Oh, absolutely, security through obscurity isn't really all that 
effective. At least not for long :-)

The main thing I was getting at is that UID 1 isn't necessarily the 
administrator. There is no requirement in the system as to what UIDs or 
usernames have administrative permissions. 

It may not be best practice in security terms, but administrative 
permissions are added to an admin's primary account. The account I post 
comments with is the same one I edit users with. If a site has five 
admins, they could very well be UIDs 2, 593, 3759, 10000, and 16937. 
Should those accounts be hidden in the user search results? Remember 
that they're posting comments and participating in discussions too, and 
are as likely to be searched as any other account...

-janra

On Fri, 22 Feb 2008 20:36:51 -0500, Steve Baetz wrote:
> Hi Janra,
> 
> From a security standpoint, obfuscation or hiding in plain sight is not
> necessarily a security measure (My day job is a Security SE for a very large
> network equipment company).  And you're quite correct about many software
> packages advertising who is admin and who isn't (everyone else ;) ... I
> would agree that changing the name is a prudent measure, but in addition, if
> the search results left out any account with the UID of 1 that would hide it
> altogether, thus adding another layer on the onion so to speak. :)
> 
> Just my thoughts.
> 
> Regards,
> Steve
> 
> 
> On Thu, Feb 21, 2008 at 12:25 AM, <janra at write-on.org> wrote:
> 
>> Well, there's nothing that says a) the admin account has to keep the
>> same name, in fact I recommend changing the username just on general
>> principle; b) the admin account has to be UID 1; c) there is only one
>> admin account; d) some random yahoo couldn't make a user account called
>> "site admin" anytime he wanted.
>> 
>> If you wanted you could demote UID 1 to a regular user and promote a
>> different user to admin. (But in the other order... always make sure at
>> least one account is superuser unless you like mucking about in mysql
>> directly!)
>> 
>> There is no prevention in terms of searching for the entire list of
>> users. Just as there is no prevention of searching and returning every
>> comment or every story - in fact those are rather handy features to
>> quickly find the most recently posted comments, for example.
>> 
>> Given that a lot of software not only doesn't hide which accounts are
>> the admin accounts but advertises it beside their username on every
>> comment they make, I'm curious to know what benefit hiding the name of
>> the admin account would provide.
>> 
>> -janra
>> 
>> On Wed, 20 Feb 2008 23:03:12 -0500, Steve Baetz wrote:
>>> I noted a method in the list archives about using the Search function and
>>> using a Find: Users with a blank string.
>>> 
>>> Problem I see here is that this could reveal the admin account to someone
>>> who may be looking for it.  Question is how do you prevent users from
>>> searching for the entire list of users on the site?
>>> 
>>> Though the admin account could be obfuscated by a different name, this is by
>>> no means an effective security measure.
>>> 
>>> Thanks.
>>> Steve
>>> _______________________________________________
>>> Scoop-help mailing list
>>> Scoop-help at lists.kuro5hin.org
>>> http://lists.kuro5hin.org/mailman/listinfo/scoop-help
>>