
password recovery: is anyone happy?
05-27-2011, 12:33 PM (This post was last modified: 05-27-2011 12:42 PM by Cyclical.)
Post: #28
RE: password recovery: is anyone happy?
(05-27-2011 08:30 AM)tomtavoy Wrote:  I've been thinking more about this, and reading those interesting articles about how even 'experts' re-use their passwords, and I've changed my mind;
I would now say that any web hosting company is automatically a potentially big fish,

Being secure is what's important, not finding excuses for why being insecure is ok. I'm sure Sony is now wishing they had been more diligent about security, but who would want to hack some useless video game accounts?

I've seen lax security take down at least one other "small fish" service provider I was using a few years ago (ezboards). I doubt the "don't worry, nobody will notice you" would console that company now as it put them out of business.

Obviously encrypting it would take money, time and effort, and lots of debugging because changing user authentication can affect everything everywhere. Maybe they think this is ideal, but I think it's more likely that they think it would be too costly.

Edit: nvm, I see an admin posting here so I guess they do read the forums.

(05-24-2011 05:30 PM)bobocat Wrote:  Just for the record, to see what domains are hosted on your machine, you can type:
$ cat @
and hit tab twice for autocomplete. According to DH support, it's trying to guess which email address you want, so it lists all of the available domains.

To see most of the usernames on your machine, type:
$ ls -l /tmp/sess_a* | awk '{print $3}' | sort -u
You can change the final a of 'sess_a' to be 0-9 or a-z. Leaving it off will produce a list too big to process. But basically, all PHP session files seem to be stored in /tmp, so it's pretty easy to see the owner's account names. Granted, you can't actually read the contents of any PHP session files which you do not own, but it's just interesting that DH has blocked:
$ ls /home/
perhaps in an attempt to maintain privacy, but then allowed that information to be seen by anyone in /tmp.

Anyway, as I said, I'm new to Linux and security, so I don't know if these are standard practices or not, but after reading the account of HBGary's break-in, I'm much more cautious and suspicious than I used to be. I'm also eagerly awaiting an account of the Sony break-in... Could it happen at DH as well?

It sounds like fun to poke around and see who's sharing your machine. I'll have to try... No idea if it has to be like this or what best practice is, but you'd think they could hide that.

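The username enumeration bobocat describes above (reading the owner column of PHP session files in a shared /tmp) works because the directory is world-listable, not because the session files themselves are readable. The script below is an added example, not code from the post or from DreamHost; it wraps the same check in functions and adds the two things a tenant would want to know before worrying: whether the directory is listable by others at all, and whether the sticky bit (which only stops deletion of other people's files, not listing them) is what the host is relying on. It assumes GNU coreutils stat(1) on Linux; the /tmp default and the sess_* name pattern are taken from the post.

```shell
#!/bin/sh
# Added example, not code from the forum post or from the hosting provider.
# Audits what a shared session directory reveals about other tenants:
# the distinct owners of PHP session files, and the directory mode that
# makes that listing possible. Assumes GNU coreutils stat(1) (Linux).

# Print the distinct owners of entries in DIR matching PATTERN (default sess_*).
# Uses stat(1) instead of parsing `ls -l` columns so long usernames and
# locale-dependent date formats cannot shift the owner field.
session_owners() {
    dir=$1
    pattern=${2:-sess_*}
    find "$dir" -maxdepth 1 -name "$pattern" -exec stat -c '%U' {} + 2>/dev/null \
        | sort -u
}

# Number of distinct owners, i.e. how many account names a tenant learns.
count_session_owners() {
    session_owners "$1" "$2" | wc -l | tr -d ' '
}

# True when "others" have the read bit on DIR: anyone on the box can list it
# (and therefore read the owner column), whatever the sticky bit says.
dir_is_world_listable() {
    mode=$(stat -c '%a' "$1")       # e.g. 1777
    others=${mode#"${mode%?}"}      # last octal digit = permissions for others
    [ $((others & 4)) -ne 0 ]
}

# True when the sticky bit is set. It prevents tenants deleting each other's
# files but does nothing to hide who owns them.
has_sticky_bit() {
    case $(stat -c '%A' "$1") in
        *t|*T) return 0 ;;
        *)     return 1 ;;
    esac
}

# Human-readable report for one directory.
audit_session_dir() {
    d=$1
    printf 'Directory %s mode %s\n' "$d" "$(stat -c '%a' "$d")"
    if has_sticky_bit "$d"; then
        echo "  sticky bit set: tenants cannot delete each other's files"
    fi
    if dir_is_world_listable "$d"; then
        echo "  world-listable: any tenant can read the owner column"
        n=$(count_session_owners "$d" 'sess_*')
        printf '  %s distinct owner(s) of sess_* files visible here:\n' "$n"
        session_owners "$d" 'sess_*' | sed 's/^/    /'
    else
        echo "  not world-listable: owners of other tenants' files are not exposed"
    fi
}

# Usage: sh audit_tmp.sh /tmp   (the audit only runs when a directory is given)
if [ $# -gt 0 ]; then
    audit_session_dir "$1"
fi
```

On a typical shared host /tmp is mode 1777, so the report will list every account that has had a PHP session recently; the sticky bit is present but irrelevant to the leak. The fix on the tenant side is to stop writing sessions there at all: point PHP's `session.save_path` at a directory under your own home with mode 0700 (via php.ini or a per-directory .user.ini), so your session files, and your username, never appear in the shared directory.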