Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security IT

GoDaddy Wants Your Root Password 236

Johnny Fusion writes "The writer of the Securi Security Blog had an alarming awakening when a honeypot on port 22 on a GoDaddy-hosted VPS recorded login attempts using his GoDaddy username and password and even an attempt to login as root. It turns out the attempt was actually from within GoDaddy's network. Before he could 'alert' GoDaddy about the security breach, he got an email from GoDaddy Demanding his root login credentials. There is an update where GoDaddy explains itself and says they will change policy."
This discussion has been archived. No new comments can be posted.

GoDaddy Wants Your Root Password

Comments Filter:
  • by SpazmodeusG ( 1334705 ) on Wednesday February 24, 2010 @07:27PM (#31266956)
    You already trust them 100% if you let them have access to your box

    /That sounded wrong somehow
    • Yep. Reminds me of when I tried to set up a firewall password for a software vendor, only to find my boss constantly deleting it. He wanted to make a big deal out of every time they wanted to log in... I had problems that only they could solve so I needed them in frequently. He was basically wasting my time.

    • by mrsteveman1 ( 1010381 ) on Wednesday February 24, 2010 @07:31PM (#31266998)

      I've said it before, i'll say it again.

      Always use protection when VPS'ing.

    • by WrongSizeGlass ( 838941 ) on Wednesday February 24, 2010 @07:42PM (#31267098)
      It's simple: All your passwords are belong to us.
    • I don't mind them having my password

      It's SAGAPO [youtube.com]
    • by Futurepower(R) ( 558542 ) on Wednesday February 24, 2010 @08:01PM (#31267224) Homepage
      That's not the question. The question is if GoDaddy is trustworthy.

      Judge for yourself. Here are some stories about GoDaddy on Slashdot, in order by date:
      Go Daddy Usurps Network Solutions [slashdot.org] (2005-05-04)
      GoDaddy Serves Blank Pages to Safari & Opera [slashdot.org] (2005-12-08)
      GoDaddy.com Dumps Linux for Microsoft [slashdot.org] (2006-03-23)
      GoDaddy Holds Domains Hostage [slashdot.org] (2006-06-17)
      GoDaddy Caves To Irish Legal Threat [slashdot.org] (2006-09-16)
      MySpace and GoDaddy Shut Down Security Site [slashdot.org] (2007-01-26) That incident prompted this web site:
      Exposing the Many Reasons Not to Trust GoDaddy with Your Domain Names [nodaddy.com].
      Alternative Registrars to GoDaddy? [slashdot.org] (2007-02-03)
      GoDaddy Bobbles DST Changeover? [slashdot.org] (2007-03-11)
      850K RegisterFly Domains Moved To GoDaddy [slashdot.org] (2007-05-29)
      According to this March 11, 2008 story in Wired, GoDaddy shut down an entire web site of 250,000 pages because of one archived mailing list comment: GoDaddy Silences Police-Watchdog Site RateMyCop.com [wired.com]. See below for Slashdot's story about RateMyCop.com.
      GoDaddy Silences RateMyCop.com [slashdot.org] (2008-03-12)
      ICANN Moves Against GoDaddy Domain Lockdowns [slashdot.org] (2008-04-08)
      GoDaddy VP Caught Bidding Against Customers [slashdot.org] (2008-06-29)

      Those are just the stories until July of 2008.

      GoDaddy's reputation is not just one of extremely negative stories. In my opinion, GoDaddy tries to confuse non-technical people by offering services they don't need and presenting them as valuable.

      Here are some of the opinions of Bob Parsons, the owner of GoDaddy. He is pro-violence: Close Gitmo? No way!! [archive.org]

      He uses women's bodies to advertise: Bob Parson's Video Blog [bobparsons.tv].
      • by Futurepower(R) ( 558542 ) on Wednesday February 24, 2010 @08:17PM (#31267324) Homepage
        Quote from the story, Registrars Still Ignoring ICANN Rules [slashdot.org]: "Over a year ago ICANN moved to clean up misbehaving registrars like GoDaddy..." (2009-07-22)

        Another quote from that Slashdot story: "GoDaddy (and their reseller arm, Wild West Domains) have a different problem: They still block transfers for 60 days after a registrant's contact update, even after the ICANN update specifically prohibited doing so."
        • Sounds like a breach of contract between Godaddy and whoever gave them their "regisrar license", yes?

