[SUMMARY] Security concerns for Calendar Manager programs

From: David Foster (foster@pinwheel.ucsd.edu)
Date: Thu Dec 28 2000 - 13:02:08 CST


Wanted input about calendar manager programs, especially security
concerns related to various software packages. Several entire
responses and the original post follow.

Packages Discussed:
   Corporate Time (Steltor)
   Meeting Maker (On Technologies, www.on.com, www.meetingmaker6.com)
   iPlanet's Calendar Manager (www.iplanet.com)
   Netscape Calendar (www.netscape.com)
   
One vote for << CorporateTime >> which runs as a throwaway user, in
contrast to many other packages which run as root and have the consequent
buffer overrun and other security problems when encountering "unexpected"
input.

But then a big negative for << CorporateTime >>. Server is a resource hog,
admin NT software was not very reliable, users didn't like the interface,
"gouging" license fee structure, and CS&T was not very responsive to
bug reports.

Two votes for << Meeting Maker >> which has both Solaris and NT clients.
Cisco and Apple are two of their biggest clients.

One vote for << iPlanet's Calendar Manager >> since it's simple, web-based,
and runs on Suns.

<< Netscape Calendar >> was found by one to be unstable, as it is licensed
by a 3rd party (always scary), C&G.

One person wanted to know what this had to do with Sun management and
what was wrong with the Solaris Calendar Manager service. While this
question was off-topic, I don't believe it is a breach of the list
charter to ask for software (or hardware) recommendations, especially
when it relates directly to system security. As for the Solaris Calendar
Manager, there have been too many security problems related to this
software, it runs with root privilege, and I just don't trust it.
So phooey on you!

Some of the responses in their entirety follow:

==========================================================================

We just purchased CorporateTime here. We've run the predecessor product,
CS&T's unison (version 1.0 is the back end of Netscape Calendar, I think),
for nearly 4 years.

CS&T became someone, who eventually became Steltor.

At any rate, CT runs as a throwaway user, "unison" and confines its
activities fairly well to its own directory. The clients don't require
any greater privs than an ordinary user (that is, no SUID/SGID stuff). On
the whole, I'd say it's very secure. More so than most other calendaring
products I've seen, most of which run as root and are so poorly programmed
that unexpected data from a client will make them dump core, die, or
otherwise behave dangerously.

==========================================================================

Well, we use Meeting Maker at the University of Arizona where I
work. It's made by On Technologies (www.on.com). Solaris and
Windows clients are available (we run both). The server side is
NT based at our site, although I don't know if that's required.
Meeting Maker info is at www.meetingmaker6.com as I remember it.

==========================================================================

We currently use Meeting Maker. They are pretty good. Cisco, and Apple I
think are two of their largest customers. We are pretty happy with them.
Netscape Calendar was licensed from a third party. C&G I think they are
called. In any case, they are not very stable.

If you want I can put you in touch with the guy who runs meeting maker at
Apple. As for security concerns, if you are running a hubbed network then
clear text everything across the wire should be a concern. Though I believe
the developers are working on this.

==========================================================================

Just my 2 cents: When I was working at McGill University in the CC .. they
implemented CorpTime and were not exactly thrilled with the software. The
server is a real resource hog, and administration via the default NT admin
software is not fully reliable (or at least wasn't for the version we were
using). End users who preferred Outlook were not satisfied with the user
interface. The license fee structure was more gouging than Microsoft
(amazing but true). Oh yes, CS&T (developers of Corptime) were amazingly
non-responsive to bug reports and user-interface requests.

==========================================================================

Thanks to:

Wyman Eric Miles
Ric Anderson
Evans, Tim
Andy Paton
Thomas Vincent
Tim Chipman

> We are currently looking into purchasing a calendar manager program,
> and would like your input on possible security concerns regarding
> the following products:
>
> Corporate Time (Steltor communications)
> Groupwise (Novell)
> Netscape Calendar (duh)
> Meeting Maker (Meeting Maker I think)
>
> Any other options recommended? I know next to zippo about calendar
> manager programs, so any input is greatly appreciated.
>
> Dave Foster

   << All opinions expressed are mine, not the University's -- duh >>

  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   David Foster National Center for Microscopy and Imaging Research
    Programmer/Analyst University of California, San Diego
    dfoster@ucsd.edu Department of Neuroscience, Mail 0608
    (858) 534-4583 http://www-ncmir.ucsd.edu/
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers


