  1. #11
    Untangle Ninja gotkimchi's Avatar
    Join Date
    Jan 2007
    Location
    Bay Area
    Posts
    2,106

    Default

    Support's viewpoint:
    Depending on the case, we can usually answer 90-95% of the cases without logging into the box.
    If we need to access the box, we can do gotomeeting (typically use this with phone calls).
    If it is an email case, we usually try to resolve the case via email.
    For those other 5-10% of cases, we might need to access the GUI. You can create a temp account for us.

    We are all in agreement. We want to assist/solve your issues in the way that best suits you. If you feel uncomfortable providing the login, we will try some other means. It might take more time and resources, but at the end of the day, it's about you as the customer getting the solution.
    to be understood, you must first understand. :)
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself. If you need Untangle support please call or email support@untangle.com

  2. #12
    Untangle Ninja mrunkel's Avatar
    Join Date
    Jul 2008
    Posts
    3,022

    Default

    Quote Originally Posted by arndawg View Post
    e.g. a MITM attack (for e-mail) and a dishonest worker being able to use it without your company properly logging it.

    Anyways, I've created a user for support and sent them the credentials. I made this thread mainly because this has never happened to me before when contacting support for other products, so I just wanted to make sure I wasn't doing something stupid. You are free not to give a shit about my suggestion, but now it's out there and I think it's a valid point.
    I think you're misunderstanding dmorris's response; it's not that we don't care, it's that we need to service our customers' issues in a timely fashion. We obviously can't be escalating every case to an escalation engineer just to get GUI access.

    1.) We restrict access to the secure support channel simply because of the capability for abuse.
    2.) No matter what system we switched to, a dishonest worker would still be able to exploit it.

    I think it's highly unlikely that someone would go to the effort of intercepting our email just to grab a temporary login to someone else's untangle system.

    As I've said, if you don't feel comfortable in creating a temporary username and password, we are happy to set up a remote support session with you. We do this all the time for customers that don't feel like giving us admin access.

    So, while I don't agree with your concern, I can appreciate it and we have an alternative approach available to you.
    m.
    Big Frickin Disclaimer:
    While I'm pretty sure, I can't guarantee that I know what I'm doing. There might be a better way to do this, and this way might actually suck. Make sure you understand the implications of what you're doing before trying to follow these directions.
    It often helps troubleshooting if you have a good network map. Look here (http://forums.untangle.com/tip-day/5407-how-draw-network-diagram.html) if you want my advice on how to draw one.

  3. #13
    Master Untangler
    Join Date
    Oct 2008
    Posts
    141

    Default

    Okay. I'm quite finished and pleased with your answers, but I still think I need to get my point across.

    1.) We restrict access to the secure support channel simply because of the capability for abuse.
    This is what I don't get? By asking for credentials instead, you're effectively making the opportunity for abuse bigger. How about making your internal process simpler?

    2.) No matter what system we switched to, a dishonest worker would still be able to exploit it.
    Yes. But it would be logged, and easily tracked making the risk of abuse much smaller.

    Using the gotomeeting is good enough for me. However I didn't know that was an option at the time.

    And one last thing:

    I think it's highly unlikely that someone would go to the effort of intercepting our email just to grab a temporary login to someone else's untangle system.
    A temporary login? Once you're in, you're in. Also, likeliness of an attack shouldn't decide if you're going to fix an obvious attack surface or not. Especially when it's so simple to counter. My 2 cents.

    I still think it's bad practice to ask customers for passwords, and that will NEVER change. Also from a social engineering standpoint. Don't teach your users bad habits. Although I don't have that low an expectation of Untangle users, hehe.
    Last edited by arndawg; 09-29-2010 at 11:50 AM.

  4. #14
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,554

    Default

    Well that's just it, the practice of passing around passwords is only a bad habit in the case that you're trying to access a client's personal account.

    In Untangle Support's case, they have NEVER asked me for THE admin login to the box. They have asked for an admin login for the box.

    There is a distinct difference in creating a unique and temporary account for support purposes, propagating the information so it can be used, and removing / disabling the account when the support ticket is closed, and handing over your default admin login.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #15
    Untangle Ninja proactivens's Avatar
    Join Date
    Sep 2008
    Location
    Greensburg, Pa
    Posts
    2,362

    Default

    Here is an idea I think would be a good alternative.

    Set up something like a VNC client on Untangle. On the support tab, have a field where the admin has to enter a key of some sort. The key they enter will tell the VNC client to connect securely (SSL encrypted) to a VNC server at Untangle, which then gets routed to the engineer or support tech who is working the ticket. Once the connection is established, VNC "switches sides" similar to the way gotomeeting does, so the admin becomes the presenter and the support guy becomes the viewer.

    Using this method, Untangle is not opening any security holes because the appliance is establishing the connection through the NAT, not receiving the connection so no holes need punched in the firewall. The admin. has control of when a connection is established and to whom, and the support guys get the access they need without needing the user to create any temporary accounts.

    I've seen such systems before being used for medical application support.
    www.nexgenappliances.com
    Toll Free: 866-794-8879
    UNTANGLE STAR PARTNER
    Follow us at spiceworks!
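
The key-entry step proposed in post #15, sketched from the vendor side as an added example (not part of the original post and not Untangle's support system): a broker issues a single-use, time-limited key per ticket, the appliance presents it on its outbound connection, and every attempt is logged. The class, method names, ticket and appliance IDs are hypothetical, and the tunnel itself (VNC over TLS) is out of scope.

```python
import hashlib
import secrets
import time

class SupportBroker:
    """Hypothetical vendor-side rendezvous: one-time key -> ticket and engineer."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self.pending = {}  # sha256(key) -> (ticket, engineer, expires_at)
        self.audit = []    # append-only record of every issue/redeem attempt

    def _log(self, event, ticket, engineer, appliance=None):
        self.audit.append({"ts": self.clock(), "event": event, "ticket": ticket,
                           "engineer": engineer, "appliance": appliance})

    def issue_key(self, ticket, engineer):
        """Support gives this key to the admin for one ticket only."""
        key = secrets.token_urlsafe(16)
        digest = hashlib.sha256(key.encode()).hexdigest()  # never store the raw key
        self.pending[digest] = (ticket, engineer, self.clock() + self.ttl)
        self._log("issued", ticket, engineer)
        return key

    def redeem(self, key, appliance_id):
        """Called when the appliance dials out and presents the admin-entered key."""
        digest = hashlib.sha256(key.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # pop makes the key single-use
        if entry is None:
            self._log("rejected_unknown_or_reused", None, None, appliance_id)
            return None
        ticket, engineer, expires_at = entry
        if self.clock() > expires_at:
            self._log("rejected_expired", ticket, engineer, appliance_id)
            return None
        self._log("session_opened", ticket, engineer, appliance_id)
        return {"ticket": ticket, "engineer": engineer, "appliance": appliance_id}

def demo():
    """Constructed scenario: one valid session, one replay, one expired key."""
    now = [1000.0]
    broker = SupportBroker(ttl_seconds=900, clock=lambda: now[0])
    key = broker.issue_key("TICKET-0001", "engineer-a")
    first = broker.redeem(key, "appliance-42")
    replay = broker.redeem(key, "appliance-99")  # same key presented again
    stale = broker.issue_key("TICKET-0002", "engineer-b")
    now[0] += 901                                # admin waits past the TTL
    expired = broker.redeem(stale, "appliance-42")
    return first, replay, expired, [e["event"] for e in broker.audit]
```

The audit list ties each opened session to a ticket and a named engineer, which is the logging property argued for earlier in the thread.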

  6. #16
    Untangle Ninja mrunkel's Avatar
    Join Date
    Jul 2008
    Posts
    3,022

    Default

    Or we'll just continue using gotomeeting to support clients.
    m.

  7. #17
    Untangle Ninja proactivens's Avatar
    Join Date
    Sep 2008
    Location
    Greensburg, Pa
    Posts
    2,362

    Default

    Just throwing it out there.

  8. #18
    Master Untangler
    Join Date
    Oct 2008
    Posts
    141

    Default

    Quote Originally Posted by mrunkel View Post
    Or we'll just continue using gotomeeting to support clients.
    The problem is, you're asking for credentials first even if you provide this solution. Your attitude is pretty cavalier. It's like straight out of an IT Crowd episode with Douglas Reynholm.

    sky-knight: you are completely wrong. An admin is AN ADMIN. Once you're in, you're in. I seriously don't understand what you're trying to say. Do you think the danger is in personal information stored in the default admin account? If so, you have disqualified yourself from the discussion, considering this is AN admin account of the MAIN MOFO ROUTER?!

    I didn't read proactivens' post, but I feel what he's trying to say. tbh I'm kind of drunk. But this is EASY. Take logmein reach's example. I think this is what proactivens is getting at. If someone contacts Untangle support, have them enter a token or PIN, and then support can access their GUI or BOX based on an INCOMING connection from the client (support user). How this can meet resistance, I don't know. But okay. Good night, I need to sleep off the beer. Anyways, this is simple logic and I feel I'm meeting resistance just because it equals a lot of work. I'm not saying this is something that's needed NOW, but it's quite IDIOTIC to argue against it. GOOD NIGHT.

  9. #19
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486

    Default

    Thanks for your feedback. We hear you.

    Next time please just ask to use the support system. The implementation is almost identical to the ideas many have proposed in this thread.

  10. #20
    Master Untangler
    Join Date
    Oct 2008
    Posts
    141

    Default

    Quote Originally Posted by dmorris View Post
    Thanks for your feedback. We hear you.

    Next time please just ask to use the support system. The implementation is almost identical to the ideas many have proposed in this thread.
    That's great. Sorry I was a bit harsh in my last post.