          Or is it Verisign's job to police godaddy?

        • Sounds like business as usual to me. I've written about this on /. before; I've had personal dealings with people associated with GoDaddy and a few of their own employees. Jay Westerdahl (google the jerk) runs (ran?) a company that was very tight with GoDaddy. I never got a very warm feeling from the man and heard interesting thing from his associates about the people who run GoDaddy. All I can do is makes accusations; but if you ever find yourself looking for work or isp partnerships in Seattle don't do th
        • Re: (Score:2, Informative)

          by Anonymous Coward

          Another quote from that Slashdot story: "GoDaddy (and their reseller arm, Wild West Domains) have a different problem: They still block transfers for 60 days after a registrant's contact update, even after the ICANN update specifically prohibited doing so."

          It gets worse. GoDaddy forces an update of 'invalid' contact details (which may have been inherited from a previous transfer) when trying to change an admin address (to transfer the domain out). GoDaddy then forces you to agree to a 60 day transfer hold via a checkbox because the said details were changed. Online support refuses to change just the admin email. This isn't just against the ICANN rules, this is thuggery.

      • Quote from the Slashdot story, KnujOn Updates Top 10 Spam-Friendly Registrars List [slashdot.org]: "Network Solutions and GoDaddy sister company Wild West domains - have popped up on the [spammer-friendly] list." (2009-02-06)
      • by Anonymous Coward on Wednesday February 24, 2010 @08:30PM (#31267412)

        "GoDaddy's reputation is not just one of extremely negative stories. In my opinion, GoDaddy tries to confuse non-technical people by offering services they don't need and presenting them as valuable. "

        This is quite an understatement. I do occasional web development on the side, and I recently had my first client in a while. I told her to go ahead and sign up for the domain with GoDaddy, but she said she couldn't figure out what to do. So I helped her out in person and I couldn't *believe* the amount of crap they try to push on you. Pages full of options and "upgrades" and packages on every step ... even after you finish your purchase! It's a tremendously confusing experience for someone who doesn't know how to filter out the signal from the noise.

        • by pushf popf ( 741049 ) on Wednesday February 24, 2010 @11:38PM (#31268560)
          This is quite an understatement. I do occasional web development on the side, and I recently had my first client in a while. I told her to go ahead and sign up for the domain with GoDaddy, but she said she couldn't figure out what to do. So I helped her out in person and I couldn't *believe* the amount of crap they try to push on you. Pages full of options and "upgrades" and packages on every step ... even after you finish your purchase! It's a tremendously confusing experience for someone who doesn't know how to filter out the signal from the noise. That's why I use ChangeIP.com for domain registrations.

          You pick the name, give them a credit card, press the button and get on with your life. They won't hijack it, hold it hostage, try to sell you anything (except DDNS if you want it). You pay, they register. As it should be.

          I now have three (count'em 3) clients that have lost their domains to GoDaddy. However, for only $400 or so, GoDaddy will sell you back your own domain.

          I wouldn't use GoDaddy if my ass was on fire and they had free water.
      • That's not the question. The question is if GoDaddy is trustworthy.

        [Huge list of news, showing GoDaddy’s questionable trustworthiness]

        I think you just answered that question. ;)

        Also, (I know that looks are not really relevant) why does he look like a cross of Hannibal Lecter and a child molester? (I swear, looks can’t be that irrelevant, considering [statistically significantly] how often they fit. ;)

      • "GoDaddy tries to confuse non-technical people by offering services they don't need and presenting them as valuable."

        I work nights. Sometimes, I'm actually in the shop to listen to the radio. It seems that every 15 minutes, one company or another is pitching some worthless product, trying to scare the dumb consumer into purchasing some "security" product.

