Forums and Security

 
Martin Burnett_2
Trusted Contributor

Forums and Security

Hello Everyone,

Just a friendly reminder to make sure that you "scrub" any system specific information that might be considered a security risk from your posts and submissions to the forums.

This is particularly important when posting error messages from logs, many of which contain system specific information. In almost all instances this information is not required to try and resolve your issue by the forum members.

This includes but is not limited to IP addresses, system hostnames, HP support agreement identifiers, as well as User Identification codes (User IDs), passwords, product serial numbers, etc. All of these important information elements should be protected.

If you have any questions, review the Terms of Use under the User Submissions and Customer Responsibilities sections. A weblink is located at the bottom of the Forums home page.

As always, thanks for participating in the forums and let's all practice "safe submissions".

Martin
20 REPLIES 20
Wodisch
Honored Contributor

Re: Forums and Security

Hello Martin,

a well-meant point, which I would completely agree with, but (isn't there always a "but" ;-) taking the growth of the forums and the recent level of questions into consideration, I am afraid many will not be able to do this, as they simply do not know enough to decide which information they have to hide, and what they have to substitute with *safe* values...
That could be a place for the forums' team to step in - those of you, who are able to decide when to *move* postings to another forum, might be able to do the *substitution*, perhaps?

Just my $0.02,
Wodisch
harry d brown jr
Honored Contributor

Re: Forums and Security

Martin,

I agree with everything except for IP's, especially when someone is talking about routing and subnet masks. Most people don't understand IP's, subnet masks, and routing. Having them "scrub" them will lead to erroneous postings and erroneous answers.

live free or die
harry
Live Free or Die
Martin Burnett_2
Trusted Contributor

Re: Forums and Security

Hello Wodisch,

Excellent point and we (I) do. In fact, this is precisely what I was doing this morning for one of our forum users and is also what prompted me to write and post this little security reminder blurb. My concern is that as hard as we try we may still miss one or two posts out there that contain sensitive information. I would hate to see anyone get "cracked" because of information they posted in our forums. This was simply intended as a gentle reminder to us all. Thanks for the feedback.

Martin

Mark Greene_1
Honored Contributor

Re: Forums and Security

scrubbing IP's is superfluous. using nslookup one can acquire a list of IP's for any system with internet access, and there is the freely available whois registration information for the domain.

obviously login ID's, passwords, serial numbers and other types of "access" information are crucial not to post. Think of the IP address as the roadmap, which one cannot hide, and the other info as the keys to the door.

just a thought,
mark
the future will be a lot like now, only later
Craig Rants
Honored Contributor

Re: Forums and Security

Martin,
I do agree to a point, I certainly have seen information in a post that I would not have posted. But it also would not take long for someone to gather information about a postee and put two and two together. I could do this by getting the domain of the company from the postee's profile, checking dns records for that domain, finding the ip block assigned to that domain, etc... Pretty soon I have all the info I want and more.

Keeping your messages sanitized should always be a priority, but a smart person could easily gain all that info and more if they wanted.

Just my thoughts,
Craig
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
harry d brown jr
Honored Contributor

Re: Forums and Security

Martin,

I finally beat my network boys into submission. They were always so secretive about anyone knowing our IP numbers and host names, and my reply was this: Security based upon lack of information is security based upon ignorance.

It's like having an encryption routine where the formula is secret, and there are no "keys", just a formula.

live free or die
harry
Live Free or Die
Martin Burnett_2
Trusted Contributor

Re: Forums and Security

Hello Harry,

Also a good point, and you are correct if the issue requires it. This is why I stated in the original posting that "...almost all instances this information is not required ..." This is just intended to get people thinking about whether the information they post is necessary and relevant to the issue, does it pose a security problem, and having thought about the issue then they can make their own "informed" decision about whether or not to post this type of info. Thanks for the feedback.

Martin
Mark Greene_1
Honored Contributor

Re: Forums and Security

Harry,

funny you should mention that. my boss at my very first job out of college would say "security based on ignorance is not secure, just ignorant!"

I've not thought about him in a while, thanks for the reminder. :-)

mark
the future will be a lot like now, only later
harry d brown jr
Honored Contributor

Re: Forums and Security

Martin,

Are you a newcomer to the Forum and HP, or just the Forum? If so, welcome, and thanks for the info on the Dec2001 release!

live free or die
harry
Live Free or Die
Martin Burnett_2
Trusted Contributor

Re: Forums and Security

Well, just new to the forums in this capacity. Sort of an additional duty due to the rapid growth in the ITRC we are experiencing thanks to all you guys and gals (experts) out there and your active participation.

I bow to all of you and your expertise in this area. I give, uncle on the IP addresses. 8-)

But you have to admit that this got all of you thinking about the security issues and that was my whole intent.

Martin
Carlos Fernandez Riera
Honored Contributor

Re: Forums and Security

Go top...
unsupported
Bill McNAMARA_1
Honored Contributor

Re: Forums and Security

I've noticed that some posters don't understand that the forums are public support.. they believe that it is an official hp support site.

There's no doubt that you'll end up with

telnet myserver
root password root

one of these days!

It is important to keep this thread alive somehow..

Later,
Bill
It works for me (tm)
Kenny Chau
Trusted Contributor

Re: Forums and Security

Hi Martin,

Absolutely agree with what you said. I always hide the information and post as much information as possible to the forum so that the experts here can solve my problem.

If I expose any company's information here, I will be fired by my boss.

Regards,
Kenny.
Kenny
K.Vijayaragavan.
Respected Contributor

Re: Forums and Security

Hi Martin.

I fully agree with you.

When no one wants to leave all this precious information in their workplace itself, obviously it is dangerous to leave all this info in the forum.

A warning message consisting of the points mentioned in your note can be displayed whenever a new user is registering in this forum.

Thanks!

Regards,

K.Vijay
"Let us fine tune our knowledge together"
Justo Exposito
Esteemed Contributor

Re: Forums and Security

Hello Martin,

Yes this is very important information for all the forum members and it's needed for the new users as well.

Perhaps it's a good practice that this thread or similar appears all the months and if somebody had an attack because the information showed in the forum can explain to everybody. Something like the forums issues thread for the month.

Regards and thanks for the advertising,

Justo.
Help is a Beautiful word
Steven Sim Kok Leong
Honored Contributor

Re: Forums and Security

Hi,

I agree with you indeed.

On occasions, I have seen posters who cut and paste their unshadowed /etc/passwd files straight onto their posting. Someone could potentially run crack on these password files.

Such postings need to be sanitized.

Steven Sim Kok Leong
Roger Baptiste
Honored Contributor

Re: Forums and Security


Good point. I don't think it is too difficult to mask information before posting it.
Put the output in an editor and do a find/replace all. Of course, even with all care, I have occasionally had slips.

The reason for masking has less to do with it being misused, but more to do with company guidelines etc etc..
After all, what is anybody going to do with IPs or hostnames etc; as for people who post password files, well they shouldn't be admins in the first place ;-)

cheers
-raj
Take it easy.
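An added example, not part of any post in this thread: the find/replace approach described above, written so that it also preserves what the routing discussion earlier in the thread needs, namely that addresses on the same /24 stay on the same stand-in network and netmasks are left alone. The function name `scrub`, the `aliases` argument, the `10.0.N.x` stand-in range and the sample text are all assumptions made for this illustration.

```python
import re

IPV4 = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")
# passwd-style line: name:password-field:uid:gid:...
PASSWD = re.compile(r"^([^:\s]+):[^:\n]*:(\d+:\d+:)", re.MULTILINE)

# Constructed sample, not taken from any real system.
SAMPLE = """\
Nov 12 09:14:02 dbprod1 inetd[1234]: telnet/tcp: Connection from 172.16.40.17
Nov 12 09:14:09 dbprod1 nfsd: mount request from 172.16.40.99 denied
route add net 172.16.41.0 netmask 255.255.255.0 172.16.40.1
jsmith:Qz1xExAmPlEhAsH:204:20::/home/jsmith:/usr/bin/sh
"""


def scrub(text, aliases):
    """Return (scrubbed_text, ip_mapping) for an excerpt about to be posted.

    aliases: {real hostname or user ID: stand-in}, supplied by the poster.
    """
    ip_mapping, prefixes = {}, {}

    def swap_ip(m):
        octets = m.groups()
        if any(int(o) > 255 for o in octets):
            return m.group(0)            # octet out of range: not an address
        if octets[0] in ("0", "127", "255"):
            return m.group(0)            # wildcard, loopback, netmask: keep
        # Same /24 -> same stand-in network; the host octet is kept.
        n = prefixes.setdefault(".".join(octets[:3]), len(prefixes) + 1)
        ip_mapping[m.group(0)] = f"10.0.{n}.{octets[3]}"
        return ip_mapping[m.group(0)]

    text = PASSWD.sub(r"\1:*:\2", text)  # drop the password field entirely
    text = IPV4.sub(swap_ip, text)
    for real, alias in aliases.items():
        text = re.sub(rf"\b{re.escape(real)}\b", alias, text, flags=re.IGNORECASE)
    return text, ip_mapping


if __name__ == "__main__":
    scrubbed, ips = scrub(SAMPLE, {"dbprod1": "hostA", "jsmith": "userA"})
    print(scrubbed)
    print(ips)
```

The returned mapping stays with the poster, so replies that quote a stand-in address can be translated back locally.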
John Bolene
Honored Contributor

Re: Forums and Security

Help is help, but security must take first priority.

Posting password files or any other sensitive information like this is a real bad thing, but then a lot of our systems are behind firewalls or not even connected to the internet and even if I gave you root passwords, you would not know which machine they go to, and could not get to them if you tried.

More information is better than less information, but as you said, you can go too far. Most folks don't know what information to give to solve problems and we have to ask for more anyway.

We get all the time at work, "My computer is broke", well they don't really have a computer, they have an X-terminal, which is a computer but in a very limited way.

The other problem is "My terminal is slow today". That is a very hard one to solve.

My 2 cents.
It is always a good day when you are launching rockets! http://tripolioklahoma.org, Mostly Missiles http://mostlymissiles.com
Justo Exposito
Esteemed Contributor

Re: Forums and Security

back to top.

Regards,

Justo.
Help is a Beautiful word
Martin Burnett_2
Trusted Contributor

Re: Forums and Security

Hello Everyone,

Thanks everyone for the suggestions and support. I'm going to submit a couple of them to Dan and maybe renew this subject occasionally to try to remind everyone once in a while about this information.

Martin