User 'Cameras' with no password: do you have one?

[devastator]

Mmmm, this is serious !
Don't have it on my system, also using the BI remote app.

 

[MartyO]

If you mean admin then see this release note

• Admin console sessions and anonymous-admin remote sessions now have their own automatically created Options/Users account "admin". For security, it will not be possible to login with this account remotely unless you assign it a password (or had a pre-existing admin account with a password). This will aid in the future development of per-user statistics and counters.​

Any other use must have been created by someone.

Please tell ken to eliminate this automatic create admin.

 

[fenderman]

Please tell ken to eliminate this automatic create admin.

Why? It is there to add future functionality, it causes no harm or security risk.

 

[technet]

Not related with reported issue. But this automatically created user could had set as default the property "LAN Only" or another one clarifying its purpose and limitations.

Please tell ken to eliminate this automatic create admin.

If someone else founds "cameras" user please report here system and version.

 

[MartyO]

Why? It is there to add future functionality, it causes no harm or security risk.

Very simple: Obviously Ken changes code, features improvements ect ect. Anyone, yes anyone who is trying make use of some/all the features more then likely has a port open to the world or dMZed a router off of a router to the world. All should be protect with firewall and anti ect. BUT BUT BUT we give BI exclusions/exceptions ect ect.

So when he changes login proticals (for really more than likely a feature I or most folks don't need) he is opening up a bag of worms because he can't make a mistake in code writing, why. Cause he doesn't have a team to check out if he screwed up security to all the BI users how have given BI exclusions/exemption ect.

I have programed on a team before, even the best ones (definitely not me) make mistakes, when changes are made other team members test and retest before release. Actually its much better to have someone else test it cause when you write the code you become unintentionally biased as to what code is doing.

I hope he keeps the login simple, when I remove a user it should stay removed. So far when I remove admin user , it comes back when BI restarts. When I remove cameras user, it comes back with update.

 

[MartyO]

So if this code is not working right now, how do I know there is no harm or security risk, obvious he made a mistake in the code on the users aspect.

 

[MartyO]

I think BI has plenty of features, security on this camera security software should be simple, tight and then left alone.

 

[technet]

Very simple: Obviously Ken changes code, features improvements ect ect. Anyone, yes anyone who is trying make use of some/all the features more then likely has a port open to the world or dMZed a router off of a router to the world. All should be protect with firewall and anti ect. BUT BUT BUT we give BI exclusions/exceptions ect ect.

So when he changes login proticals (for really more than likely a feature I or most folks don't need) he is opening up a bag of worms because he can't make a mistake in code writing, why. Cause he doesn't have a team to check out if he screwed up security to all the BI users how have given BI exclusions/exemption ect.

I have programed on a team before, even the best ones (definitely not me) make mistakes, when changes are made other team members test and retest before release. Actually its much better to have someone else test it cause when you write the code you become unintentionally biased as to what code is doing.

I hope he keeps the login simple, when I remove a user it should stay removed. So far when I remove admin user , it comes back when BI restarts. When I remove cameras user, it comes back with update.

I agree. And I found that "cameras" user comes back even without an update. To be honest I've noticed this weeks back, and just now I've had the time to check it properly.

 

[fenderman]

So if this code is not working right now, how do I know there is no harm or security risk, obvious he made a mistake in the code on the users aspect.

it is working..I have no issues on any of my machines. You are making an assumption based on ONE users experience - and that users is NOT having an issue with the admin account. You can choose not to install updates and only do so after several months....thats the beauty of blue iris, BOTH options are available to end users.

 

[technet]

it is working..I have no issues on any of my machines. You are making an assumption based on ONE users experience - and that users is NOT having an issue with the admin account. You can choose not to install updates and only do so after several months....thats the beauty of blue iris, BOTH options are available to end users.

Disagree, not one user experience only and he's saying some truths based on his previous activities as a programmer himself. If the application isn't tested extensively before release, it's the end users that are doing this at production environment, which doesn't seem reasonable.

If you miss an auto update, you could be missing a security fix. And even if auto updates are disabled, one day you'll update: what could assure us that this late update was the best option? Will you take the time to test it or this is a part of the developer's work? I don't feel qualified for the job.

