Weblog entry #6 for kaerast

See all weblog entries made by kaerast.

XML logo

#6
Responsibilities of upstream providers
Posted by kaerast on Wed 20 Jun 2007 at 11:02
Tags: none.
I take a very dim view of upstream providers logging into my systems without permission. Upstream providers are there to provide upstream support, and should have no reason to log into my system unless I ask them to. Simply questioning the connectivity issues we've been facing the past few hours does not require them to log in to my system locally as root, and what's more they shouldn't even be able to do that - they don't know the root password. If I had the money I'd move from a VPS to a dedicated server.

Still, it's not quite as bad as the time we had the vendors of a commercial database system in the office, and one of their marketing people logged into our server through an unpublished SQL injection vulnerability in order to check database size without first asking permission. Tech support, I could almost have forgiven for this, but marketing people knowing about this vulnerability and blatantly using it in front of me?! That to me is completely unacceptable.
[ 2 Comments | Add Comment | XML logo ]
<<< Previous Next >>>

 

Comments on this Entry

#1
Re: Responsibilities of upstream providers
Posted by dkg (216.254.xx.xx) on Wed 20 Jun 2007 at 16:35
[ Send Message | View dkg's Scratchpad | View Weblogs ]
Ugh. Unauthorized root access is really not OK. Would you mind mentioning who this was? I wouldn't want to do business with a company who behaves this way without prior arrangements.

By "upstream providers" do you mean hosts of a colocation facility, or something like that?

When i think of upstream providers, it's usually in the network sense (i.e. "the network i connect to through which i reach the rest of the 'net"). If it's in this latter sense, they really should not have root access on your machine!

Do you have an agreement with your provider about what sort of interactions they should have with your machines? An Acceptable Use Policy or something like that can cut both ways, sometimes, though your final recourse (canceling service) is probably the same no matter what the AUP.

[ Parent | Reply to this comment ]

#2
Re: Responsibilities of upstream providers
Posted by rkreider (12.156.xx.xx) on Thu 21 Jun 2007 at 00:07
[ Send Message | View Weblogs ]
I never touch a co-lo until contact is made via telephone or other means if I'm having an issue with it for whatever reason that may be. I don't even entertain the thought of logging in either as a normal user or as uid0 prior to contacting the co-lo administrator and discussing any issues. If it is such an emergency, firewalling works to stop things from "getting" through the "pipes" vs. logging in as root and playing God.


And if this was in the sense of networking, as I too had thought originally, I'd hand ATT their ass if they ever logged into our edge router without my knowledge, as they are my upstream.

/2cents

[ Parent | Reply to this comment ]

User Login

Username:

Password:

[ Advanced Login ]

Register Account

Quick Site Search