        "Hi, I'm former Police Chief Frazzle Brain. Did you know that online indentity theft is the fastest growing crime in America? Send me $100 and I'll pro

      • That's not the question. The question is...

        ...why does anyone use them? Don't they know there are other hosts that don't use such tactics or resort to ridiculous tv commercials?
        • Re: (Score:3, Insightful)

          Don't they know there are other hosts that don't use such tactics or resort to ridiculous tv commercials?

          Chances are, they don't. For a middle-aged tech-illiterate person, seeing their commercials during a Super Bowl might be enough to make them wonder if they should have a website. And I don't see eNom, or Network Solutions making any prime-time ads.

          Due to the relatively low cost of GoDaddy domains and plans at least to the average person, there seems to be no need for them to search around. Mix that with plans to appeal to the average person and you have a situation where no one really wants to shop ar

      • to confuse non-technical people by offering services they don't need and presenting them as valuable.

        Congratulations, you just described Marketing's purpose in life...

    • by Hurricane78 ( 562437 ) <deleted@slashdo[ ]rg ['t.o' in gap]> on Wednesday February 24, 2010 @08:36PM (#31267444)

      Yes and no. It’s like having an apartment. The landlord might own it. But it’s still highly illegal for him to go into your apartment without you allowing it. It’s the same thing as breaking it.

      The question of trust was not the point. The point is, that the landlord is telling you, to give you a copy of keys of the apartment, or he’d throw you out.
      In Germany, he would get dragged to court, and lose big time, when trying this on anyone.

      The same should be true for GoDaddy. Everything else would be laws not keeping up with progress.

      • It's unethical and definitely borders on breach, not to mention access laws in many jurisdictions.

        It's bad behavior, and given their track record, they'll pull something like this again. Just loved those cuties at CES this year....

      • Re: (Score:3, Insightful)

        by cayenne8 ( 626475 )
        "Yes and no. It's like having an apartment. The landlord might own it. But it's still highly illegal for him to go into your apartment without you allowing it."

        Interesting...maybe it varies from state to state, but pretty much every lease I've ever signed specifically states the landlord can enter your premise pretty much any time they wish for whatever reason....without notice.

        You might wanna check your lease..or local state regulations, this certainly isn't a national thing that you stated.

    • by icebike ( 68054 )

      Define "Your Box".

      The guy was running "Virtual Private Servers". In effect, renting a virtual machine on a GoDaddy box.

      That is slightly different than running his own box, because when malware is served or spam sent from that box it is GoDaddy that is on the hook.

      His big mistake was assuming a VPS was HIS. Its really just a rented room, and just like a landlord can take steps to make sure meth is not brewed in his building, GoDaddy can protect their network.

  • Feature, not a bug. (Score:5, Interesting)

    by LostCluster ( 625375 ) * on Wednesday February 24, 2010 @07:27PM (#31266960)

    When my trivia game was hosted at EV1Servers (now part of The Planet company) I kept my root password on file with them at all times, and quite a few times support logged in and helped me with a problem, like telling me the reason my webserver went down was that the Warnings file in Apache had hit the Linux system limit.

    This isn't GoDaddy the domain registrar looking for your passwords, this is GoDaddy the hosting provider wanting to log in to a customer's VPS that's running on their hardware, and most likely is calming down a paranoid admin if he's yelling at Slashdot about a "security breach" when support wanted to log in.

    Nothing to see here... move along.

    • by Neil Blender ( 555885 ) <neilblender@gmail.com> on Wednesday February 24, 2010 @07:30PM (#31266988)

      Why not just create an alternate account with sudo for them? Why give them root?

      • If you give them a non-root user with all of the privileges of root, there's no way for them to know if you've really given them root. You're trying rule-out possible problems, you don't want to give support a false answer they can hang their hat on.

        • Re: (Score:3, Informative)

          If you give them a non-root user with all of the privileges of root, there's no way for them to know if you've really given them root.

          sudo su

          • Re: (Score:3, Informative)

            sudo su -

            • by Minwee ( 522556 )

              sudo -i

              Why waste characters?

