Weblog entry #6 for kaerast
Responsibilities of upstream providers
Posted by kaerast on Wed 20 Jun 2007 at 11:02
I take a very dim view of upstream providers logging into my systems without permission. Upstream providers are there to provide upstream support, and should have no reason to log into my system unless I ask them to. Simply questioning the connectivity issues we've been facing the past few hours does not require them to log in to my system locally as root, and what's more they shouldn't even be able to do that - they don't know the root password. If I had the money I'd move from a VPS to a dedicated server.
Still, it's not quite as bad as the time we had the vendors of a commercial database system in the office, and one of their marketing people logged into our server through an unpublished SQL injection vulnerability in order to check database size without first asking permission. Tech support, I could almost have forgiven for this, but marketing people knowing about this vulnerability and blatantly using it in front of me?! That to me is completely unacceptable.
Comments on this Entry
I never touch a co-lo until contact is made via telephone or other means if I'm having an issue with it for whatever reason that may be. I don't even entertain the thought of logging in either as a normal user or as uid0 prior to contacting the co-lo administrator and discussing any issues. If it is such an emergency, firewalling works to stop things from "getting" through the "pipes" vs. logging in as root and playing God.
And if this was in the sense of networking, as I too had thought originally, I'd hand ATT their ass if they ever logged into our edge router without my knowledge, as they are my upstream.
/2cents
Posted by dkg
By "upstream providers" do you mean hosts of a colocation facility, or something like that?
When i think of upstream providers, it's usually in the network sense (i.e. "the network i connect to through which i reach the rest of the 'net"). If it's in this latter sense, they really should not have root access on your machine!
Do you have an agreement with your provider about what sort of interactions they should have with your machines? An Acceptable Use Policy or something like that can cut both ways, sometimes, though your final recourse (canceling service) is probably the same no matter what the AUP.