Reporter Packet Storm
`Date: Tue, 11 May 1999 19:22:59 +0100
From: "Robson, Ken" <RobsonK@EBRD.COM>
Subject: Sun Microsystems Leaks extensive Amounts of Information About Itself
& It's Customers Through Its Sunsolve Database...
I have just been scouring Sun's Bug Reports for some information and I
discovered that you can easily trawl for useful information about both Sun
and its clients. Information exposed includes:-
* Copies of /etc/passwd (i.e. user names)
* Copies of /etc/shadow (i.e. encrypted passwords)
* Configuration of network services (i.e. inetd.conf)
It is trivial to put together searches that glean this for some of their
customers. Whilst the contract services restrictions are in place for
accessing these accounts, logins must be in wide circulation. I know 3 or 4
accounts from various past employers myself.
When logging a support call I do not often consider what might happen to the
call notes. I am sure that Sun are not the only company doing this and this
is not aimed at Sun in particular, they are just an example. Serious
consideration should be given to what information you are prepared to pass
to those who support you - do you trust the rest of their customers (at
best) or the entire internet (at worst).
Anyway not earth shattering but food for thought.
PS - Please do not interpret the domain that this mail comes from as any
indication that I work for the European Bank for Reconstruction &
Development. I in fact contract to Hewlett Packard and am simply based at
the bank - all the opinions expressed above are my own and have nothing to
do with either of these organisations.
Date: Wed, 12 May 1999 09:56:00 -0700
From: Alan Coopersmith <alanc@GODZILLA.EECS.BERKELEY.EDU>
Subject: Re: Sun Microsystems Leaks extensive Amounts of Information About Itself & It's Customers Through Its Sunsolve Database
> When logging a support call I do not often consider what might happen to the
> call notes. I am sure that Sun are not the only company doing this and this
> is not aimed at Sun in particular, they are just an example. Serious
> consideration should be given to what information you are prepared to pass
> to those who support you - do you trust the rest of their customers (at
> best) or the entire internet (at worst).
The actual service order notes are not available to customers through SunSolve
- but parts of bug reports that may be generated by them are. At least a few
years ago when I worked in SunService they reminded us not to put customer
information in the public part of bug reports, but there was no review system
to make sure we didn't screw up. If you want to protect yourself, make sure
that if your call results in a bug report you go to SunSolve and review the
public copy to make sure there's nothing in there you wouldn't want others to
see and if there is, call up your service rep and make them move it to the
sun-internal-access-only section of the bug report.
Disclaimer: I no longer work in Tech Support at Sun and do not and cannot
speak for SunService or whatever they're called after the latest "realignment
of the Sun planets".
Alan Coopersmith alanc@godzilla.EECS.Berkeley.EDU
Univ. of California at Berkeley http://soar.Berkeley.EDU/~alanc/