            • Re: (Score:3, Informative)

              by Tacvek ( 948259 )

              Don't you mean "sudo -i". That will launch a root login shell. Using "sudo su -" just makes it look like you never read the sudo manpage.

              • Few people RTFA, why would they read a manpage? Come on, this is EARTH, the place with upright monkeys walking around, claiming to be intelligent. No one reads manpages!

              • Why is sudo reimplementing partial (root user only) functionality of su? Sudo isn't emacs. Do one thing, and do it well. Let the users put the pieces together. "sudo su -" was good enough for RHEL, so it should be good enough for Fedora (or is that ancestry reversed?).
                • Re: (Score:2, Informative)

                  su simply switches the user, sudo -i actually starts up a new shell (as if you logged in) and parses the .input, etc files and set up the environment variables.
          • If you give them a non-root user with all of the privileges of root, there's no way for them to know if you've really given them root.

            sudo su

            Don't allow su for that account. Do we really need to spell it out? I was at amazon for 3.5 years, pretty much never had root (sudo only) and had zero problems as a result.

        • by mysidia ( 191772 ) on Wednesday February 24, 2010 @08:45PM (#31267502)

          Two things... (1) of course they can determine that after logging in with the credentials.

          (2) Godaddy is using fricking Virtuozzo as their VPS hosting platform right?

          They technically then don't NEED the root password at all if so.

          In theory, they could 'vzctl enter' a customer's VPS from the host node. To be clear: _entering_ a container, spawns a new shell child process with the customer's VZPID, such that the child shell is actually created inside the customer's VPS.

          Now there might be some reasons they wouldn't want to do this, or that they'd want to wrap that in additional layers.

          Well, the reason is entering a VPS from the host node potentially places the VPS they have entered in control of the user's terminal.

          That could in theory be a security risk to GoDaddy's own system.

          So by getting the VPS root password, they can enter the VPS over the network, instead of through the hardware node.... thus, not ensuring a VPS can never have control over a terminal logged into the hardware node.

          Basically, this is more sound security wise.

          Anyways... there definitely doesn't seem to be anything wrong with GoDaddy gaining access to a customer VPS on an official basis, for good reasons, to investigate possible customer abuse or malware.

          As long as they follow professional standards, respect customer privacy completely, do not conduct any abuses, such as stealing leaking info, or gratifying personal curiosities (IOW: no abuse whatsoever) -- basically everything you would expect from an admin of Gmail or Yahoo mail (as in not reading your e-mail and using it for personal uses, to satisfy curiosities, blackmail you, etc...).

          Oh yeah, and that they exclude any utilization they generate from the customers' bandwidth / resource bills.

      • by lymond01 ( 314120 ) on Wednesday February 24, 2010 @07:35PM (#31267044)

        Why not just create an alternate account with sudo for them?

        If I had mod points, I'd bump you up. Your password is your password. Who knows what else a person uses that password for...trying to gain access by using it is tantamount to a phishing scheme. Get your own damn password.

        • If they have root or sudo then they can change your password behind your back... unless you have a restrictive /etc/sudoers file.

          • by dissy ( 172727 )

            If they have root or sudo then they can change your password behind your back... unless you have a restrictive /etc/sudoers file.

            Change yes. View no.

            Me giving you root access to my machine does not necessarily give you my passwords.
            An easily brute forced hashing for passwords would, as would you installing some software to wait and log when i next typed in a password.

            But both of those are illegal, and one would assume a ligit company would not want to do that.

            This same legit company however OWNS that compu

            • This same legit company however OWNS that computer, so it is not illegal for them to log in as root.

              Dunno. I'd compare that to you renting a house. The landlord can't simply waltz in unannounced, even if he owns the house (with some caveats, of course). The same base concept should pretty much apply.

