LIT and security

It surprises me to see how naive people continue to be about the internet.

Thanks for the tip Draco. If Lit's SQL servers will allow multiple simultaneous log-ins to the same account from separate IPs...well, obviously it's Swiss cheesy.

I think the simplest security precaution is to ensure one's Lit password is different from all one's other passwords and use a personal firewall, as the most plausible real life concern would be someone getting into Lit's Admin features and potentially being able to see your IP address and password and backtracking into your machine.


Lance
 
Draco said:
A shared internet connection thru Win 2000 and dial up.

Lit wouldn't see that as any different than having two windows open on the same machine, because it only sees the single dial-up connection's IP address.

I would be interested in seeing the results of two separate connections trying to use the same username.
 
I don't know much about you, never seen you before anywhere. I see that you hold some sort of Network admin position, running Windows 2000. As an admin, you know you can set a specific user to be restricted to a certain terminal. Logons are not possible anywhere else. Lit does not work this way. It wouldn't make any sense to restrict users to a certain locale because we want the freedom to login wherever the hell we please. But, restricting access based on, say, IP addys is the only way to ensure that a specific user account cannot be logged in elsewhere. Imagine the hassle of getting around firewalls and proxy servers. Account access restrictions are a complete and total pain in the ass, especially when dealing with thousands of users.

As for people obtaining your password, that's a completely different matter called Social Engineering that the Lit heads shouldn't have to worry about. Your password is Your responsibility. The automatic login doesn't have to be automatic. That is an option set for convenience. My system employs user accounts for everyone using it so that's one line of protection. I do not employ the automatic login, so that's another. My password meets most complexity requirements, and yes I do change it regularly. Most of your security issues fall back on your desire for a lack of personal responsibility. Laurel and Manu are not going to hold your hand while you wander through Lit. You have access to servers? Unbelievable.
 
Why is it so unbelievable that I have access to a server? I build PCs for a living, my main desktop machine at home is a Web server (at times), an FTP server (at times), a gaming server (a lot) and the network server in a household with 6 PCs (including laptops). A server doesn't have to be some great big lumbering piece of equipment, filling a whole refrigerated room, just a common desktop system with a network hub attached is all that's required.

And, I really don't see what running Windows 2000 has to do with it, you can buy it "off the shelf", from your local Software retailer. I run it because I still think it's the best that MS has offered yet. Fast, stable, and no tacky interface like XP, but all the MS OSes (even 3.11) can be jigged to share a dial-up connection, just need to know which settings to use over the network, and have the right hardware to do it.
Nothing unbelievable there.

No. I'm not in Network admin. I'm a qualified (A+/Net+) technician, that's all, running a small successful business for mainly home users, with a few business clients as "bread & butter" work. (Hey, they pay my bills and keep me in vino)

WH, tomorrow I'm going to try logging into my account from separate IPs. We have dual phone lines, so I can accomplish this quite easily. I'll let you know how I get on.
 
Draco, I'll save you the effort. You will get on. The folks at Lit are not going to be restricting multiple logons by one user. It's just not feasible, knowing how much of a pain in the ass it would be to configure. It's possible though. In my working environment there are approximately 250 networked computers and I could conceivably log onto every one of them because that is the default. Using policy settings you can change that, but where I work that is not convenient for the users. And it is not convenient for many Lit members either.

To restrict a user to a location you either need their IP or computer name (if they are a member of your domain, which in this case - is not the case).
 
Ooo wait a second! I am curious how this will work out. I remember something from Weird_Harold. When you share an Internet connection you certainly can login on several PCs because the SQL servers will see it as multiple desktops from one IP. But, multiple IPs is another question. I was thinking in terms of logging into a domain where every PC has an internal IP. Sorry, very tired.

I still hold true to keeping your passwords to yourself, but this one I am interested in. Watch out for social engineers and skilled hackers!
 
I used to do a lot of stuff with e-commerce applications for banks, telecoms and ISPs and found during pre-release diligence that most software components disclose a lot of backdoor capabilities through their error messages and welcome screens....OS, software version, server application code references, etc.

This site, for example, tells you what they're running, which version, what they use in the back end...it's easy to backtrack from here to the software provider and read their public tech groups, hacks, mods and such to see much more about what is do-able here than I'd be comfortable with disclosing if it were my business.

Given all the kiddy-hacks that have gone on here over the past several months I'm not sure why that stuff hasn't been edited out. I know for my part I've suggested it.

Lance
 
You kinda misunderstand my point.

I shouldn't be able to log in to my account, on one machine, when I'm already logged in on another.

It's that simple.

I can't do it on Yahoo Messenger, I can't do it on ICQ, so why should LIT be any different? Isn't that why we have Usernames and Passwords? To stop anyone coming in and imposing themselves as me, or reading my PMs or my emails or whatever?

No matter what proxy settings, etc that I use, if I'm logged in...I'M LOGGED IN and the LIT servers should detect and BLOCK the second log in attempt.

Surely, if I was running a site, any site that requires authentication, such as Username and Password, this would be the norm. I have User profiles set up on all the machines here, just for that purpose, so inquisitive 11 & 13 year olds can't find my Writings (erotica literature), My business records, or my porn folder.

Access to my movies (DVD-rips etc), and music etc is "free rein", but anything else is locked away from sight, both on my server and over the network.
 
Lancecastor said:
This site, for example, tells you what they're running, which version, ...

You mean they display the copyright info...

"Powered by: vBulletin Version 2.2.8
Copyright ©2000, 2001, Jelsoft Enterprises Limited."

...As required by the user agreement to run a BB with vBulletin software?

Why that's just a horrible security breach.
:rolleyes:
 
Weird Harold said:
You mean they display the copyright info...

"Powered by: vBulletin Version 2.2.8
Copyright ©2000, 2001, Jelsoft Enterprises Limited."

...As required by the user agreement to run a BB with vBulletin software?

Why that's just a horrible security breach.
:rolleyes:

There's a lot of information on the vBulletin website that can and has been used against sites running vBulletin.

There is a vBulletin powered site, for example, whose primary purpose is to attack other vBulletin powered sites using tricks detailed on vBulletin's public tech groups.

Lit's been shut down by those people and the site name is a banned word here.

Roll your eyes all you like, but displaying what you're running is an invitation to backtrack hacks.

Lance
 
Weird Harold said:
Why that's just a horrible security breach.
:rolleyes:

And the worse bit is...they breach it on every page.

SHOCKING....:D
 
Lancecastor said:
There's a lot of information on the vBulletin website that can and has been used against sites running vBulletin.

My point is that it's a legal requirement to display the copyright notice whether you're running vBulletin or UBB.

Commissioning and running a custom BB package is expensive, prone to bugs, and completely pointless -- unless the BB is needed for a high security discussion group with special security needs.

The copyright notice is all that most people need to find all they need to know about most software, but until copyright laws are changed, it has to be displayed.
 
Weird Harold said:
My point is that it's a legal requirement to display the copyright notice whether you're running vBulletin or UBB.

Commissioning and running a custom BB package is expensive, prone to bugs, and completely pointless -- unless the BB is needed for a high security discussion group with special security needs.

The copyright notice is all that most people need to find all they need to know about most software, but until copyright laws are changed, it has to be displayed.

The version doesn't need to be displayed to protect C, but more to the point, VB could password protect their tech discussion groups.

Sloppy.
 
Dudes, take a damn chill pill, will ya?

Determining if you want to allow or disallow multiple logins (as in, from multiple IP addresses) isn't in and of itself an issue. The fact that hotmail alerts you is comforting to some, but hardly an argument that it's secure - you're merely more likely to discover somebody knows or discovered your password.

ICQ needs to limit you to one address active at any time to know where to direct the traffic because of how the sucker's written, point-to-point, like a lot of other traffic such as SMTP, SSH, FTP, or telnet, but none of those is inherently relevant to the design decisions for implementing an HTTP-oriented bulletin board for crying out loud.

Granted, this is far from the most secure arrangement possible, but ALL security is a decision of the desired balance between total safety and how usable and/or convenient for the primary consumers any system is. This could be VERY secure, but it would be a serious pain in the ass. So, since what's at stake is passwords to a free site, not Credit Card #s, not even phone #s, why build freaking Ft. Knox?

If you want to propose improvements to the operators it would seem, IMHO, to serve EVERYBODY's interests better to do so in a private way rather than leaving the evidence of presumed holes out for discovery AT THE SITE ITSELF by the very sort of amateur scriptkiddies you're warning against, eh? How professional is that?
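The design choice argued over in this thread (Draco's position that a second login should be blocked outright, versus LukkyKnight's point that an alert like Hotmail's only makes discovery of a stolen password more likely, and that blocking trades usability for safety) can be made concrete in code. The following is an added example written for this page; it is not code from the thread, from Literotica, or from vBulletin. It is a small session registry that applies one of three policies when a user logs in while another session from a different IP address is still active: allow silently, allow but record an alert for the account owner, or refuse the login. The user names, IP addresses and timestamps are constructed for the demonstration, and the idle timeout is an assumed value.

```python
"""Concurrent-login policy demo (added example; not code from the forum
thread, Literotica, or vBulletin).

Three policies for a login that arrives while the same account already has
a live session from a different IP address:
  ALLOW - permit it and say nothing (the behaviour the thread observes on Lit)
  ALERT - permit it but record a notice for the account owner (Hotmail-style)
  BLOCK - refuse it until the other session ends or goes idle
Logins from the SAME IP are never treated as concurrent from elsewhere: as the
thread notes, several PCs behind one shared dial-up connection all present
a single address, so the server cannot tell them apart.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ALLOW, ALERT, BLOCK = "allow", "alert", "block"


@dataclass
class Session:
    user: str
    ip: str
    started_at: int   # constructed: seconds since epoch
    last_seen: int    # updated on every request via touch()


@dataclass
class SessionRegistry:
    policy: str = ALERT
    idle_timeout: int = 1800          # assumed: 30 minutes of silence ends a session
    sessions: Dict[str, List[Session]] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def _live(self, user: str, now: int) -> List[Session]:
        """Drop sessions idle past the timeout; return the ones still live."""
        live = [s for s in self.sessions.get(user, [])
                if now - s.last_seen <= self.idle_timeout]
        self.sessions[user] = live
        return live

    def login(self, user: str, ip: str, now: int) -> Optional[Session]:
        """Apply the policy. Returns the new Session, or None if blocked."""
        live = self._live(user, now)
        # Only sessions from a *different* address count as "elsewhere".
        other_ips = sorted({s.ip for s in live if s.ip != ip})
        if other_ips:
            where = ", ".join(other_ips)
            if self.policy == BLOCK:
                self.alerts.append(
                    f"{user}: login from {ip} blocked; active session(s) from {where}")
                return None
            if self.policy == ALERT:
                self.alerts.append(
                    f"{user}: new login from {ip} while already active from {where}")
        session = Session(user=user, ip=ip, started_at=now, last_seen=now)
        self.sessions.setdefault(user, []).append(session)
        return session

    def touch(self, session: Session, now: int) -> None:
        """Record activity so the session is not expired as idle."""
        session.last_seen = now

    def logout(self, session: Session) -> None:
        self.sessions[session.user].remove(session)


def demo() -> List[str]:
    """Walk one constructed scenario under the BLOCK policy and return the alerts."""
    reg = SessionRegistry(policy=BLOCK, idle_timeout=60)
    first = reg.login("draco", "203.0.113.5", now=1000)      # constructed addresses
    reg.login("draco", "203.0.113.5", now=1005)              # same IP: a second PC on a shared line
    reg.login("draco", "198.51.100.7", now=1010)             # different IP: refused
    reg.touch(first, now=1030)
    reg.login("draco", "198.51.100.7", now=1200)             # old sessions idle > 60 s: admitted
    return reg.alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The `BLOCK` branch is the behaviour Draco asks for; the `ALERT` branch is the Hotmail behaviour LukkyKnight describes, and as he says it changes only how quickly a compromised password is noticed, not whether it is usable. The idle timeout is what keeps `BLOCK` from locking out a user whose dial-up session dropped without a logout, which is the usability cost the thread weighs against the extra safety.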
 
Good point WH. The same can be said about most software. Look at all the documented security flaws in Windows (all breeds of it), Outlook, Outlook Express, ICQ, MSN, AO-Hell, Yahoo, but we all use them. Even super secure Linux has holes, only the geek set tend to overlook them and frown on us mere mortals with MS Products. Even Macs...(I just had to throw that in)

There will always be holes in any type of software, or features that can be tweaked to provide holes, backdoors, hacks etc. If we got paranoid about every little flaw, we wouldn't get anything done.
 
LukkyKnight said:

If you want to propose improvements to the operators it would seem, IMHO, to serve EVERYBODY's interests better to do so in a private way rather than leaving the evidence of presumed holes out for discovery AT THE SITE ITSELF by the very sort of amateur scriptkiddies you're warning against, eh?

Done, months ago.
 
Lancecastor said:
Done, months ago.
So the point of hashing it over again now, on a site that may or may not be patched to the most current levels, is what? Design issues are for the software developers, aren't they? This is a sumnabitchin free site which uses a particular piece of software.

If you want to point out real or perceived security flaws why not do it someplace where people who not only may understand but also have the influence to effect changes are more likely to notice the discussion points? Doing it here, publicly, broadens any risks you identify.
 
Lk, thanks for showing up and saying what I meant to say, in a clearer, more concise manner. I wanted to bring up protocols but I'm too tired to uhm... yeah... convey my stuff... yeah.
 
You're welcome. I'm sure I have no idea what I meant or said, I'm just a bartender.
 
LukkyKnight said:
You're welcome. I'm sure I have no idea what I meant or said, I'm just a bartender.

Hey bartender, wanna tutor me? Finals in Windows 2000 Active Directory are coming up.
 
LukkyKnight said:
So the point of hashing it over again now, on a site that may or may not be patched to the most current levels, is what? Design issues are for the software developers, aren't they? This is a sumnabitchin free site which uses a particular piece of software.

If you want to point out real or perceived security flaws why not do it someplace where people who not only may understand but also have the influence to effect changes are more likely to notice the discussion points? Doing it here, publicly, broadens any risks you identify.

It's a general discussion board and I'm here yakking in Draco's thread. BFD.

The Owners have already shown that they'll immediately delete threads they don't like, so I'm fine with leaving those decisions to them...are you?

:)

Lance
 
Absolutely, do you see me asking for the thread to be deleted? Nope. What you do see, if you look, is somebody questioning the value and/or professionalism of those espousing their mastery of the material under consideration. I addressed the few salient points in a technical manner which you appear to have no counter for, and you dodge the issue(s) I raised.

I understand better than you realize, perhaps.
 
LukkyKnight said:
Absolutely, do you see me asking for the thread to be deleted? Nope. What you do see, if you look, is somebody questioning the value and/or professionalism of those espousing their mastery of the material under consideration. I addressed the few salient points in a technical manner which you appear to have no counter for, and you dodge the issue(s) I raised.

I understand better than you realize, perhaps.


If you understand me then your post was unnecessary.

:)

Assuming then you didn't understand me, I'll clarify.

My comments don't require technical "counters"...as we've seen here, the site has suffered service failures on an ongoing basis.

Draco started a thread about multiple log-ins.

I mentioned the open nature of the software provider's tech site.

You talked about ICQ etc.

Harold talked about Copyright.

You now think we shouldn't be talking about it at all I gather.

I disagree.

Hope this helps.

Lance
 