raised by my estimates
> > over $1.5 million dollars in the last few months, had ever intended meeting
> > the required security requirements.
>
> Actually, the security requirements in the Green Sheet were largely
> duplicated from the security requirements in the CORE RFP.  There is
> no question but that the CORE SRS will easily meet the security
> requirements of the GP.

  From this article, you sure can't tell it!

>
>
> The circumstances of this attack were rather unusual, to say the
> least.  That fact will be carefully considered in the final security
> configuration.  In this sense the attackers have done us a favor.

  Maybe they have.  This remains to be seen, depending on how and what
exactly the adjustments you make are.  So far, your batting average is
sub par!

>
>
> --
> Kent Crispin, PAB Chair                 "No reason to get excited",
> kent@songbird.com                       the thief he kindly spoke...
> PGP fingerprint:   B1 8B 72 ED 55 21 5E 44  61 F4 58 0F 72 10 65 55
> http://songbird.com/kent/pgp_key.html
>
> --
> DOMAIN-POLICY administrivia should be sent to <listserv@lists.internic.net>
> To unsubscribe send a message with only one line "SIGNOFF DOMAIN-POLICY"
> For more help regarding Listserv commands send the one line "HELP"

 Regards,

--
Jeffrey A. Williams
DIR. Internet Network Eng/SR. Java/CORBA Development Eng.
Information Network Eng. Group. INEG. INC.
E-Mail jwkckid1@ix.netcom.com