Administrator access: Right or privilege?

A cautionary tale


Workshop Here’s a story, which may or may not be true. A long, long time ago, a UNIX sys admin was having a problem with some of his users, who thought it was really funny to download explicit photos from the then still-fledgling Internet and pop them up on other people’s screens.

It wasn’t funny of course, but when the administrator deleted the photos, the users simply found clever ways of hiding them – for example creating directories called ‘ .’ (space-dot) or ‘. ‘ (dot-space) so they wouldn’t appear obvious on a manual search. When the administrator started to get wise to this, the users created directory paths such as ‘. / .’ and so on. How very cunning.

It wasn’t long before the exasperated administrator was writing scripts to delete such directories. But there is a twist to this tale. Not only had the file servers been set up (using ‘.rhosts’ etc) to allow privileged commands to be executed by remote machines, for example from the administrator’s own workstation, but also, and unfortunately, the scripts had been written without taking into account that command lines would be modified when they were run remotely.

And how. Quite simply, the command line ‘find –R “. / .” –rm –f’ was translated into ‘find –R . / . –rm –f’ when remotely executed, stripping off the quotes. For you normal people, what that means is that the ‘find’ command would first look for the current directory and delete it; then it would look for the top-level directory and delete that as well; then it would look for the current directory again and try to delete it – but of course it would fail, leaving a string of ‘directory not found’ errors.

You’ll no doubt be pleased to know that the administrator had been taking regular backups, so little information was lost. But this cautionary tale does beg a number of questions. Top of the list is one for administrators worldwide – is there such a thing as too much power?

I know I’m being a party pooper, just as I know there’s all kinds of reasons why you do need super-user access. But isn’t it a bit of a blunt weapon to say either you are treated as a general user with limited access rights, or you get the keys to the electronic city in its entirety?

In this (ahem) hypothetical example, the problem could be said to have been exacerbated by three factors: a lack of training in terms of what the commands would do; inadequate testing when it came to running a pretty high-risk script; and a poorly configured environment which was set up for ease of maintenance, at the expense of risk.

All of these are solvable problems, at least for the future. At least, they would be, if it weren’t for the fact we live in the real world. IT environments can be complex, fragmented and full of historical baggage that doesn’t fit with ideas of ‘doing the right thing’. The result – increased dependency on administrators, both in terms of what they hold in their heads about how things really work, and their reach and ability to fix things wherever they may be going wrong.

In other words, removing rights for administrators may seem like a good idea in principle – but in practice, it would be impossible to implement in many organisations without limiting the ability of administrators to do their jobs. This doesn’t rule out working in a reduced-access mode of course, where administrators log in with minimum access rights for routine work and only use additional privileges when required (eg by using the ‘su’ command in UNIX/Linux). But that wouldn’t have prevented the above scenario.

Perhaps, then, it would be a good idea to be more careful about who we have as administrators in the first place, for example through pre-vetting and subsequent training and certification. Training should be relatively easy to enact – apart from the fact that training budgets are the first things to go when the going gets tough.

And as for vetting – this is more of a human resources issue, in that IT management can’t really be expected to conduct background checks on its staff. It wouldn’t be appropriate even if they knew what they were looking for, and of course, our increased reliance on contractors and external suppliers makes things more complicated still.

Perhaps matters will be taken out of everyone’s hands through the encroaching demands of compliance. Already, the likes of security standards ISO 27001 and PCI DSS require a level of vetting aimed at protecting sensitive data such as customer records. And to be fair, the UK data protection act does have an implicit requirement on staff managing information.

But for reasons already given, not least the complexity of IT today, it is unlikely that regulation will ever be sufficient to guard against examples such as this one. Which means that administrator access privileges look set to remain a thorny topic.

Should privileged access be kept for all but a highly trusted core of administrators, or would this cause the whole of IT to grind to a halt? If you do have any counterpoints, or indeed anecdotes, we’re all ears.


Other stories you might like

  • Venezuelan cardiologist charged with designing and selling ransomware
    If his surgery was as bad as his opsec, this chap has caused a lot of trouble

    The US Attorney’s Office has charged a 55-year-old cardiologist with creating and selling ransomware and profiting from revenue-share agreements with criminals who deployed his product.

    A complaint [PDF] filed on May 16th in the US District Court, Eastern District of New York, alleges that Moises Luis Zagala Gonzalez – aka “Nosophoros,” “Aesculapius” and “Nebuchadnezzar” – created a ransomware builder known as “Thanos”, and ransomware named “Jigsaw v. 2”.

    The self-taught coder and qualified cardiologist advertised the ransomware in dark corners of the web, then licensed it ransomware to crooks for either $500 or $800 a month. He also ran an affiliate network that offered the chance to run Thanos to build custom ransomware, in return for a share of profits.

    Continue reading
  • China reveals its top five sources of online fraud
    'Brushing' tops the list, as quantity of forbidden content continue to rise

    China’s Ministry of Public Security has revealed the five most prevalent types of fraud perpetrated online or by phone.

    The e-commerce scam known as “brushing” topped the list and accounted for around a third of all internet fraud activity in China. Brushing sees victims lured into making payment for goods that may not be delivered, or are only delivered after buyers are asked to perform several other online tasks that may include downloading dodgy apps and/or establishing e-commerce profiles. Victims can find themselves being asked to pay more than the original price for goods, or denied promised rebates.

