[sudo-sys] New Calendar w/ Booking, Recurring Events, and Feeds (ical)

Matthew Senate mattsenate at gmail.com
Tue Apr 29 18:06:57 PDT 2014


On Tue, Apr 29, 2014 at 5:42 PM, Yar <yardenack at gmail.com> wrote:

> On Tue, Apr 29, 2014 at 12:50 AM, Matthew Senate <mattsenate at gmail.com>
> wrote:
> > create your own account on the dev.sudoroom.org site using:
> >
> > user: sudoer
> > pass: superuserdoroom
>
> I appreciate all your hard work on this, but I would advocate for a
> more security-conscious approach to this. My two concerns are:
>
> 1) We should not share WordPress admin account passwords on a public
> mailing list. Admin accounts are able to modify files on the server
> and execute arbitrary code. This creates a very easy way for anybody
> on the internet to pwn our entire web server and attack our users.
>

password changed


> 2) We should not serve the dev site on http or encourage users to
> create accounts in cleartext. I can move it seamlessly to
> https://sudoroom.org/dev/ with your consent.
>

We already have WordPress installed on sudoroom.org and this will cause
redirection issues. I think it's better to have a dev.sudoroom.org to
maintain total independence. Maybe we can get another SSL cert or use a
self-signed one?


>
> I think we owe our users better than this, especially since we've
> taught some of them to use Tor at our cryptoparties. They have trusted
> us with email addresses and passwords in (among other things) the
> blog, wiki, and mailman. This puts them and us at risk. It also
> nullifies a lot of past time and effort that's gone into keeping our
> server secure.
>

I should have told folks to only use demo / test / fake accounts. I hope no
one thought they were signing up for anything other than a development site
(that will be trashed in the future). I'll just set up demo accounts myself
in the future and hand those out.


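The HTTPS-for-the-dev-site point above (a separate hostname, HTTP never serving the site, a self-signed cert if no second CA-issued one is available) as an added example; this is not code from the thread or from the sudoroom server setup. The hostname dev.sudoroom.org is used only as a placeholder, and nginx, the web root, and the php-fpm socket path are assumptions. It generates a throwaway self-signed cert with a subjectAltName, checks the cert actually names the host, prints an nginx vhost pair in which port 80 does nothing but redirect, and prints the wp-config.php line that makes WordPress itself insist on TLS for logins and wp-admin.

```shell
#!/bin/sh
# Added example (not from the thread): self-signed TLS for a separate dev
# WordPress vhost, with HTTP redirected to HTTPS and wp-admin forced onto TLS.
# Hostname, output dir, web root and php-fpm socket are assumed placeholders.
set -eu

# gen_selfsigned HOST DIR: writes DIR/HOST.key (mode 600) and DIR/HOST.crt.
# A subjectAltName is included because browsers ignore CN-only certificates.
# Throwaway dev cert: 2048-bit RSA, unencrypted key, one year validity.
gen_selfsigned() {
    host="$1"; dir="$2"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
    chmod 600 "$dir/$host.key"
}

# cert_matches_host HOST CRT: exit 0 if CRT lists HOST in its SAN extension.
cert_matches_host() {
    openssl x509 -in "$2" -noout -text | grep -qF "DNS:$1"
}

# nginx_vhost HOST DIR: print a server block pair. Port 80 only redirects;
# port 443 serves the site. Nginx's own $variables are escaped so they
# reach the config literally.
nginx_vhost() {
    host="$1"; dir="$2"
    cat <<EOF
server {
    listen 80;
    server_name $host;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name $host;
    ssl_certificate     $dir/$host.crt;
    ssl_certificate_key $dir/$host.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    # short max-age: this is a throwaway dev host, not the production site
    add_header Strict-Transport-Security "max-age=3600" always;

    root /var/www/$host;   # assumed web root
    index index.php;
    location / { try_files \$uri \$uri/ /index.php?\$args; }
    location ~ \\.php\$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }
}
EOF
}

# wp_force_ssl_admin: line for wp-config.php so WordPress itself redirects
# wp-login.php and wp-admin to HTTPS, independently of the web server rule.
wp_force_ssl_admin() {
    cat <<'EOF'
define('FORCE_SSL_ADMIN', true);
EOF
}

main() {
    host="${DEV_HOST:-dev.sudoroom.org}"   # assumed dev hostname
    dir="${OUT_DIR:-$(mktemp -d)}"
    gen_selfsigned "$host" "$dir"
    cert_matches_host "$host" "$dir/$host.crt" && echo "# cert ok: $dir/$host.crt"
    nginx_vhost "$host" "$dir"
    echo "# add to wp-config.php:"
    wp_force_ssl_admin
}

# Run the demo only where openssl exists, so the functions can also be sourced.
if command -v openssl >/dev/null 2>&1; then main; fi
```

Browsers will still warn on the self-signed cert, which is acceptable for a throwaway dev host; the point is that credentials never cross the wire in cleartext and that there is no HTTP path that serves the login form. Set DEV_HOST and OUT_DIR to override the placeholders.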