GoDaddy Wants Your Root Password
Johnny Fusion writes "The writer of the Sucuri Security Blog had an alarming awakening when a honeypot on port 22 on a GoDaddy-hosted VPS recorded login attempts using his GoDaddy username and password, and even an attempt to log in as root. It turns out the attempt was actually from within GoDaddy's network. Before he could 'alert' GoDaddy about the security breach, he got an email from GoDaddy demanding his root login credentials.
There is an update where GoDaddy explains itself and says they will change policy."
You already trust them 100% if you let them have access to your box
/That sounded wrong somehow
Why not just create an alternate account with sudo for them? Why give them root?
Pro tip: never trust your domain or your business to a company who got its name from a Thrill Kill Kult song and advertises its services with soft-core porn.
They only seem to market themselves by objectifying women and their services don't seem low priced or high quality. Frankly I think they are an embarrassment to the tech world.
meep
Why not just create an alternate account with sudo for them?
If I had mod points, I'd bump you up. Your password is your password. Who knows what else a person uses that password for...trying to gain access by using it is tantamount to a phishing scheme. Get your own damn password.
My understanding is that "VPS" usually implies that you are living in a VM on somebody else's box.
How robust are the various common server operating systems against an attacker breaching the system by either reading or manipulating the VM's state? When your "hard drive" is just a file on somebody else's system, and your RAM is just a block of memory reserved for you by whatever virtualization mechanism is being employed, either could conceivably be read or written without any access to your system through the usual channels (ssh, admin passwords, etc.). If, say, you are using public key authentication, to avoid password attacks entirely, what would stop the VM host from just scribbling their own public key onto the list of approved public keys stored on your filesystem? Or doing something subtler, like scanning your block of RAM to find your SSH daemon, and flipping a few bits to make it interpret your login attempt as valid rather than failed?
Obviously, in theory, you can never win against somebody who controls the hardware (and, with VMs, they don't even need EE skills and an expensive oscilloscope to poke at the hardware, since the "hardware" is actually software). However, theoretical viability and practical doability can be very different animals. In this case, they tried a clumsy password guess, followed by a demand, obviously not uber-hacker material. Has there been any work done, though, on the strengths, weaknesses, and limits of what a VM that doesn't trust its host can do?
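The "scribble a key into authorized_keys" case above is at least detectable from inside the guest, even if a host that patches sshd in memory is not. The following is an added example (not code from the thread or from any party it mentions) that audits an OpenSSH authorized_keys file against a list of approved SHA256 fingerprints; the key blobs it embeds are constructed filler, not real keys, and the file layout and fingerprint format it assumes are OpenSSH's.

```python
"""Audit an OpenSSH authorized_keys file against an approved fingerprint list.

Added example, not from the original thread. Assumes the OpenSSH line layout
(optional options, key type, base64 blob, comment) and OpenSSH's
"SHA256:<base64 without padding>" fingerprint format. Sample keys are constructed.
"""
import base64
import hashlib

KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
)


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded key blob."""
    raw = base64.b64decode(blob_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (key_type, blob, comment) for every key line; skip blanks and '#' comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # An options prefix such as from="10.0.0.0/8",no-pty may precede the key type.
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        yield fields[idx], fields[idx + 1], " ".join(fields[idx + 2:])


def audit(text: str, approved):
    """Return (unexpected, missing).

    unexpected: {fingerprint: (key_type, comment)} for keys present but not approved,
    missing:    set of approved fingerprints no longer present in the file.
    """
    present = {fingerprint(blob): (ktype, comment)
               for ktype, blob, comment in parse_authorized_keys(text)}
    unexpected = {fp: info for fp, info in present.items() if fp not in approved}
    missing = set(approved) - set(present)
    return unexpected, missing


def _fake_blob(seed: bytes) -> str:
    """Constructed stand-in for a key blob: length-prefixed type string plus 32 filler bytes."""
    body = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return base64.b64encode(body).decode()


# Constructed sample: the owner's key plus one the owner never added.
OWNER_KEY = _fake_blob(b"owner")
PLANTED_KEY = _fake_blob(b"planted")
SAMPLE_FILE = (
    "# keys for alice\n"
    f"ssh-ed25519 {OWNER_KEY} alice@laptop\n"
    f'from="10.0.0.0/8" ssh-ed25519 {PLANTED_KEY} support\n'
)
APPROVED = {fingerprint(OWNER_KEY)}

if __name__ == "__main__":
    unexpected, missing = audit(SAMPLE_FILE, APPROVED)
    for fp, (ktype, comment) in unexpected.items():
        print(f"UNEXPECTED {ktype} {fp} ({comment})")
    for fp in missing:
        print(f"MISSING {fp}")
```

Run it from cron with the approved set stored somewhere the guest does not write (a fingerprint list kept on your workstation, say) and the check catches the crude on-disk version of the attack; it says nothing about a host that alters sshd's memory, which is the commenter's harder question.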
We've got a security expert who gets an email demanding his root password, and it's all good because they called and said sorry, we'll change our policy? HUH? No wonder people are commenting that he's been paid off!!!
These posts express my own personal views, not those of my employer
They store all the passwords encrypted, and they can only be retrieved and reversed after a member of the security team opens a ticket and explains the reason for using the password (like to investigate malware).
Look at this epic fail right here. All security bets are off.
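The distinction the two comments above turn on is reversible storage versus a one-way hash: a provider that needs to reuse a customer's password has to keep it decryptable, whereas a salted hash only lets them verify a login. As an added example (not code from the thread, the blog post, or GoDaddy), here is the one-way side of that contrast with PBKDF2-HMAC-SHA256; the record format and iteration count are my own choices.

```python
"""One-way password storage: verifiable, not recoverable.

Added example, not from the original thread. The "$"-separated record format
and the work factor are assumptions made for illustration.
"""
import hashlib
import hmac
import os
from typing import Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 100_000  # work factor; raise it as hardware gets faster


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted hash. The record lets you check a password, not retrieve it."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported record type: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print(rec)                                           # no plaintext anywhere in it
    print(verify("correct horse battery staple", rec))   # True
    print(verify("wrong guess", rec))                    # False
```

Because every record gets its own random salt, two customers with the same password produce different records, and a support engineer holding the database can confirm a password only by already knowing it; there is no "retrieve and reverse" step to open a ticket for.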
They can't take his domain, regardless of the TOS, if I understand his post correctly. IANAL and IANFamiliarWithICANN'sRulesOrTheTOS.
$ make available
Give them sudo and they can grab root whenever they want:
I think the point is that they should never have access to your password.
(Which is why TFA mentions that GoDaddy encrypts the passwords instead of using a one way hash)
If they have sudo and reset your root password, they're going to have to explain themselves later.
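The accountability argument above rests on sudo writing a log line for every elevated command, including the one that grabs a root shell or resets root's password. As an added example (not from the thread), the script below classifies such lines from a syslog-format auth log; the log lines are constructed but follow sudo's standard "user : TTY=... ; PWD=... ; USER=... ; COMMAND=..." format, and the hostname, user and timestamps are made up.

```python
"""Flag sudo log entries that amount to "grabbing root" or changing root's credentials.

Added example, not from the original thread. Assumes syslog-style lines in
sudo's standard format; the sample lines, host "vps1" and user "support" are constructed.
"""
import re
from dataclasses import dataclass
from posixpath import basename
from typing import List, Optional

SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?:(?P<denied>command not allowed) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
SHELLS = {"su", "sh", "bash", "dash", "zsh"}         # sudo -i / -s / su all log one of these
CRED_TOOLS = {"passwd", "chpasswd", "usermod"}       # tools that can reset root's password


@dataclass
class Finding:
    user: str
    target: str
    command: str
    kind: str


def classify(target: str, cmd: str) -> Optional[str]:
    """Return a finding kind for commands that escalate to a root shell or touch root's credentials."""
    argv = cmd.split()
    if not argv:
        return None
    prog = basename(argv[0])
    if prog in SHELLS and target == "root":
        return "root_shell"
    if prog in CRED_TOOLS and "root" in argv[1:]:
        return "root_credential_change"
    return None


def audit_sudo(lines) -> List[Finding]:
    """Parse sudo lines; report root shells, root credential changes, and denied attempts."""
    findings = []
    for line in lines:
        m = SUDO_RE.search(line)
        if not m:
            continue
        kind = "denied" if m["denied"] else classify(m["target"], m["cmd"])
        if kind:
            findings.append(Finding(m["user"], m["target"], m["cmd"], kind))
    return findings


# Constructed sample log: one benign command, one root shell, one root password
# reset, an unrelated sshd line, and a sudo denial.
SAMPLE_LOG = """\
Mar  3 09:12:01 vps1 sudo:  support : TTY=pts/0 ; PWD=/home/support ; USER=root ; COMMAND=/usr/bin/tail -n 50 /var/log/syslog
Mar  3 09:13:44 vps1 sudo:  support : TTY=pts/0 ; PWD=/home/support ; USER=root ; COMMAND=/bin/su -
Mar  3 09:15:10 vps1 sudo:  support : TTY=pts/0 ; PWD=/home/support ; USER=root ; COMMAND=/usr/bin/passwd root
Mar  3 09:20:00 vps1 sshd[2112]: Accepted publickey for alice from 10.0.0.5 port 5022 ssh2
Mar  3 09:21:00 vps1 sudo:  support : command not allowed ; TTY=pts/0 ; PWD=/home/support ; USER=root ; COMMAND=/bin/bash
"""

if __name__ == "__main__":
    for f in audit_sudo(SAMPLE_LOG.splitlines()):
        print(f"{f.kind:24} {f.user} -> {f.target}: {f.command}")
```

Ship these lines to a log host the sudo user cannot write to, because once someone is in a root shell they can edit the local log; the trail is only as good as the copy they cannot reach.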
[Fuck Beta]
o0t!
Who exactly would spank them if they did?
Rules are no good unless they can be enforced.
"*The distorted Protestant American version of the faith."
Religions should be judged by practice, not theory.
Besides the obvious fact they are fantastic nonsense, the superstitions of the desert are only useful for facilitating oppression and violence.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
If I had mod points, I'd bump you up. Your password is your password. Who knows what else a person uses that password for...trying to gain access by using it is tantamount to a phishing scheme. Get your own damn password.
Ironically, the very last sentence is exactly the solution one should use when choosing what password to set on a machine you do not own that others have full and total access to, physically, electronically, and legally.
If you use the same password on two things, a password being a shared secret, clearly both of those things now have that secret and can use it between each other.
Solution? Get your own damn password! :D
Don't they know there are other hosts that don't use such tactics or resort to ridiculous tv commercials?
Chances are, they don't. For a middle-aged tech-illiterate person, seeing their commercials during a Super Bowl might be enough to make them wonder if they should have a website. And I don't see eNom, or Network Solutions making any prime-time ads.
Due to the relatively low cost of GoDaddy domains and plans at least to the average person, there seems to be no need for them to search around. Mix that with plans to appeal to the average person and you have a situation where no one really wants to shop around.
Taxation is legalized theft, no more, no less.