User 'Cameras' with no password: do you have one?

Mmmm, this is serious!
Don't have it on my system, also using the BI remote app.
 
If you mean admin then see this release note

  • Admin console sessions and anonymous-admin remote sessions now have their own automatically created Options/Users account "admin". For security, it will not be possible to login with this account remotely unless you assign it a password (or had a pre-existing admin account with a password). This will aid in the future development of per-user statistics and counters.
Any other user must have been created by someone.

Please tell Ken to eliminate this automatically created admin.
 
Not related to the reported issue. But this automatically created user could have had the property "LAN Only" set as default, or another one clarifying its purpose and limitations.

Please tell Ken to eliminate this automatically created admin.

If someone else finds the "cameras" user, please report your system and version here.
 
Why? It is there to add future functionality, it causes no harm or security risk.

Very simple: Obviously Ken changes code, features, improvements etc. etc. Anyone, yes anyone, who is trying to make use of some/all of the features more than likely has a port open to the world or DMZed a router off of a router to the world. All should be protected with firewall and anti etc. BUT BUT BUT we give BI exclusions/exceptions etc. etc.

So when he changes login protocols (for really more than likely a feature I or most folks don't need) he is opening up a bag of worms because he can't make a mistake in code writing. Why? 'Cause he doesn't have a team to check out if he screwed up security to all the BI users who have given BI exclusions/exemptions etc.

I have programmed on a team before. Even the best ones (definitely not me) make mistakes; when changes are made, other team members test and retest before release. Actually it's much better to have someone else test it, 'cause when you write the code you become unintentionally biased as to what the code is doing.

I hope he keeps the login simple; when I remove a user it should stay removed. So far when I remove the admin user, it comes back when BI restarts. When I remove the cameras user, it comes back with an update.
 
So if this code is not working right now, how do I know there is no harm or security risk? Obviously he made a mistake in the code on the users aspect.
 
I think BI has plenty of features, security on this camera security software should be simple, tight and then left alone.
 
I agree. And I found that the "cameras" user comes back even without an update. To be honest I noticed this weeks back, and just now I've had the time to check it properly.
 
It is working... I have no issues on any of my machines. You are making an assumption based on ONE user's experience - and that user is NOT having an issue with the admin account. You can choose not to install updates and only do so after several months... that's the beauty of Blue Iris, BOTH options are available to end users.
 
Disagree, not one user's experience only, and he's saying some truths based on his previous activities as a programmer himself. If the application isn't tested extensively before release, it's the end users that are doing this in a production environment, which doesn't seem reasonable.

If you miss an auto update, you could be missing a security fix. And even if auto updates are disabled, one day you'll update: what could assure us that this late update was the best option? Will you take the time to test it, or is this a part of the developer's work? I don't feel qualified for the job.

This issue is serious and reveals more than it seems.
 
There has only been ONE report of this issue. I have not seen anyone else report this problem, have you?
I would much rather have an update twice a month rather than wait 6 months for a tested update... When there is a security update it's listed in the release notes, which are posted here. It is not serious at all. If you want software that releases updates once a year or less, check out the competition. If you are really paranoid and for maximum security simply set up a VPN, problem solved.
 
I don't mind updates but my advice is leave the user section alone, it used to work fine.

OK Fenderman, remove admin, and close program, then relaunch program from desktop, admin is not removed. But wait, it showed it was removed, so is this a security program or baby cam program? Admin isn't working right.
 
Thanks for the heads up, and for starting the thread, it will be interesting watching Fenderman defend this obvious issue.
 
That is EXACTLY the way it was intended to work. He explains it in the release notes. There is nothing to defend. It's operating properly. Simply create a strong password and only allow access via LAN... I don't see the problem here. Again, if you are paranoid, then use VPN. There is no more security risk here than the current account you are using to access the webserver.
 
We don't know the risks. All of a sudden a cameras user is appearing in the list, but not for everyone. After removing, it will reappear with an update. Why? Is this mentioned in the release notes?
 
Are you saying that you get the cameras user or admin? I have not seen anyone other than the OP report this issue.
 
Is the remove function in the user tab working properly, yes or no?
So I take it the answer is no, you don't get the cameras user, you get the admin user, which is the design. Yes, it's working as designed. When you delete the admin it's designed to ADD it back. If you want to disable it, all you need to do is uncheck it.
 
Hello everyone,

I've seen that in some Blue Iris installations we can find a user 'cameras' with no password and it has unlimited remote access.

What is that exactly? We've disabled it here, of course.

:nuts:

I just tried connecting to my "supposedly secure" Blue Iris remotely, using "cameras" as a user name with no password, and indeed it let me in.

I confirm this is real.

I am on 4.1.7, Windows 10 x64.
 
Are you saying that the cameras user name was automatically generated by Blue Iris?