| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 10 Sep 2008 09:07:00 -0500 From: "Micheal Patterson" <micheal@...cq.com> To: "B 650" <dunc.on.usenet@...glemail.com>, "Theo de Raadt" <deraadt@....openbsd.org> Cc: <bugtraq@...urityfocus.com> Subject: Re: Sun M-class hardware denial of service ----- Original Message ----- From: "Theo de Raadt" <deraadt@....openbsd.org> To: "B 650" <dunc.on.usenet@...glemail.com> Cc: <bugtraq@...urityfocus.com> Sent: Tuesday, September 09, 2008 4:27 PM Subject: Re: Sun M-class hardware denial of service <snip> >> You stated in your original message that this is a high-end frame, of >> the kind generally used by financial institutions etc. I would >> imagine any system which warrants this kind of hardware would have >> some level of redundancy or DR. > > Oh great! Sun is off the hook for selling something which doesn't > work, and their customers must mitigate against it themselves. > Utterly ridiculous. B 650, the major problem with that statement, is that most facilities that have built up redundancy for such an issue have 100% or more backup of the exact same gear. That means that their DR plan is still crippled and subject to the exact same failure as the primary system. That isn't an effective DR plan. If the system were in place at say a nuclear power plant, and it was sold as a method to have separation to eliminate any problems with one system causing another to cascade crash, and this happens, that effects many other systems. Regardless if the initiator of the failure is a power user or not, the result is a total cascade failure and will result in a full system shutdown shutdown to recover from. It's still, by definition, a DOS. Simply because the actions of one individual, either by accident or malice, results in the denial of access to a system or group of systems. If you're one of the domains that will be effected, and you're taken down even though your network / system is stable and working properly, that would be seen as an unnecessary outage. What happens if the system doesn't boot back up properly after the power down? Now, the outage is extended and perhaps critical systems are no longer available. I used a nuclear power plant as an example, what if it were an airport, or a city's 911 / Emergency service? Fire Department dispatch system? EMS system? Do you still think that it's a non issue to take down an entire system for one faulty domain? -- Micheal Patterson Senior Communications Systems Engineer Rural Hospital Acquisition, LLC 405-917-0600 Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
Powered by blists - more mailing lists