Steve,
Simply excluding a specific user from search results wouldn't be
sufficient. It would also require that the administrative user never be
used to post stories to the site, since an attacker could simply, through
process of elimination, identify superusers by locating accounts that do
not appear in search results. As Janra mentioned, Scoop uses role-based
access control, so any role/group could be defined with any set of
permissions; thus hiding specific users from search results doesn't buy
you much, unless you create a privilege granted to certain roles/groups
to exclude_from_user_search such that any user group could be excluded
from search results.
The major problem with this approach is that it represents exactly the
type of security through obscurity that you're arguing against.
Obfuscation through exclusion from search results is the same as
obfuscation through changing username. Regardless, an attacker could
simply go through every user by UID. Preventing identification of a
privileged account is not a security measure, regardless of your
methodology.
Instead, all users should be encouraged to set secure passwords that
could not be guessed via a brute-force attack. With this in mind, it
would be reasonable to implement in Scoop password quality checking
similar to that used by any modern implementation of the UNIX passwd
command.
Just my two cents...
Best Regards,
Colin Hill
--
Scoophost.com - a service of Pinnacle Digital
Scoop consulting and hosting services
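As an added illustration of the passwd-style quality check proposed above (example code, not part of the original message or of Scoop itself), the following checks a candidate password against a few cracklib-like rules: minimum length, character-class mix, no reuse of the username, no dictionary word (including common symbol-for-letter substitutions), enough distinct characters, and no palindromes. The word list, thresholds and function name are assumptions for the example.

```python
import re
from typing import List

# Constructed mini word list standing in for a cracklib-style dictionary;
# a real deployment would load a full dictionary file instead.
DICTIONARY = {"password", "welcome", "letmein", "scoop", "kuro5hin", "admin"}

MIN_LENGTH = 8      # assumed minimum length
MIN_CLASSES = 3     # assumed minimum number of character classes

# Common symbol-for-letter substitutions, undone before the dictionary
# lookup so that "p@ssw0rd" is still rejected as a dictionary word.
LEET = str.maketrans("@0143$!5", "aolaesis")

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_password(username: str, password: str) -> List[str]:
    """Return the reasons a password is rejected; an empty list means accepted.

    The checks mirror the kinds of tests a modern passwd/cracklib
    implementation applies before accepting a new password.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    if classes < MIN_CLASSES:
        problems.append(f"uses {classes} character classes, need {MIN_CLASSES}")
    lower = password.lower()
    uname = username.lower()
    if uname and (uname in lower or uname[::-1] in lower):
        problems.append("contains the username")
    # Compare the letters of the password, both as typed and with leet
    # substitutions reversed, against the dictionary.
    candidates = {
        re.sub(r"[^a-z]", "", lower),
        re.sub(r"[^a-z]", "", lower.translate(LEET)),
    }
    if candidates & DICTIONARY:
        problems.append("based on a dictionary word")
    if len(set(password)) < 5:
        problems.append("too few distinct characters")
    if len(lower) > 1 and lower == lower[::-1]:
        problems.append("is a palindrome")
    return problems
```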
> Date: Fri, 22 Feb 2008 20:36:51 -0500
> From: "Steve Baetz" <sbaetz at gmail.com>
> Subject: Re: [Scoop-help] User Search - Security Issue?
> To: janra at write-on.org
> Cc: scoop-help at lists.kuro5hin.org
> Message-ID:
> <93f31b2a0802221736t3ef14ea2n126d47c3313a207f at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi Janra,
>
> From a security standpoint, obfuscation or hiding in plain sight is not
> necessarily a security measure (My day job is a Security SE for a very large
> network equipment company). And you're quite correct about many software
> packages advertising who is admin and who isn't (everyone else ;) ... I
> would agree that changing the name is a prudent measure, but in addition, if
> the search results left out any account with the UID of 1 that would hide it
> altogether, thus adding another layer on the onion so to speak. :)
>
> Just my thoughts.
>
> Regards,
> Steve