sunsolve.database.txt

1999-08-17T00:00:00
ID PACKETSTORM:11962
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
`Date: Tue, 11 May 1999 19:22:59 +0100  
From: "Robson, Ken" <RobsonK@EBRD.COM>  
To: BUGTRAQ@netspace.org  
Subject: Sun Microsystems Leaks extensive Amounts of Information About Itself   
& It's Customers Through Its Sunsolve Database...  
  
Hi Folks,  
  
I have just been scouring Sun's Bug Reports for some information and I  
discovered that you can easily trawl for useful information about both Sun  
and its clients. Information exposed includes:-  
  
* Copies of /etc/passwd (i.e. user names)  
* Copies of /etc/shadow (i.e. encrypted passwords)  
* Configuration of network services (i.e. inetd.conf)  
  
It is trivial to put together searches that glean this for some of their  
customers. Whilst the contract services restrictions are in place for  
accessing these accounts, logins must be in wide circulation. I know 3 or 4  
accounts from various past employers myself.  
  
When logging a support call I do not often consider what might happen to the  
call notes. I am sure that Sun are not the only company doing this and this  
is not aimed at Sun in particular, they are just an example. Serious  
consideration should be given to what information you are prepared to pass  
to those who support you - do you trust the rest of their customers (at  
best) or the entire internet (at worst)?  
  
Anyway not earth shattering but food for thought.  
  
Regards,  
  
Ken.  
  
PS - Please do not interpret the domain that this mail comes from as any  
indication that I work for the European Bank for Reconstruction &  
Development. I in fact contract to Hewlett Packard and am simply based at  
the bank - all the opinions expressed above are my own and have nothing to  
do with either of these organisations.  
  
-----------------------------------------------------------------------------  
  
Date: Wed, 12 May 1999 09:56:00 -0700  
From: Alan Coopersmith <alanc@GODZILLA.EECS.BERKELEY.EDU>  
To: BUGTRAQ@netspace.org  
Subject: Re: Sun Microsystems Leaks extensive Amounts of Information About Itself & It's Customers Through Its Sunsolve Database  
  
> When logging a support call I do not often consider what might happen to the  
> call notes. I am sure that Sun are not the only company doing this and this  
> is not aimed at Sun in particular, they are just an example. Serious  
> consideration should be given to what information you are prepared to pass  
> to those who support you - do you trust the rest of their customers (at  
> best) or the entire internet (at worst)?  
  
The actual service order notes are not available to customers through SunSolve  
- but parts of bug reports that may be generated by them are. At least a few  
years ago when I worked in SunService they reminded us not to put customer  
information in the public part of bug reports, but there was no review system  
to make sure we didn't screw up. If you want to protect yourself, make sure  
that if your call results in a bug report you go to SunSolve and review the  
public copy to make sure there's nothing in there you wouldn't want others to  
see and if there is, call up your service rep and make them move it to the  
sun-internal-access-only section of the bug report.  
  
Disclaimer: I no longer work in Tech Support at Sun and do not and cannot  
speak for SunService or whatever they're called after the latest "realignment  
of the Sun planets".  
  
--  
________________________________________________________________________  
Alan Coopersmith alanc@godzilla.EECS.Berkeley.EDU  
Univ. of California at Berkeley http://soar.Berkeley.EDU/~alanc/  
aka: alanc@{CSUA,OCF,CS,BMRC,EECS,ucsee.eecs,cory.eecs}.Berkeley.EDU  
  
`
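
Added example, not part of the original thread or of any vendor tooling: a check in the spirit of the advice above to review the public copy of a bug report, flagging and redacting lines shaped like /etc/passwd, /etc/shadow and inetd.conf entries. The field layouts are the standard ones; the function names and the sample text are constructed for illustration.

```python
import re

# /etc/passwd: name:pw:uid:gid:gecos:home:shell (7 fields, numeric uid and gid)
PASSWD = re.compile(r"^[^:\s]+:[^:]*:\d+:\d+:[^:]*:[^:]*:[^:]*$")
# /etc/shadow: name:hash:lastchg:min:max:warn:inactive:expire:flag (9 fields)
SHADOW = re.compile(r"^[^:\s]+:[^:]*:\d*:\d*:\d*:\d*:\d*:\d*:[^:]*$")
# inetd.conf: service socket-type protocol wait-status user program [args]
INETD = re.compile(
    r"^\S+\s+(stream|dgram|raw|tli)\s+\S+\s+(wait|nowait)(\.\d+)?\s+\S+\s+\S+"
)

PATTERNS = (("shadow", SHADOW), ("passwd", PASSWD), ("inetd.conf", INETD))


def classify(line):
    """Return the kind of sensitive line, or None (tolerates '>' quoting)."""
    s = line.strip().lstrip("> ").strip()
    for kind, rx in PATTERNS:
        if rx.match(s):
            return kind
    return None


def review(text):
    """Return (findings, redacted_text) for a bug-report body."""
    findings, out = [], []
    for n, line in enumerate(text.splitlines(), 1):
        kind = classify(line)
        if kind:
            findings.append((n, kind))
            out.append(f"[REDACTED {kind} entry]")
        else:
            out.append(line)
    return findings, "\n".join(out)


# Constructed sample text, not taken from any real report.
SAMPLE = """\
Customer reports login fails after patch install.
root:x:0:1:Super-User:/:/sbin/sh
jdoe:EXAMPLEHASH0000:10700:7:56:7:::
ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
Workaround: restart inetd (time: 10:42:07)."""

if __name__ == "__main__":
    found, clean = review(SAMPLE)
    print(found)
    print(clean)
```

Pattern matching of this kind only catches whole pasted lines; hostnames, IP addresses and partial excerpts still need a human read of the public copy.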