Just to give you advance notice that the continual problem with the renewal of SSL certificates is due to occur on Monday 5 Aug.
Nobody in the new team has the necessary access nor knowledge of the current hardware configuration, and control remains with NCommander. The transfer of assets has been initiated but as one of the two members of the current Board is out of the country everything has temporarily ground to a halt. We cannot reconfigure the existing structure as legally we do not yet 'own' the database or existing hardware assets.
I have requested that NCommander assist by renewing the certificates but that depends upon his availability. He has been kind enough to help in the past. There is nothing more I can do at the moment.
I know that this is easily fixed - but until the formal exchange of the assets takes place we are on very shaky ground with regards to liabilities and responsibilities.
(Score: 5, Informative) by janrinok on Friday August 02, @03:20PM (3 children)
Opening up a potential security hole which might allow someone to get access to the database would not be protecting your personal information. We have promised to protect the data and for the last 10 years have been successful in keeping your personally identifiable information private.
If somebody can get your password then they can also get an administrator's password. If they compromise the account of certain admins (e.g. a sysadmin) then they have the keys to the castle - everything!
I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
(Score: 2) by Username on Friday August 02, @05:22PM (2 children)
Chmod the admin pages 700. That should solve it.
(Score: 3, Informative) by janrinok on Friday August 02, @05:33PM (1 child)
If they get inside with an Administrator's password, what good would that do?
It would, I think, also break the current software. Probably best that we don't do that. Remember that this is late 1990s software technology, originally used in 2000s hardware, and significantly modified in 2014 for its current role.
Once someone is inside the system - as any user - they have a much better chance of getting where they shouldn't be. They can also see where other vulnerabilities might be lurking. Not that we have any of course, certainly not, safe as houses.....
(Score: 2) by Username on Monday August 05, @02:16PM
With 700 no one can access it remotely via HTTP. You would have to SSH or whatever solution you use in with whatever account to access it. You will be using the OS encryption, not Apache or whatever you got.