Hi Janra,

From a security standpoint, obfuscation or hiding in plain sight is not necessarily a security measure (My day job is a Security SE for a very large network equipment company). And you're quite correct about many software packages advertising who is admin and who isn't (everyone else ;) ...

I would agree that changing the name is a prudent measure, but in addition, if the search results left out any account with the UID of 1 that would hide it altogether, thus adding another layer on the onion so to speak. :)

Just my thoughts.

Regards,
Steve

On Thu, Feb 21, 2008 at 12:25 AM, <janra at write-on.org> wrote:

> Well, there's nothing that says a) the admin account has to keep the
> same name, in fact I recommend changing the username just on general
> principle; b) the admin account has to be UID 1; c) there is only one
> admin account; d) some random yahoo couldn't make a user account called
> "site admin" anytime he wanted.
>
> If you wanted you could demote UID 1 to a regular user and promote a
> different user to admin. (But in the other order... always make sure at
> least one account is superuser unless you like mucking about in mysql
> directly!)
>
> There is no prevention in terms of searching for the entire list of
> users. Just as there is no prevention of searching and returning every
> comment or every story - in fact those are rather handy features to
> quickly find the most recently posted comments, for example.
>
> Given that a lot of software not only doesn't hide which accounts are
> the admin accounts but advertise it beside their username on every
> comment they make, I'm curious to know what benefit hiding the name of
> the admin account would provide.
>
> -janra
>
> On Wed, 20 Feb 2008 23:03:12 -0500, Steve Baetz wrote:
> > I noted a method in the list archives about using the Search function and
> > using a Find: Users with a blank string.
> >
> > Problem I see here is that this could reveal the admin account to someone
> > who may be looking for it. Question is how do you prevent users from
> > searching for the entire list of users on the site?
> >
> > Though the admin account could be obfuscated by a different name, this is by
> > no means an effective security measure.
> >
> > Thanks.
> > Steve
> > _______________________________________________
> > Scoop-help mailing list
> > Scoop-help at lists.kuro5hin.org
> > http://lists.kuro5hin.org/mailman/listinfo/scoop-help