          • by bsDaemon ( 87307 )
            :w! :q
            the sure-fire way to edit /usr/local/etc/sudoers without using bitch-ass visudo (still must be root, or `sudo vi`, but that should be self-evident).
        • by dissy ( 172727 ) on Wednesday February 24, 2010 @08:50PM (#31267542)

          If I had mod points, I'd bump you up. Your password is your password. Who knows what else a person uses that password for...trying to gain access by using it is tantamount to a phishing scheme. Get your own damn password.

          Ironically, the very last sentence is exactly the solution one should use when choosing what password to set on a machine you do not own that others have full and total access to, physically, electronically, and legally.

          If you use the same password on two things, a password being a shared secret, clearly both of those things now have that secret and can use it between each other.

          Solution? Get your own damn password! :D

      • by Thinboy00 ( 1190815 ) <.moc.liamg. .ta. .00yobniht.> on Wednesday February 24, 2010 @07:50PM (#31267144) Journal

        Why not just create an alternate account with sudo for them? Why give them root?

        Give them sudo and they can grab root whenever they want:
        sudo -i
        passwd
        [input new password twice]
        exit

        • by TubeSteak ( 669689 ) on Wednesday February 24, 2010 @08:02PM (#31267232) Journal

          Give them sudo and they can grab root whenever they want:

          I think the point is that they should never have access to your password.
          (Which is why TFA mentions that GoDaddy encrypts the passwords instead of using a one way hash)
          If they have sudo and reset your root password, they're going to have to explain themselves later.

          • by lawpoop ( 604919 )

            If they have sudo and reset your root password, they're going to have to explain themselves later.

            Forgive me newbishness. What evidence would you have that *they* did this? If they were unscrupulous, couldn't they just say, "LOL Sorry you got rooted. No way it was us. Make sure you don't have a keylogger on your system n00b"

          • If they have sudo and reset your root password, they're going to have to explain themselves later.

            Or they could just restore it back to what it was..

        • But they won’t be able to know your actual password. Which was the point.
          (Of course that ends, as soon as they install a different “passwd” program, and you use it to enter your new password.)

        • Re: (Score:3, Informative)

          by deblau ( 68023 )
    • by batrick ( 1274632 ) on Wednesday February 24, 2010 @07:51PM (#31267148)
      A VPS is rented space on hardware in the same way you rent an apartment. You don't own the hardware, but that doesn't mean the host can break into your box whenever he wants. Maybe the contract asserts they have that right (you would be an idiot to contract with them). Use Linode (arguably the best VPS provider in the industry): http://linode.com/ [linode.com] (I am not affiliated with Linode.)
    • When my trivia game was hosted at EV1Servers (now part of The Planet company) I kept my root password on file with them at all times, and quite a few times support logged in and helped me with a problem, like telling me the reason my webserver went down was that the Warnings file in Apache had hit the Linux system limit.

      This isn't GoDaddy the domain registrar looking for your passwords, this is GoDaddy the hosting provider wanting to log in to a customer's VPS that's running on their hardware, and most likely is calming down a paranoid admin if he's yelling at Slashdot about a "security breach" when support wanted to log in.

      Nothing to see here... move along.

      That would make sense if this was a dedicated server, but this is a VPS. With the two different VM systems I've administered VPSes with (OpenVZ and Xen), you're able to log into any virtual machine as root from the hardware node without a password, negating the need for any of the user's passwords. With OpenVZ it's just `vzctl enter [vpsid]`. There is no reason GoDaddy should be asking for passwords, let alone be automatically probing the VPSes to make sure the passwords on file are correct.

    • by Eil ( 82413 ) on Wednesday February 24, 2010 @09:11PM (#31267668) Homepage Journal

      I was just about to write the same thing. This was something that was already brought up weeks ago in an Ask Slashdot. People who who don't have much exposure to the web hosting business (and that includes most Slashdotters) don't understand that web hosting falls into two major categories:

      1) Unmanaged

      2) Managed

      Unmanaged hosting means you have full control over all of the software on your machine. (And by "machine" I mean both a real machine and a VPS or cloud node.) Nobody touches your configuration in the slightest once control has been handed over to you. If something goes wrong, including hardware failure, it's the customer's responsibility to notice it and either fix it or get it fixed. Any technical support beyond typical datacenter stuff usually incurs an hourly fee. Unmanaged hosting is ideal for people who want to admin their setup 100% on their own.

