SPICEWORKS FAIL: Are we ready for ‘social’ network administration?

Yesterday, a security screw-up with the Spiceworks application was noticed, and reported a little earlier by our good selves. Anyone with a Facebook or LinkedIn account could log in to Spiceworks installs running the latest version, and it would create an administrative account for them. This is not OK, not at all. Many …


  2. John G Imrie
    Holmes

    If it's not on your network ...

    Then it's not your data.

    1. lsces

      Re: If it's not on your network ...

      If you don't have your own physical backup of your data, where do you go when a section of the cloud gets fried? I still get regular loss of broadband, so lose backup to the off-site servers, but at least I know where that data is physically and can recover later.

    2. nilfs2
      FAIL

      Re: If it's not on your network ...

      Where do you store your money, under your pillow?

      1. John G Imrie

        Re: If it's not on your network ...

        Where do you store your money, under your pillow?

        I store some of it in my pocket, some is in the bank, and some is invested in stocks and shares.

        However, that's not the point, as there are known checks and balances you can put in place to mitigate the losses, such as not walking down dark alleyways, keeping less money in the bank than the government will cover you for if the bank fails, and not gambling on the stock market more than you are prepared to lose.

        Where do you store your data, and who's covering you when the data centre closes?

        1. lsces

          Re: If it's not on your network ...

          fscs protects our money ... who protects our data?

          1. Doctor Syntax Silver badge

            Re: If it's not on your network ...

            "fscs protects our money ... who protects our data?"

            fsck?

      2. Trevor_Pott Gold badge

        Re: If it's not on your network ...

        "Where do you store your money, under your pillow?"

        RAIDed across multiple banks as tax free savings accounts and RRSPs as well as precious metals in safe deposit boxes so that no one bank failure can take out my retirement. Doesn't everyone?

        1. Naselus

          Re: If it's not on your network ...

          I did have a system where my money was duplicated on an off-site account, but then the FEC had words with me about it. Seems that drawing too close an analogy between money and data is frowned on, for some reason...

        2. nilfs2
          FAIL

          Re: If it's not on your network ...

          Your money is just data in someone else's hands, out of your control.

        3. razorfishsl

          Re: If it's not on your network ...

          No.....

          bitcoins the currency of the future.... (if you are dumb enough to trust it)

  3. Anonymous Coward
    Anonymous Coward

    Hmm allowing access to a web application that knows everything about your network might not be the best idea...

  4. chivo243 Silver badge
    Headmaster

    Just lazy

    Too lazy to create an account with service X so, just use your MyFace or SpaceBook login? Cool, we love your data... gimme gimme gimme slurp slurp

    Even if I had any of these accounts, I would never link them with something like SpiceWorks.

  5. TaabuTheCat

    Why do we act surprised when this happens?

    People want free/cheap, and then complain when the very model that gives them free/cheap comes with decisions made in the best interests of those providing free/cheap. That you would expect anything else is what's surprising.

  6. Anonymous Coward
    Anonymous Coward

    Just saw

    Just saw a slide through a window saying we aren't going to have a datacenter in 3 years.

    Also pretty sure they've found unicorns and are travelling the rainbow highway.

  7. Peter2 Silver badge

    • What is the necessity of integrating any given application with services hosted on the internet?

    Generally very little, but a lot of the things in Spiceworks (e.g. checking warranties, etc.) don't work well if they can't use the net.

    This is a huge security screw-up by Spiceworks, which should have zero impact for paranoid users of it, which to be fair is going to be the majority of its userbase. I mean, who puts total trust in any software package being 100% secure? A few years reading daily horror stories of disasters on El Reg from top-tier suppliers should have put paid to that for even the newest IT bods, let alone the older paranoid cynics amongst us.

    At the end of the day though, unless your firewall rules read:-

    ALLOW INCOMING TRAFFIC FROM *.external to *.internal

    ALLOW OUTGOING TRAFFIC FROM *.internal to *.external

    Then you already looked into what the program wanted to send, decided this was ok and then set rules to allow the program to do it.

    • What must be best practices regarding this sort of implementation, both at a code level and at a systems administration level?

    Maybe it's just me having deep trust issues, but I consider that the outside of my network is an extremely hostile environment that will be hacked mercilessly from the second it's discovered by one of the port scans my firewall shows being run against my network on a near 24/7 basis. On that basis, I assume that *nothing* should be directly available on the internet, apart from port 25. (Which on my network gets a huge number of people connecting and running directory scans for email addresses I accept, to which they then send spam. This keeps the honeypot on my anti-spam system busy collecting IPs, which are then used against the spammers.)

    As far as these applications are available, then I'd say:-

    Available on LAN: Yes.

    Available on VPN: If business requirement.

    Available on WLAN: I don't have one because we don't have a business requirement for it, but if I did then I'd say "if business requirement, and if adequately secured from public access".

    Available on WAN: Hell no.

    • How comfortable are any of us, really, with "hybrid cloud" applications such as Spiceworks?

    Reasonably. I like Spiceworks, but I don't trust it security-wise. Then again, I don't trust anything security-wise enough to leave it open to the WAN. Excepting the firewall, which only accepts SSL VPN logins from things with the right security certificate and connection details, the right user & pass, and authentication via 2FA.

  8. No. Really!?
    FAIL

    Can I have bigger all caps for my WTF please

    Even if the security flaw didn't exist, why would unrelated third-party logins ever be allowed for admin access?? Particularly this kind of admin access???

    There is so much Fail in just the _concept_ of what Spiceworks implemented.

    My opinion of Spiceworks has been quite high, however, as I have reflected on this debacle I realise the greater part of this is the community of knowledgeable, helpful members.
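The pattern the commenter objects to, shown as an added illustration (not Spiceworks code): a social sign-on handler that provisions an administrator for any unknown federated identity, beside a hardened handler that only signs in identities a local administrator linked beforehand and never takes a role from the identity provider. Names and the sample accounts are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    email: str
    role: str                                   # local role, never from the IdP
    linked_ids: set = field(default_factory=set)  # "provider:subject" pairs


class App:
    def __init__(self, users):
        self.users = {u.email: u for u in users}

    def vulnerable_social_login(self, provider, subject, email):
        # Flawed pattern: an unrecognised federated identity is auto-provisioned
        # as a brand-new admin, so anyone with a social account becomes root.
        user = self.users.get(email)
        if user is None:
            user = User(email, "admin")
            self.users[email] = user
        user.linked_ids.add(f"{provider}:{subject}")
        return user

    def link_identity(self, current_user, provider, subject):
        # Linking happens only from an already-authenticated local session,
        # so the social identity can never bootstrap an account by itself.
        if current_user.email not in self.users:
            raise PermissionError("must be signed in locally to link an identity")
        current_user.linked_ids.add(f"{provider}:{subject}")

    def hardened_social_login(self, provider, subject, email):
        # Sign in only identities previously linked; no account creation, and
        # the e-mail claim from the IdP is ignored as a lookup key.
        ident = f"{provider}:{subject}"
        for user in self.users.values():
            if ident in user.linked_ids:
                return user
        return None   # unknown identity: reject, log, do not provision


def demo():
    # Constructed sample: one pre-existing local admin in each install.
    weak = App([User("admin@example.test", "admin", {"google:1"})])
    strong = App([User("admin@example.test", "admin", {"google:1"})])
    strong.link_identity(strong.users["admin@example.test"], "linkedin", "42")
    stranger = weak.vulnerable_social_login("facebook", "999", "stranger@example.test")
    rejected = strong.hardened_social_login("facebook", "999", "stranger@example.test")
    linked = strong.hardened_social_login("linkedin", "42", "whatever@example.test")
    return stranger.role, rejected, linked.email
```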

  9. Anonymous Coward
    Anonymous Coward

    An administrator accepts that they could potentially pour a lot of time into customising the application, the plug-ins and add-ons. Years of work can go into such a management framework.

    What if it has to be ready by next Friday because "It ain't that much work, now, innit?"

  10. Anonymous Coward
    Anonymous Coward

    Spiceworks is news?

    Wow. I didn't think anyone over the age of 12 used Spiceworks.

    1. InfiniteApathy
      Thumb Down

      Re: Spiceworks is news?

      >Wow. I didn't think anyone over the age of 12 used Spiceworks.

      You would be incorrect.

  11. Robert Helpmann??
    Childcatcher

    A Very Serious Discussion

    The issue at hand, however, is so grievous that it should be triggering a very serious discussion amongst developers and systems administrators alike about the entire concept of social sign-on.

    OK, here's how I think the discussion should go:

    "Why don't we entrust the ability to access everything we control to a third party, such as FaceBook?"

    "What?! Are you stupid or just plain nuts? No!"

    "Look, I know that on the face of it, it might not sound like a good.."

    "DIE!"

    "No! Argh! no.. please stop..." gurgle

    And we should never have to have this discussion again.

    Note: I don't advocate violence of this nature, but this situation makes me think about it... out loud... Perhaps we could throw some canned vegetables at the situation?

    1. Peter2 Silver badge

      Re: A Very Serious Discussion

      Hmm. I do find the Roman solution to this sort of problem attractive. Once upon a time they had a serious problem with structures (bridges etc.) collapsing when the supports used in their construction were removed.

      They made the architects stand under the bits they were removing the supports from. There was a brief adjustment period, followed by construction being performed to such a standard that two thousand years later many of the buildings and bridges are still standing.

      You can't argue with the results! (I'm not sure how you could apply this to IT Development though)

  12. Tweets

    Well, it looks like Spiceworks are being very transparent about this matter...

    http://community.spiceworks.com/topic/1027590-desktop-social-signup-security-vulnerability

    1. Trevor_Pott Gold badge

      After the news article went up and the original thread filled with a few other upset folks, yes. The real issue, however, is that this wasn't broadcast immediately via e-mail. Lastpass suffers a breach and I know about it via e-mail before it's made known to the press.

      In the case of the Spiceworks breach, I was informed, then went to bed, woke up, had breakfast, coffee and then wrote the article. And there still was no e-mail from Spiceworks by this point!

      I did not jump down Spiceworks' throat on this immediately. I'm sure my editors would have preferred it, but I had been up for 32 consecutive hours and couldn't write a thing without at least 8 hours sleep.

      Spiceworks had been given time to do the right thing and to come up with a proper response. They failed. Miserably.

      That Spiceworks chose to be a little more transparent after the issue was published and then broadcast over every social media channel available is closing the barn door after the horse frelled off, nothing more.

  13. SnowCrash

    Our Spiceworks server has been permanently switched off now.

  14. razorfishsl

    Seriously,

    if you consider that this guy had not been honest and reported it to Spiceworks, things could have taken a whole different turn.
