NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Full-Disclosure> 2007-01

Re: [Full-disclosure] Perforce client: security hole by design

From: Ben Bucksch (newsbucksch.org)
Date: Wed Jan 03 2007 - 20:23:27 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Anders B Jansson wrote:
> I'd say that it's a design decition, not sure that it's a design flaw.
> It's all down to what you try to protect.
> ... connecting any device not 100% controlled by the company to a company network is strictly forbidden, doing so would be regarded as intended sabotage.
>

OK, so this bug is not a problem in your company or some Perforce
setups. That's fine. However, I hope it was clear from my description
that it's *not* fine in other cases:

    * remote contractors like me with their own machine who work for
      many companies and don't feel like having 20 boxen, on separate
      networks.
    * I've seen quite some startup companies who actually required their
      employees to bring their own computers, because the company didn't
      have money yet. Neither had the employees. What about their
      personal data?
    * As far as I can see, the FreeBSD project uses Perforce for some
      project parts [1],[2]. I'm quite sure they don't hand out
      computers to all relevant committers. In fact, that Perforce
      server is running against the Internet
      (perforce.freebsd.org:1666), so anybody cracking that machine
      might break into developers' machines. And, worst case, go on from
      there.
    * There are public Perforce servers for anonymous access. That's
      comparable with public FTP or HTTP servers. Surely you'd be upset,
      if a random FTP server would have access to your files just
      because you downloaded something.

In all these cases, this is a critical flaw for the Perforce user. Flaws
on ebay.com for ebay users are still flaws.

I understand the reasoning of Perforce's design, and I understand that
most companies think that their *own* servers are fine and never pose a
problem to *anybody*, why *would* they, but that's just not a valid
assumption for the rest of the world.

> IT director chosing Y would say "I chose a highprofile proffessional
> company with a good security track record".

Sometimes, the track record is only good because nobody looked into it.

Ben

[1] http://www.freebsd.org/platforms/mips.html
[2] http://people.freebsd.org/~scottl/p4-primer.txt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]