This issue is serious and reveals more than it seems.

 

[fenderman]

Disagree, not one user experience only and he's saying some truths based on his previous activities as a programmer himself. If the application isn't tested extensively before release, it's the end users that are doing this at production environment, which doesn't seem reasonable.

If you miss an auto update, you could be missing a security fix. And even if auto updates are disabled, one day you'll update: what could assure us that this late update was the best option? Will you take the time to test it or this is a part of the developer's work? I don't feel qualified for the job.

This issue is serious and reveals more than it seems.

There has only been ONE report of this issue. I have not seen anyone else report this problem, have you?
I would much rather have an update twice a month rather than wait 6 months for a tested update...When there is a security update its listed in the release notes..which are posted here. It is not serious at all. If you want software that releases updates once a year or less, check out the competition. IF you are really paranoid and for maximum security simply setup a vpn, problem solved.

 

[MartyO]

I don't mind updates but my advice is leave the user section alone, it used to work fine.

OK Fenderman, remove admin, and close program, then relaunch program from desktop, admin is not removed. But wait, it showed it was remove, so is this a security program or baby cam program, admin isn't working right.

 

[MartyO]

Disagree, not one user experience only and he's saying some truths based on his previous activities as a programmer himself. If the application isn't tested extensively before release, it's the end users that are doing this at production environment, which doesn't seem reasonable.

If you miss an auto update, you could be missing a security fix. And even if auto updates are disabled, one day you'll update: what could assure us that this late update was the best option? Will you take the time to test it or this is a part of the developer's work? I don't feel qualified for the job.

This issue is serious and reveals more than it seems.

Thanks for the heads up, and starting thread, it will be interesting watching fendermen defend this obvious issue.

 

[fenderman]

I don't mind updates but my advice is leave the user section alone, it used to work fine.

OK Fenderman, remove admin, and close program, then relaunch program from desktop, admin is not removed. But wait, it showed it was remove, so is this a security program or baby cam program, admin isn't working right.

That is EXACTLY the way it was intended to work. He explains it in the release notes. There is nothing to defend. Its operating properly. Simply create a strong password and only allow access via lan...I dont see the problem here. Again, if you are paranoid, then use vpn. There is no more security risk here than the current account you are using to access the webserver.

 

[MartyO]

That is EXACTLY the way it was intended to work. He explains it in the release notes. There is nothing to defend. Its operating properly. Simply create a strong password and only allow access via lan...I dont see the problem here. Again, if you are paranoid, then use vpn. There is no more security risk here than the current account you are using to access the webserver.

We don't know the risks, all the sudden a cameras user is appearing in the list, but not for everyone. After removing, it will reappear with update, why, is this mentioned in release notes?

 

[fenderman]

We don't know the risks, all the sudden a cameras user is appearing in the list, but not for everyone. After removing, it will reappear with update, why, is this mentioned in release notes?

Are you saying that you get the camera user or admin? I have not seen anyone other than the op report this issue.

 

[MartyO]

Is the remove function in the user tab working properly, yes or no?

 

[fenderman]

Is the remove function in the user tab working properly, yes or no?

So i take it the answer is no, you dont get the cameras user, you get the admin user which is the design. Yes, its working as designed. When you delete the admin its designed to ADD it back. If you want to disable it, all you need to do is uncheck it.

 

[bp2008]

Hello everyone,

I've seen that in some Blue Iris installations we can find a user 'cameras' with no password and it has unlimited remote access.

What is that exactly? We've disabled it here, of course.

:nuts:

I just tried connecting to my "supposedly secure" Blue Iris remotely, using "cameras" as a user name with no password, and indeed it let me in.

I confirm this is real.

I am on 4.1.7, Windows 10 x64.

 

[fenderman]

:nuts:

I just tried connecting to my "supposedly secure" Blue Iris remotely, using "cameras" as a user name with no password, and indeed it let me in.

I confirm this is real.

I am on 4.1.7, Windows 10 x64.

Are you saying that the cameras user name was automatically generated by blue iris?