[Operators] Remove old unused accounts?
stpeter at stpeter.im
Thu Dec 10 12:10:09 CST 2009
On 12/9/09 10:20 AM, Jonathan Schleifer wrote:
> Am 09.12.2009 um 16:17 schrieb Michael Grigutsch:
>> I don't see a big problem in this, as the account either was never
>> used or was not in use for over a year.
> Well, I see a big problem with it. A big security problem!
What policy do you enforce at the big public IM service you run?
> Imagine the user has owner status in a MUC. Now that JID gets
> auto-deleted. Someone re-registers that JID, gets owner in the MUC and
> could hijack it. Imagine that user has been gone for years, and nobody
> remembers him. But now someone DOES remember him suddenly, registers
> the JID that user had and takes over the MUC. Same applies for PubSub etc.
People who run MUC rooms need to monitor who the owners are. If I run a
room, I regularly check the owners and admins. And if someone starts to
behave strangely, I change their privileges. And remember that very few
people are owners or admins in MUC rooms in the first place.
That said, there is a minor security concern here. MUC rooms and PubSub
nodes could garbage-collect owners and admins/publishers, just as core
XMPP services do. This is another reason to put such entities in the
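A defender-side check for the concern discussed in this thread, added here and not part of the original post or of any XMPP server's code: it parses a XEP-0045 affiliation list, flags owners and admins whose account is deleted or idle past the expiry window, and builds the admin IQ that revokes them. The room JID, the sample account registry and the 365-day window are constructed assumptions.

```python
# Audit MUC owner/admin affiliations against the account registry and build the revocation IQ.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MUC_ADMIN_NS = "http://jabber.org/protocol/muc#admin"
MAX_IDLE_DAYS = 365  # assumed expiry window; match it to the account-removal policy

# Constructed sample: a XEP-0045 affiliation-list result for one room.
MUC_AFFILIATIONS_XML = f"""<iq type='result' from='room@conference.example.org' id='aff1'>
  <query xmlns='{MUC_ADMIN_NS}'>
    <item affiliation='owner' jid='alice@example.org'/>
    <item affiliation='owner' jid='bob@example.org'/>
    <item affiliation='admin' jid='carol@example.org'/>
    <item affiliation='admin' jid='dave@example.org'/>
  </query>
</iq>"""

# Constructed account registry (JID -> last activity). bob's account has been
# deleted, so it is absent; carol has been idle for two years.
NOW = datetime(2009, 12, 10, tzinfo=timezone.utc)
ACCOUNTS = {
    "alice@example.org": NOW - timedelta(days=3),
    "carol@example.org": NOW - timedelta(days=730),
    "dave@example.org": NOW - timedelta(days=30),
}

def parse_affiliations(xml_text):
    """Return (jid, affiliation) pairs from a muc#admin item list."""
    items = ET.fromstring(xml_text).iter(f"{{{MUC_ADMIN_NS}}}item")
    return [(i.get("jid"), i.get("affiliation")) for i in items]

def stale_affiliations(pairs, accounts, now, max_idle_days=MAX_IDLE_DAYS):
    """Return (jid, affiliation, reason) for entries that should be revoked."""
    flagged = []
    for jid, aff in pairs:
        last = accounts.get(jid)
        if last is None:
            flagged.append((jid, aff, "account deleted"))
        elif now - last > timedelta(days=max_idle_days):
            flagged.append((jid, aff, f"idle {(now - last).days} days"))
    return flagged

def revoke_stanza(room, flagged):
    """Build the XEP-0045 admin IQ that sets each flagged affiliation to 'none'."""
    iq = ET.Element("iq", type="set", to=room, id="revoke1")
    query = ET.SubElement(iq, f"{{{MUC_ADMIN_NS}}}query")
    for jid, _aff, _reason in flagged:
        ET.SubElement(query, f"{{{MUC_ADMIN_NS}}}item", affiliation="none", jid=jid)
    return ET.tostring(iq, encoding="unicode")
```

Run against a live service, the affiliation list comes from the room's `muc#admin` query and the registry from the server's last-activity data; revoking before the account is purged closes the window in which a re-registered JID would inherit the affiliation.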