On 6/30/05, Chadley Wilson
Greetings,
Friends, I am in a situation with my one clients who use - (Yes that one again!!), uucp.
Now their previous techies set all the user id's for the system to 0 (zero) Oh! and all the GID's as well. Now I have come in and had to fix this, but I get resistance.
I have only one good reason why not to right now,
with uucp on one site all the files are transfered but not removed from the queue, only when I set the user id to 14 (IIRC) and the GID to 512, and of course changed all the on the relevant configs and files, would it clean the remote queue. This reason however has been flawed as we have other sites that work properly with all the UID's and GID's set to 0 (zero).
I need more reasons, explaining how this affects the system integrity, and functionality, the trick here is they don't give two hoots about the security aspect. So to win my case professionally and cleverly, I ask for real opinions and reasons.
Could you please assist.
-- -- Chadley Wilson Production Line Superintendant Pinnacle Micro Manufacturers of Proline Computers ==================================== Exercise freedom, Use LINUX =====================================
The moment they get a letter in the mail from the ISP and/or lawyer informing them that their server contains copyrighted material, questionable content, etc, etc, they'll care. And all the we didn't know won't help bad PR in the news. Especially when the news reports that it was due to sloppy and lazy security practices. Of course, they'll try to blame someone else, "It's the consultant's fault.", so get some CYA documentation with signatures and a few emails for added weight and evidence to at least absolve yourself if/when it hits the fan. Oh, and gently remind them that around 80 percent (last I checked anyway) of all security breaches take place inside, not outside, the company network; and then ask just how important the data is to the company and its revenue. Would the cost of lost data (maybe the next big widget or gizmo that makes millions) be more that the cost of proper security best practices? Is it worth losing a competitive edge to your competition? Black hats don't waste time with website defacements anymore. Corporate espionage is big business. If the black hat owns the server, he owns the data and is free to bend the contents of the data to his amusement, or sell it or make it available to whom he pleases. John