      Managed hosting means the web hosting provider monitors the machine which can include external probes (checking for a response on various TCP ports) and internal metrics like system load and disk utilization. When a red flag pops up, a technician logs into the machine and tries to fix whatever is happening. You can call them up with all manner of ridiculous requests ("install WordPress for me and apply this theme") and they have to do it because, well, that's what the customers expect with a managed hosting account. Managed hosting is awesome for people who want a web server but don't have the expertise or will to actually configure and maintain it.

      What the submitter ran into is that he though he had unmanaged hosting but actually has managed hosting. I don't completely blame him, because a lot of hosting providers don't explicitly state which style they provide. Sometimes it's even hard to tell after you've purchased the product. But its something you have to figure out or else you're going to be deeply dissatisfied with the company's technical support, as the submitter was.

    • This isn't GoDaddy the domain registrar looking for your passwords, this is GoDaddy the hosting provider wanting to log in to a customer's VPS that's running on their hardware, and most likely is calming down a paranoid admin if he's yelling at Slashdot about a "security breach" when support wanted to log in.

      Why would, nay, should they log in when there are no indications your box is infected? Asking them for help is a bit different then them arbitrarily accessing it whenever they feel like it, 'we have a p

  • No Surprises Here (Score:5, Interesting)

    by neoform ( 551705 ) <djneoform@gmail.com> on Wednesday February 24, 2010 @07:29PM (#31266968) Homepage

    Not surprising at all.

    I had a domain with Godaddy a few years ago when they breached ICANN's rules by threatening to confiscate my domain unless I paid them $200, because I had supposedly breached their TOS.

    GoDaddy is not to be trusted.

    • by LostCluster ( 625375 ) * on Wednesday February 24, 2010 @07:32PM (#31267002)

      I had supposedly breached their TOS.

      What was your alleged offense and how do we know you didn't do it?

      • Re: (Score:3, Insightful)

        by Thinboy00 ( 1190815 )

        They can't take his domain, regardless of the TOS, if I understand his post correctly. IANAL and IANFamiliarWithICANN'sRulesOrTheTOS.

      • Re:No Surprises Here (Score:5, Interesting)

        by neoform ( 551705 ) <djneoform@gmail.com> on Wednesday February 24, 2010 @08:10PM (#31267282) Homepage

        Someone (falsely) accused me of spamming.

        However, even *if* I was a spammer, what right does godaddy have to confiscate my domain? I didn't even have any hosting with them, I just had a domain registered. This is clearly against ICANN policy. Registrars are not arbiters who get to take your domain away because they feel like it.

        • Re: (Score:3, Insightful)

          by shentino ( 1139071 )

          Who exactly would spank them if they did?

          Rules are no good unless they can be enforced.

        • Check the TOS. You agreed to pay the costs of investigating, and to give over your domain if you were truely spamming.
  • by straponego ( 521991 ) on Wednesday February 24, 2010 @07:31PM (#31266994)
    Pro tip: never trust your domain or your business to a company who got its name from a Thrill Kill Kult song and advertises its services with soft-core porn.
  • by beakerMeep ( 716990 ) on Wednesday February 24, 2010 @07:31PM (#31267000)
    They only seem to market themselves by objectifying women and their services don't seem low priced or high quality. Frankly I think they are an embarrassment to the tech world.
  • I wonder... (Score:5, Insightful)

    by fuzzyfuzzyfungus ( 1223518 ) on Wednesday February 24, 2010 @07:38PM (#31267072) Journal
    My understanding is that "VPS" usually implies that you are living in a VM on somebody else's box.

