GoDaddy Wants Your Root Password
Johnny Fusion writes "The writer of the Sucuri Security Blog had an alarming awakening when a honeypot on port 22 on a GoDaddy-hosted VPS recorded login attempts using his GoDaddy username and password, and even an attempt to log in as root. It turns out the attempt was actually from within GoDaddy's network. Before he could 'alert' GoDaddy about the security breach, he got an email from GoDaddy demanding his root login credentials.
There is an update where GoDaddy explains itself and says they will change policy."
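The summary's key detail is that the honeypot on port 22 let the owner see not just that someone tried his credentials, but where the attempts came from. The following is an added example, not code from the blog post or from GoDaddy: it parses sshd-style auth log lines and flags failed logins whose source address falls inside a set of address ranges assumed to belong to the hosting provider. The log lines, the hostname `vps`, the user names and the range `198.51.100.0/24` are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample sshd log lines; not taken from the blog post or from GoDaddy.
SAMPLE_LOG = """\
Jan 10 03:14:07 vps sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Jan 10 03:14:09 vps sshd[2231]: Failed password for root from 198.51.100.24 port 41002 ssh2
Jan 10 03:14:11 vps sshd[2240]: Failed password for jsmith from 198.51.100.24 port 41004 ssh2
Jan 10 03:15:30 vps sshd[2251]: Accepted publickey for jsmith from 192.0.2.77 port 50122 ssh2
"""

# Hypothetical "provider-internal" address ranges; a real deployment would
# fill this list from whois/BGP data for the hosting company.
PROVIDER_NETS = [ipaddress.ip_network("198.51.100.0/24")]

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_sshd_line(line):
    """Return a dict for an sshd auth result line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "result": m.group("result"),
        "method": m.group("method"),
        "user": m.group("user"),
        "invalid_user": m.group("invalid") is not None,
        "src": ipaddress.ip_address(m.group("src")),
        "port": int(m.group("port")),
    }


def flag_internal_attempts(log_text, nets=PROVIDER_NETS):
    """Return failed logins whose source lies inside the provider's own ranges.

    Each hit is annotated with the network that matched, so an analyst can
    see at a glance that the attempt did not come from the open Internet.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_sshd_line(line)
        if rec is None or rec["result"] != "Failed":
            continue
        for net in nets:
            if rec["src"] in net:
                rec["matched_net"] = str(net)
                hits.append(rec)
                break
    return hits


if __name__ == "__main__":
    for hit in flag_internal_attempts(SAMPLE_LOG):
        print(f"{hit['src']} ({hit['matched_net']}) tried {hit['user']!r} via {hit['method']}")
```

Run against a real `/var/log/auth.log` (or `journalctl -u ssh`), the same filter separates ordinary Internet brute-forcing from attempts that originate inside the network that is supposed to be protecting you, which is the distinction that made this incident newsworthy.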
They physically own the box (Score:5, Insightful)
Re:Feature, not a bug. (Score:5, Insightful)
Why not just create an alternate account with sudo for them? Why give them root?
I'd have thought it was obvious, but... (Score:5, Insightful)
I always wondered what use GoDaddy is (Score:5, Insightful)
Re:Feature, not a bug. (Score:5, Insightful)
Why not just create an alternate account with sudo for them?
If I had mod points, I'd bump you up. Your password is your password. Who knows what else a person uses that password for...trying to gain access by using it is tantamount to a phishing scheme. Get your own damn password.
I wonder... (Score:5, Insightful)
How robust are the various common server operating systems against an attacker breaching the system by either reading or manipulating the VM's state? When your "hard drive" is just a file on somebody else's system, and your RAM is just a block of memory reserved for you by whatever virtualization mechanism is being employed, either could conceivably be read or written without any access to your system through the usual channels(ssh, admin passwords, etc.) If, say, you are using public key authentication, to avoid password attacks entirely, what would stop the VM host from just scribbling their own public key onto the list of approved public keys stored on your filesystem? Or doing something subtler, like scanning your block of RAM to find your SSH daemon, and flipping a few bits to make it interpret your login attempt as valid rather than failed?
Obviously, in theory, you can never win against somebody who controls the hardware(and, with VMs, they don't even need EE skills and an expensive oscilloscope to poke at the hardware, since the "hardware" is actually software). However, theoretical viability and practical doability can be very different animals. In this case, they tried a clumsy password guess, followed by a demand, obviously not uber-hacker material. Has there been any work done, though, on the strengths, weaknesses, and limits of what a VM that doesn't trust its host can do?
Double take (Score:5, Insightful)
We've got a security expert who gets an email demanding his root password, and it's all good because they called and said sorry, we'll change our policy? HUH? No wonder people are commenting that he's been paid off!!!
Re:They physically own the box (Score:4, Insightful)
Re:Thats scary.... (Score:5, Insightful)
They store all the passwords encrypted, and they can only be retrieved and reversed after a member of the security team opens a ticket and explains the reason for using the password (like to investigate malware)
Look at this epic fail right here. All security bets are off.
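The comment above objects to passwords being stored in a form that can be "retrieved and reversed" on request. The following is an added example, not code from the thread or from GoDaddy, of the alternative the thread keeps pointing at: a salted, slow, one-way verifier (PBKDF2-HMAC-SHA256 from the standard library) from which the password cannot be recovered, so there is nothing for a ticket to hand over. The record format `pbkdf2_sha256$iterations$salt$hash` and the iteration count are choices made for this example.

```python
import base64
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor for this example; raise it as hardware gets faster.
ITERATIONS = 600_000


def make_record(password: str) -> str:
    """Derive a salted one-way verifier; the password itself is never stored.

    A fresh random salt per record means two users with the same password
    get different records, and a precomputed table is useless.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify(password: str, record: str) -> bool:
    """Check a candidate password against a stored record.

    The stored record carries its own salt and iteration count, so old
    records keep verifying after ITERATIONS is raised for new ones.
    """
    try:
        algo, iters, salt_b64, dk_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so a timing difference does not leak how many
    # leading bytes of the hash matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")  # constructed sample password
    print(rec)
    print("right password:", verify("correct horse battery staple", rec))
    print("wrong password:", verify("Tr0ub4dor&3", rec))
```

Note that there is deliberately no `retrieve(record)` function: with this design a support engineer who needs to act on a customer's box gets their own account or key, because the customer's secret is not available to anyone, ticket or no ticket.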
Re:No Surprises Here (Score:3, Insightful)
They can't take his domain, regardless of the TOS, if I understand his post correctly. IANAL and IANFamiliarWithICANN'sRulesOrTheTOS.
Re:Feature, not a bug. (Score:5, Insightful)
Give them sudo and they can grab root whenever they want:
I think the point is that they should never have access to your password.
(Which is why TFA mentions that GoDaddy encrypts the passwords instead of using a one way hash)
If they have sudo and reset your root password, they're going to have to explain themselves later.
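The exchange above turns on one practical difference: a sudo grant leaves a trail, and misuse of it "will have to be explained later", whereas a handed-over root password leaves nothing to explain. The following is an added example, not code from the thread or from GoDaddy, that reads sudo's syslog-format log lines and marks the invocations that convert a scoped grant into an unscoped root session or change root's credentials. The user `support`, the hostname `vps` and the log lines are constructed for the example; the set of flagged programs is a starting point, not an exhaustive list.

```python
import re

# Constructed sudo log lines in the format sudo writes to syslog/auth.log;
# the user "support" and the paths are invented for this example.
SAMPLE_SUDO_LOG = """\
Jan 10 04:02:11 vps sudo:  support : TTY=pts/1 ; PWD=/home/support ; USER=root ; COMMAND=/usr/bin/tail -n 50 /var/log/syslog
Jan 10 04:03:40 vps sudo:  support : TTY=pts/1 ; PWD=/home/support ; USER=root ; COMMAND=/usr/bin/passwd root
Jan 10 04:04:02 vps sudo:  support : TTY=pts/1 ; PWD=/home/support ; USER=root ; COMMAND=/bin/su -
Jan 10 04:05:00 vps sudo:  support : command not allowed ; TTY=pts/1 ; PWD=/home/support ; USER=root ; COMMAND=/bin/bash
"""

SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?:(?P<denied>command not allowed) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Programs that give the caller an unscoped root session or let them rewrite
# the sudo policy itself. Assumed list for this example; extend per distro.
ROOT_SHELLS = {
    "/bin/su", "/usr/bin/su",
    "/bin/bash", "/bin/sh", "/usr/bin/bash", "/usr/bin/sh",
    "/usr/sbin/visudo", "/usr/bin/visudo",
}


def parse_sudo_line(line):
    """Return a dict for a sudo command log line, or None for any other line."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["denied"] = rec["denied"] is not None
    return rec


def classify(rec):
    """Label a parsed sudo record: 'denied', 'root-takeover' or 'ok'."""
    if rec["denied"]:
        return "denied"
    argv = rec["cmd"].split()
    prog, args = argv[0], argv[1:]
    if prog in ROOT_SHELLS:
        return "root-takeover"
    # `passwd` with no argument changes the invoking (here root) account;
    # `passwd root` does so explicitly. Either replaces the owner's root secret.
    if prog.endswith("/passwd") and (not args or "root" in args):
        return "root-takeover"
    return "ok"


def audit(log_text):
    """Parse every sudo line in the text and attach a verdict to each."""
    out = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec is not None:
            rec["verdict"] = classify(rec)
            out.append(rec)
    return out


if __name__ == "__main__":
    for rec in audit(SAMPLE_SUDO_LOG):
        print(f"{rec['verdict']:14} {rec['user']} -> {rec['target']}: {rec['cmd']}")
```

The point is not that this catches a determined insider (a root shell can edit the log it was recorded in), but that every step up to that moment is attributable to a named account, which is exactly what a shared root password throws away.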
Re:No Surprises Here (Score:3, Insightful)
Who exactly would spank them if they did?
Rules are no good unless they can be enforced.
Re:They physically own the box (Score:5, Insightful)
Yes and no. It’s like having an apartment. The landlord might own it. But it’s still highly illegal for him to go into your apartment without you allowing it. It’s the same thing as breaking it.
The question of trust was not the point. The point is that the landlord is telling you to give him a copy of the keys to the apartment, or he'd throw you out.
In Germany, he would get dragged to court, and lose big time, when trying this on anyone.
The same should be true for GoDaddy. Everything else would be laws not keeping up with progress.
Re:Christian morality (Score:2, Insightful)
"*The distorted Protestant American version of the faith."
Religions should be judged by practice, not theory.
Besides the obvious fact they are fantastic nonsense, the superstitions of the desert are only useful for facilitating oppression and violence.
Re:Feature, not a bug. (Score:5, Insightful)
If I had mod points, I'd bump you up. Your password is your password. Who knows what else a person uses that password for...trying to gain access by using it is tantamount to a phishing scheme. Get your own damn password.
Ironically, the very last sentence is exactly the solution one should use when choosing what password to set on a machine you do not own that others have full and total access to, physically, electronically, and legally.
If you use the same password on two things, a password being a shared secret, clearly both of those things now have that secret and can use it between each other.
Solution? Get your own damn password! :D
Re:The question is if GoDaddy is trustworthy. (Score:3, Insightful)
Don't they know there are other hosts that don't use such tactics or resort to ridiculous tv commercials?
Chances are, they don't. For a middle-aged tech-illiterate person, seeing their commercials during a Super Bowl might be enough to make them wonder if they should have a website. And I don't see eNom, or Network Solutions making any prime-time ads.
Due to the relatively low cost of GoDaddy domains and plans at least to the average person, there seems to be no need for them to search around. Mix that with plans to appeal to the average person and you have a situation where no one really wants to shop around.
Re:They physically own the box (Score:3, Insightful)
Interesting... maybe it varies from state to state, but pretty much every lease I've ever signed specifically states the landlord can enter your premises pretty much any time they wish for whatever reason... without notice.
You might wanna check your lease... or local state regulations; this certainly isn't a national thing that you stated.
Re:They physically own the box (Score:1, Insightful)
I know in CA (pretty sure NY too) it either has to be an emergency (house was on fire, bathroom was flooding) or they have to give you at least 24 hours notice. By leasing the apartment the landlord releases their right to access to the lessee. I'm not sure what constitutes a valid request for access and I'm sure that varies from place to place, but no place I know of allows free access to a private dwelling just because you own the building. So my landlord walks in on my wife in the shower and that's ok because he owns the building? If that's the case where you live please let me know so I can cross that off my list of places to live...
Re:They physically own the box (Score:1, Insightful)
You don't change locks when you move in somewhere? Stupid, stupid, stupid.
Re:They physically own the box (Score:4, Insightful)
The "hard way" can be very hard in certain parts of the US where the intruder can face summary execution...
Re:They physically own the box (Score:1, Insightful)
I'm wasting my time posting this.