    Brushing has also seen e-commerce providers send victims small items they never ordered, using profiles victims did not create or control. Dodgy vendors use that tactic to then write themselves glowing product reviews that increase their visibility on marketplace platforms.

    Continue reading
  • Oracle really does owe HPE $3b after Supreme Court snub
    Appeal petition as doomed as the Itanic chips at the heart of decade-long drama

    The US Supreme Court on Monday declined to hear Oracle's appeal to overturn a ruling ordering the IT giant to pay $3 billion in damages for violating a decades-old contract agreement.

    In June 2011, back when HPE had not yet split from HP, the biz sued Oracle for refusing to add Itanium support to its database software. HP alleged Big Red had violated a contract agreement by not doing so, though Oracle claimed it explicitly refused requests to support Intel's Itanium processors at the time.

    A lengthy legal battle ensued. Oracle was ordered to cough up $3 billion in damages in a jury trial, and appealed the decision all the way to the highest judges in America. Now, the Supreme Court has declined its petition.

    Continue reading
  • Infusion of $3.5bn not enough to revive Terra's 'stablecoin'
    Estimated $42bn vanished with collapse of UST, Luna – we explain what all this means

    TerraUSD, a so-called "stablecoin," has seen its value drop from $1 apiece a week ago to about $0.09 on Monday, demonstrating not all that much stability.

    The cryptocurrency token, abbreviated UST, is supposed to be pegged to the price of the US dollar. Hence the "stable" terminology.

    But UST is not a "centralized stablecoin" that's exchangeable for a fiat currency; UST for USD (US dollars). Rather, it's a "decentralized stablecoin," meaning it can be exchanged for Luna (LUNA) tokens, another cryptocurrency tied to the Terra blockchain.

    Continue reading
  • DigitalOcean tries to take sting out of price hike with $4 VM
    Cloud biz says it is reacting to customer mix largely shifting from lone devs to SMBs

    DigitalOcean attempted to lessen the sting of higher prices this week by announcing a cut-rate instance aimed at developers and hobbyists.

    The $4-a-month droplet — what the infrastructure-as-a-service outfit calls its virtual machines — pairs a single virtual CPU with 512 MB of memory, 10 GB of SSD storage, and 500 GB a month in network bandwidth.

    The launch comes as DigitalOcean plans a sweeping price hike across much of its product portfolio, effective July 1. On the low-end, most instances will see pricing increase between $1 and $16 a month, but on the high-end, some products will see increases of as much as $120 in the case of DigitalOceans’ top-tier storage-optimized virtual machines.

    Continue reading
  • GPL legal battle: Vizio told by judge it will have to answer breach-of-contract claims
    Fine-print crucially deemed contractual agreement as well as copyright license in smartTV source-code case

    The Software Freedom Conservancy (SFC) has won a significant legal victory in its ongoing effort to force Vizio to publish the source code of its SmartCast TV software, which is said to contain GPLv2 and LGPLv2.1 copyleft-licensed components.

    SFC sued Vizio, claiming it was in breach of contract by failing to obey the terms of the GPLv2 and LGPLv2.1 licenses that require source code to be made public when certain conditions are met, and sought declaratory relief on behalf of Vizio TV owners. SFC wanted its breach-of-contract arguments to be heard by the Orange County Superior Court in California, though Vizio kicked the matter up to the district court level in central California where it hoped to avoid the contract issue and defend its corner using just federal copyright law.

    On Friday, Federal District Judge Josephine Staton sided with SFC and granted its motion to send its lawsuit back to superior court. To do so, Judge Staton had to decide whether or not the federal Copyright Act preempted the SFC's breach-of-contract allegations; in the end, she decided it didn't.

    Continue reading
  • US brings first-of-its-kind criminal charges of Bitcoin-based sanctions-busting
    Citizen allegedly moved $10m-plus in BTC into banned nation

    US prosecutors have accused an American citizen of illegally funneling more than $10 million in Bitcoin into an economically sanctioned country.

    It's said the resulting criminal charges of sanctions busting through the use of cryptocurrency are the first of their kind to be brought in the US.

    Under the United States' International Emergency Economic Powers Act (IEEA), it is illegal for a citizen or institution within the US to transfer funds, directly or indirectly, to a sanctioned country, such as Iran, Cuba, North Korea, or Russia. If there is evidence the IEEA was willfully violated, a criminal case should follow. If an individual or financial exchange was unwittingly involved in evading sanctions, they may be subject to civil action. 

    Continue reading
  • Meta hires network chip guru from Intel: What does this mean for future silicon?
    Why be a customer when you can develop your own custom semiconductors

    Analysis Here's something that should raise eyebrows in the datacenter world: Facebook parent company Meta has hired a veteran networking chip engineer from Intel to lead silicon design efforts in the internet giant's infrastructure hardware engineering group.

    Jon Dama started as director of silicon in May for Meta's infrastructure hardware group, a role that has him "responsible for several design teams innovating the datacenter for scale," according to his LinkedIn profile. In a blurb, Dama indicated that a team is already in place at Meta, and he hopes to "scale the next several doublings of data processing" with them.

    Though we couldn't confirm it, we think it's likely that Dama is reporting to Alexis Bjorlin, Meta's vice president of infrastructure hardware who previously worked with Dama when she was general manager of Intel's Connectivity group before serving a two-year stint at Broadcom.

    Continue reading

Biting the hand that feeds IT © 1998–2022