    How robust are the various common server operating systems against an attacker breaching the system by either reading or manipulating the VM's state? When your "hard drive" is just a file on somebody else's system, and your RAM is just a block of memory reserved for you by whatever virtualization mechanism is being employed, either could conceivably be read or written without any access to your system through the usual channels(ssh, admin passwords, etc.) If, say, you are using public key authentication, to avoid password attacks entirely, what would stop the VM host from just scribbling their own public key onto the list of approved public keys stored on your filesystem? Or doing something subtler, like scanning your block of RAM to find your SSH daemon, and flipping a few bits to make it interpret your login attempt as valid rather than failed?

    Obviously, in theory, you can never win against somebody who controls the hardware(and, with VMs, they don't even need EE skills and an expensive oscilloscope to poke at the hardware, since the "hardware" is actually software). However, theoretical viability and practical doability can be very different animals. In this case, they tried a clumsy password guess, followed by a demand, obviously not uber-hacker material. Has there been any work done, though, on the strengths, weaknesses, and limits of what a VM that doesn't trust its host can do?
    • by theJML ( 911853 )

      You know, This is the first thing I thought of.

      The second thing is that they REALLY didn't even need to ask. Seriously, it's a VM, they can copy and crack the vm. They can restart it single user. They can mount the vm disk to another vm, change the password to what they want, and then put the disk back. They could make themselves a nice little backdoor of some sort. Etc...

      In fact, the more I think about it, the nicer it was that they just asked for it. Once you trust someone to hold your entire machine in v

  • Double take (Score:5, Insightful)

    by syousef ( 465911 ) on Wednesday February 24, 2010 @07:39PM (#31267080) Journal

    We've got a security expert gets an email demanding his root password, and it's all good because they called and said sorry we'll change our policy? HUH? No wonder people are commenting that he's been paid off!!!

  • They have physical access which means they don't need the root password. The fact that they store the password just shows plain lack of skill or laziness to implement a better access method by their admins. Store the pass where they could potentially be accessed is the issue here. What happens if the database is hacked and the passwords stolen without their knowledge. Insider hacking is also an major issue. Having the root password could allow an attacker to log in and erase all traces easily. Of course it'
  • Heck, if their sysadmins are definitely like the chicks in the commercials, I'd definitely give them my "root".

  • by cenc ( 1310167 ) on Wednesday February 24, 2010 @08:20PM (#31267356) Homepage

    As someone that has been around the block with running a lot of web sites (well, a couple thousand at least) for say the last 10 years, I have learned the hard way to not put all your eggs in one basket. Registries come and go, even the big boys (at least service comes and goes, policies change), hosting providers can go bad for all kinds of reasons, and your DNS services are your keys to the castle in terms of just how much damage an outage can do to a buisness (backup DNS severs people).

    • by socsoc ( 1116769 )
      Not only should you have backups of DNS servers, you should have redundant ones from multiple providers. For example, slave ns1 at provider a, slave ns2 at provider b, master hidden somewhere else...
      • by cenc ( 1310167 )

        Totally agree. There are plenty of affordable backup dns services like dnsmadeeasy.com, that will give you global dns backup coverage for very little money and still allow you to maintain ns6.mydomain.com type servers.

        I don't think a lot of people with just a couple sites realize that if you can keep dns up, even really cheap hosting going up and down will keep those outages from doing real damage such as with mail not arriving. servers will keep trying normally for a long time as long as the DNS resolves.

  • by Hurricane78 ( 562437 ) <deleted@slashdo[ ]rg ['t.o' in gap]> on Wednesday February 24, 2010 @08:42PM (#31267484)

    Make a backup of your server, and then tell them that they won’t get it.

    If they switch off your server, sue them for extortion, trespassing (in case they entered the server) and damages. [Same rules as with a (business) apartment and a landlord.]

    But I personally already had hosters asking me for the root password. I refused. That was it. They did not do anything. (We still had a contract, after all.) Of course they told me that they wouldn’t give me support for the software. But I wouldn’t have wanted that anyway, since on the last managed server, they wrecked my database when one of their idiot admins did “fix” something.

    I don’t see the problem. Let them bitch. Tell them to fuck off or you’ll sue. Done.

  • all they need to do is send Danica over to ask for it.

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (10) Sorry, but that's too useful.

Working...