[Gllug] Insecure practices at my ISP

Garry Heaton garry at heaton6.freeserve.co.uk
Fri Apr 4 22:44:19 UTC 2003


>>
>> >> On 4 Apr 2003 10:19:37, David Pashley <david at parguild.co.uk> said:
>>
>>    >> If he has not actually accessed areas of the system he is not
>>    >> authorised to access there has been no offence.
>>
>>    > <http://www.ddplus.co.uk/DDPlus_Website/News_Community/
>>    > Easynet_Story/Easynet_dont_shoot_the_messenger.htm>
>>
>> Not analogous at all.  In the article, "Certainly, he strayed into an
>> account (or accounts) other than his own, but wouldn't anyone with a
>> healthy sense of curiosity be tempted to do exactly the same?". Well,
>> no, not anyone who wants to stay out of prison..
>>
>> Notifying your ISP that the version of {sendmail, bind, mysql} that
>> they're running is insecure and exploitable *without* getting a root
>> shell from it yourself can never be against the Computer Misuse Act,
>> which classifies against unauthorised access and modification, as
>> Jason said.
>>

>Surely if the ISP has set 755 permission on a directory they are saying the
>owner can read, write and execute this file and group and other can read
>and execute.  If they have got this wrong then they should own up and fix
>the problem not attack the person who quite rightly explored the limits of
>his account and when feeling that some of the areas he was allowed into
>should in fact be closed off to him and others advises them of this fact.
>They should be thankful that someone as decent as Garry found this and not
>some spotty 14 year old 733t with an attitude problem.

>Peace Jim

It wasn't so much curiosity. The only way I could determine if my own
directories and files were group-readable was to browse another user's
directory. Once I realised all files were group/world-readable by default I
scarpered and set all mine to 604/705 as required. The security of my own
data was the issue and I had a feeling that an ISP as lax as this might
indeed shoot the messenger rather than fix the problem. I couldn't test
security on my own directories and files as their owner.

While inside the shared CGI directory a simple:

ll | grep drwx-

.... revealed that only 17 of the 1800 users had protected their directory
from being group-readable. I still find it hard to believe.

In response to the question as to why give users telnet accounts, the
accounts at PlusNet are also a gateway into the MySQL server and without the
command-line access you're limited to whatever features are built into the
average HTML-based MySQL admin interface.

No, I don't think I'll be contacting PlusNet as their response to my request
for a more up-to-date MySQL was pretty lame. Alas, I'm shackled to them for
a year but the ADSL is pretty good.

Garry
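A defender-side version of the check described in the message above, added here as an example and not part of the original post or of PlusNet's setup: it counts group-readable entries under a directory with find's permission tests instead of parsing ls output, also counts world-readable entries (a broader check than the post's grep), and applies the 604/705 modes the post mentions. The directory argument is assumed to be the caller's own tree; the sample tree in the comments is constructed.

```shell
#!/bin/sh
# Count directories (type d) or files (type f) below $1 that grant read to
# the group, which is what the "ll | grep drwx-" check above looked for.
# The tree root itself is excluded; pass the path without a trailing slash.
count_group_readable() {
    find "$1" ! -path "$1" -type "$2" -perm -g+r | wc -l | tr -d ' '
}

# Same, but for the "other" (world) read bit. On a shared host every other
# login account falls under "other", so this is the broader exposure check.
count_world_readable() {
    find "$1" ! -path "$1" -type "$2" -perm -o+r | wc -l | tr -d ' '
}

# Apply the modes the post settled on: 705 for directories, 604 for files.
# Both clear every group bit. Note that 604/705 still grant read (and, for
# directories, search) to "other"; 600/700 would close both classes.
# Intended for the caller's own tree only (constructed example).
harden_tree() {
    find "$1" -type d -exec chmod 705 {} +
    find "$1" -type f -exec chmod 604 {} +
}

# Print a short audit summary for the tree at $1.
# Example constructed tree: a/ (755) with a/x (644), b/ (705) with b/y (604),
# c/ (700) with c/z (600) gives group-readable dirs 1, files 1;
# world-readable dirs 2, files 2.
audit_report() {
    d="$1"
    printf 'group-readable dirs:  %s\n' "$(count_group_readable "$d" d)"
    printf 'group-readable files: %s\n' "$(count_group_readable "$d" f)"
    printf 'world-readable dirs:  %s\n' "$(count_world_readable "$d" d)"
    printf 'world-readable files: %s\n' "$(count_world_readable "$d" f)"
}
```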



-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug