> Readable backups?
webmaster128
post Feb 3 2010, 06:27 AM
Post #1


Newbie


Group: Members
Posts: 4
Joined: 28-January 10
Member No.: 10,152



Hi all,

In my opinion, software that I BUY and install must be secure "out of the box".

So I think it is irresponsible that all people out there can download my backups including usernames and unsalted passwords by just opening http://myhost.com/backups/tng_users.bak.

Even renaming these folders does not enhance security at all. That's security through obscurity.

Please don't tell me that there is a warning somewhere in some README file.

There are at least 2 ways of fixing that issue.
(1) include a .htaccess file containing "Deny from all"
(2) saving backups with .php extension and adding <?php die(); ?> in the first line.

Best regards,

webmaster128
arnold
post Feb 3 2010, 08:12 AM
Post #2


Advanced Member


Group: Members
Posts: 1,102
Joined: 23-August 05
From: Greeley, Colorado, USA
Member No.: 595



QUOTE
Even renaming these folders does not enhance security at all. That's security through obscurity.
webmaster128,

I rename the TNG directories/folders which contain valuable information. For example, the backups directory/folder can be renamed to
1Z618wspOebACkuPs
BAckUPS1Z618wspOe
BACd1Z618wspOekups

I felt safe doing this for years and have not questioned what I have done until your post.

Please help me understand why a strong directory/folder name which includes a set of characters, such as 1Z618wspOe, would not provide all the security we need. I suspect that 1Z618wspOe, for example, is far stronger than most of the passwords we use to log into our TNG websites.

Thanks,

Arnold
webmaster128
post Feb 3 2010, 11:56 AM
Post #3


Newbie


Group: Members
Posts: 4
Joined: 28-January 10
Member No.: 10,152



It is not the length of the "secret" itself.

But what you do is the same as hiding your house somewhere in the Antarctic instead of locking the door. Well, no one finds it there, but you have to tell the postman, your friends and your mum: "keep the position secret". And then Google Maps comes and finds you because they think that the house position is not secret information.

You have the same problem when you use URLs instead of passwords. A URL is not secret by definition. Server logs, proxies, counters, browser history and browser cache store URLs. For passwords we have several mechanisms to hide them. We have stars when entering them, programs that remove them if you have them in your URL (http://user:passwort@host.com/ changes to http://host.com/ in Firefox) and keyrings in Linux to store them securely. And a (friendly) proxy server would never store HTTP passwords.

Another point is that in my opinion a user should be able to install software without complete knowledge of how it works. Standard settings must be secure. When I install a program on Windows I don't want to change program code or rename folders to hide my data.



theKiwi
post Feb 3 2010, 12:35 PM
Post #4


Advanced Member


Group: Administrators
Posts: 1,802
Joined: 20-February 03
From: Caledonia, Michigan, USA
Member No.: 67



The Readme.html/Install process for TNG has this paragraph at the top of the page about Folders

QUOTE
Now you will need to create a few additional subfolders inside the genealogy folder on your remote site. The names listed below are only suggested, as you can select whatever names you want. In fact, it is HIGHLY RECOMMENDED that you name your backups and gedcom folders something else besides "backups" and "gedcom" to protect your data from others who may know the TNG folder structure.



No, it's not as secure as you're suggesting, but it is telling people to implement the system that Arnold described right there at the top of the page.

Roger
bsl20b50
post Feb 3 2010, 01:00 PM
Post #5


Advanced Member


Group: Members
Posts: 230
Joined: 21-July 08
Member No.: 9,213



QUOTE(webmaster128 @ Feb 3 2010, 10:56 AM) *

It is not the length of the "secret" itself.

But what you do is the same as hiding your house somewhere in the Antarctic instead of locking the door. Well, no one finds it there, but you have to tell the postman, your friends and your mum: "keep the position secret". And then Google Maps comes and finds you because they think that the house position is not secret information.

You have the same problem when you use URLs instead of passwords. A URL is not secret by definition. Server logs, proxies, counters, browser history and browser cache store URLs. For passwords we have several mechanisms to hide them. We have stars when entering them, programs that remove them if you have them in your URL (http://user:passwort@host.com/ changes to http://host.com/ in Firefox) and keyrings in Linux to store them securely. And a (friendly) proxy server would never store HTTP passwords.

Another point is that in my opinion a user should be able to install software without complete knowledge of how it works. Standard settings must be secure. When I install a program on Windows I don't want to change program code or rename folders to hide my data.

Most users of TNG are 'small time' website operators using a relatively 'small time' tool. TNG was not written by a team of software engineers at Microsoft or Google. It was written by one person, Darrin Lythgoe, with TNG users contributing to its further development.

Using your analogy, my house is small and resides in a small rural town. When I bought this house, it came with basic instructions, but when something breaks, I just have to figure out how to fix it; often I ask a neighbor for help or I help a neighbor in need. I have a few visitors, some of them strangers, but in my small town we leave our doors unlocked and trust each other to some extent. Some of my more important things are hidden in a box in a closet that is hidden from general view. If someone broke into my house and they REALLY wanted to steal or damage my important files they could, with some effort. I have copies of everything in those boxes stored in a locked storage facility somewhere else, so after I discovered a break in I would have some hassle but the damage would be small in the long run. The files stolen would be of little value to the intruder because most of the information could be found somewhere else as public information.

Someday, if I become wealthy and move to Manhattan, I will take greater steps to secure my valuables.


I don't really live in a small town, but the analogy above describes our small town of TNG and the situation we are in. We do live with some level of risk, but most of us are aware of that risk and tolerate it.
webmaster128
post Feb 3 2010, 01:30 PM
Post #6


Newbie


Group: Members
Posts: 4
Joined: 28-January 10
Member No.: 10,152



Okay guys, it seems as if you are happy with the status quo and have no intention to improve the software.

Sorry for stealing your time.
bsl20b50
post Feb 3 2010, 01:56 PM
Post #7


Advanced Member


Group: Members
Posts: 230
Joined: 21-July 08
Member No.: 9,213



QUOTE(webmaster128 @ Feb 3 2010, 12:30 PM) *

Okay guys, it seems as if you are happy with the status quo and have no intention to improve the software.

Sorry for stealing your time.

If you have some good programming skills or ideas for implementing better security, I think it would be a valued contribution. Personally, I don't have the skills to do that yet.
svoght
post Feb 3 2010, 02:03 PM
Post #8


Advanced Member


Group: Members
Posts: 275
Joined: 8-September 08
From: Washington State, USA
Member No.: 9,319



QUOTE(webmaster128 @ Feb 3 2010, 11:30 AM) *

Okay guys, it seems as if you are happy with the status quo and have no intention to improve the software.

Sorry for stealing your time.


I think you misread the response. Your initial post was somewhat inflammatory regarding the quality of TNG, and people tend to get defensive about products they like, and now you're getting huffy because they got huffy at your initial comment.

I agree that there could certainly be some improvements to the way TNG handles backup files, and would encourage you to contact Darrin directly to suggest this to him (it's my understanding that he rarely reads the forums, so he might otherwise never hear this suggestion.)

That said, generally speaking a similar security concern is true of the gedcom folder, and that's why the installation readme script explicitly suggests obscuring those folder names by picking something other than the default.

Yes, that's simply security through obscurity, but at the same time I also wouldn't keep my backups on the server just as I always delete my GEDCOM files immediately after I've imported them into my database for privacy reasons, not just because there are TNG login passwords there. That's simply good administrative practice for anyone running a website, and it falls into the same category of basic maintenance as maintaining the most updated versions of any software that's being used on your website.
arnold
post Feb 3 2010, 02:08 PM
Post #9


Advanced Member


Group: Members
Posts: 1,102
Joined: 23-August 05
From: Greeley, Colorado, USA
Member No.: 595



QUOTE(webmaster128 @ Feb 3 2010, 02:30 PM) *

Okay guys, it seems as if you are happy with the status quo and have no intention to improve the software.
Sorry for stealing your time.

This is really not a fair assessment and is why we try so hard to respond gently to a newbie.

Yes, we are happy with the status quo. Most of the time. There have been occasions when we wanted to make improvements and brought them up here. Some are implemented and some are not. My batting average is better than yours, as you are now 0-1, but I am certainly not doing much better.

And no, we are not coming down on you like a ton of bricks. It may feel like it, but we aren't. Each person explained his/her rationale. There were no flames or attacks.

I would suggest that you hang around here longer and bring this topic back up later on if you still disagree with our position or go directly to Darrin now.

Arnold
mFenger
post Feb 3 2010, 03:12 PM
Post #10


Advanced Member


Group: Members
Posts: 55
Joined: 16-February 07
From: Brisbane, Queensland, Australia
Member No.: 2,294



I agree, this is scary - I just went in and had a look at

http://mysite.org/backups/tng_users.bak

- there is all the information I have about the users of the website. I'm sure that if someone is clever enough, that someone could change the user rights and restore new data to the database... or what?

Cheers,
Mogens
Ken Roy
post Feb 3 2010, 03:15 PM
Post #11


Advanced Member


Group: Members
Posts: 1,999
Joined: 12-October 05
From: Plano, TX
Member No.: 645



QUOTE(webmaster128 @ Feb 3 2010, 06:27 AM) *

Hi all,

In my opinion, software that I BUY and install must be secure "out of the box".

So I think it is irresponsible that all people out there can download my backups including usernames and unsalted passwords by just opening http://myhost.com/backups/tng_users.bak.

Even renaming these folders does not enhance security at all. That's security through obscurity.

Please don't tell me that there is a warning somewhere in some README file.

There are at least 2 ways of fixing that issue.
(1) include a .htaccess file containing "Deny from all"
(2) saving backups with .php extension and adding <?php die(); ?> in the first line.

Best regards,

webmaster128

webmaster128,

If you have unsalted passwords in your backups, you should take a look at the following TNG Forum post for a solution provided by another user, assuming that unsalted means unencrypted.

Telling other TNG users to include an .htaccess file containing "Deny from all" does not give most of us sufficient information on how to implement this type of protection. Specific instructions should be included on how to create the .htaccess file or how to create it using the Control Panel. Better yet, a TNG Wiki article in the Category:Security on the topic might help others to protect their data.
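Added example, not part of any post above and not TNG's own code: the .htaccess fix from post #1 and the request for specifics in post #11 both come down to checking that a deny rule actually covers the backup files. This Python script audits a web root for that, accepting both the Apache 2.2 form ("Deny from all") and the Apache 2.4 form ("Require all denied"); the extension list, function names and the sample tree are assumptions made for the illustration.

```python
"""Audit a web root for backup files that no .htaccess deny rule covers."""
import os
import re
import tempfile

# Sensitive extensions are an assumption; .bak is the one named in the thread.
SENSITIVE_EXT = {".bak", ".sql", ".ged"}
# Apache 2.2 syntax ("Deny from all") and Apache 2.4 syntax ("Require all denied").
DENY_RULE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$",
                       re.IGNORECASE | re.MULTILINE)

def has_deny_rule(directory):
    """True if directory/.htaccess has a deny-all directive line (comments ignored)."""
    try:
        with open(os.path.join(directory, ".htaccess"), errors="replace") as fh:
            return bool(DENY_RULE.search(fh.read()))
    except OSError:
        return False

def is_covered(directory, docroot):
    """.htaccess rules apply to subdirectories, so check every ancestor up to docroot."""
    docroot, current = os.path.abspath(docroot), os.path.abspath(directory)
    while True:
        if has_deny_rule(current):
            return True
        if current == docroot or os.path.dirname(current) == current:
            return False
        current = os.path.dirname(current)

def exposed_files(docroot):
    """Return sorted relative paths of sensitive files not covered by a deny rule."""
    found = []
    for dirpath, _dirs, files in os.walk(docroot):
        hits = [f for f in files if os.path.splitext(f)[1].lower() in SENSITIVE_EXT]
        if hits and not is_covered(dirpath, docroot):
            found += [os.path.relpath(os.path.join(dirpath, f), docroot) for f in hits]
    return sorted(found)

def demo():
    """Constructed tree: a renamed but unprotected folder and a protected one."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("BAckUPS1Z618wspOe", "backups"):
            os.makedirs(os.path.join(root, name))
            open(os.path.join(root, name, "tng_users.bak"), "w").close()
        with open(os.path.join(root, "backups", ".htaccess"), "w") as fh:
            fh.write("Deny from all\n")
        return exposed_files(root)

if __name__ == "__main__":
    print(demo())
```

Apache only honours .htaccess where the server's AllowOverride setting permits it, so after adding the file, request the backup URL and confirm it returns 403.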
webmaster128
post Feb 3 2010, 04:09 PM
Post #12


Newbie


Group: Members
Posts: 4
Joined: 28-January 10
Member No.: 10,152



QUOTE(mFenger @ Feb 3 2010, 10:12 PM) *
- there is all the information I have about the users of the website. I'm sure that if someone is clever enough, that someone could change the user rights and restore new data to the database... or what?

Not directly because the data is only readable.

But in a second step an attacker reads the admin's password hash. Let's say 5721c634b6c516e6b87417f1ca775be5. Then he submits this hash to a rainbow table http://passcracking.com/ or to Google http://www.google.de/search?q=5721c634b6c5...87417f1ca775be5 and gets the original password "James123". This is possible because the same password always gives the same hash, so they can be tabulated.

It is not that easy if you have stronger passwords, but possible.

I think the md5-passwords are not the main problem. The backups including the hashes should not be readable.

@arnold you can have your point. I don't want to argue with you. I did not offend anyone. I just pointed out a software issue and delivered solutions for how to fix it.
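Added example, not part of the post above and not TNG's own code: it shows the property post #12 describes, that an unsalted MD5 value depends on the password alone and can therefore be tabulated, next to a per-user salted hash from a slow key-derivation function, where two users with the same password get different stored values. The iteration count, function names and sample password are assumptions.

```python
"""Unsalted MD5 versus per-user salted PBKDF2 for stored passwords."""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example

def md5_unsalted(password):
    """The scheme discussed in the thread: the hash depends on the password only."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password, salt=None):
    """Return (salt, derived key); a fresh random salt is drawn per user."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key

def verify_password(password, salt, expected_key):
    """Recompute with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected_key)

def compare_schemes(password):
    """Two users choose the same password; report whether the stored values collide."""
    md5_a, md5_b = md5_unsalted(password), md5_unsalted(password)
    salt_a, key_a = hash_password(password)
    salt_b, key_b = hash_password(password)
    return {
        "md5_identical": md5_a == md5_b,
        "salted_identical": key_a == key_b,
        "verifies": verify_password(password, salt_a, key_a),
        "wrong_password_rejected": not verify_password(password + "x", salt_b, key_b),
    }

if __name__ == "__main__":
    # Constructed sample password, not taken from the thread.
    print(compare_schemes("constructed-sample-password"))
```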
