Avid Pro Audio Community


JFreak 04-09-2019 12:51 PM

Re: Avid DUC not secure?
 
Quote:

Originally Posted by andrej770 (Post 2521637)
Someone explain what you are asking to be protected here?

Someone somewhere wrote that most users are idiots and are likely using the same password here and there, so this https most likely would be protecting other parts of avid.com.

Just a guess.

Darryl Ramm 04-09-2019 12:55 PM

Re: Avid DUC not secure?
 
I explained enough issues. You don’t think it’s an issue, too bad. I don’t know any security person who would think this is not an issue worth fixing.

Want to guess how many Avid staff might reuse passwords or slight permutations on DUC and Avid in-house systems? Want to guess if they have a corporate password management system or hardware key/2FA authentication implemented for internal systems? Oh what goodies that might reveal?

Want to think what could happen if somebody MITM attacks and gets admin access to DUC and all the non-public info is scraped?

Security happens in layers, https is one of those important layers.

andrej770 04-09-2019 01:05 PM

Re: Avid DUC not secure?
 
Darryl, if you feel so strongly why not offer to pay to move it to https for Avid. Put your money where your mouth is. Oh, not that important anymore right! :D:D:D It doesn't matter to me either way. I'm not one of the idiots JFREAK was referring to. But I agree there are those that need protecting from their own bad habits. Hmmm, maybe those that want https most are those that need protecting most. :D:D:D. Tell me... what's your password? And what's in YOUR wallet! :D:D:D:D:D:D:D:D

All in fun. Pull ya panties back out! :D:D:D

Darryl Ramm 04-09-2019 01:23 PM

Re: Avid DUC not secure?
 
Cost which has been brought up here before is a fallacy. Organizations like Let’s Encrypt provide certificates for *free*. Sure I’ll pay for one of those for Avid. Additional overhead costs should be down in the weeds, and easily offset by any security breach cost models.

How about having a nice slow think before you type a reply and see if you can come up with any actual reasons why using https would not improve security for almost everybody on DUC? My day job is working in the technology industry, including in the past for Google, I damn well appreciate their push to get everybody, technology luddites included, on https.

andrej770 04-09-2019 01:40 PM

Re: Avid DUC not secure?
 
Quote:

Originally Posted by Darryl Ramm (Post 2521644)
Cost which has been brought up here before is a fallacy. Organizations like Let’s Encrypt provide certificates for *free*. Sure I’ll pay for one of those for Avid. Additional overhead costs should be down in the weeds, and easily offset by any security breach cost models.



How about having a nice slow think before you type a reply and see if you can come up with any actual reasons why using https would not improve security for almost everybody on DUC? My day job is working in the technology industry, including in the past for Google, I damn well appreciate their push to get everybody, technology luddites included, on https.



Darryl, you care! Great! I don’t! It’s simple. Nothing http or https has helped or hindered any of the work we do in PT or in the industry. AVID has never had a breach anywhere. The possibility and probability are always part of a thorough threat Matrix (I guess my days as Dir. of infoSec for a major airline for 15 years in which the no fly list landed on my desk to process in) comes in handy but doesn’t change my opinion on THIS site. This forum is about PT and PT processes. It’s great you care. There’s your pat on the back.

Now...back to writing music. Good day!


Sent from my iPhone using Tapatalk

jeffro 04-09-2019 02:23 PM

Re: Avid DUC not secure?
 
Not a bad idea to weigh the impact in cost or inconvenience when considering increases to security, but based on discussions with our forum host I don't see a valid reason at this point to not implement this change.

andrej770 04-09-2019 04:51 PM

Re: Avid DUC not secure?
 
Hooray Jeff. Darryl will be tickled pink.

As soon as that's done, everyone can go back to using the same password they use at their bank. LOL . https saved us again!

Sent from my iPhone using Tapatalk

Frank Kruse 04-10-2019 03:25 AM

Re: Avid DUC not secure?
 
Quote:

Originally Posted by musicman691 (Post 2521071)
Let's put it this way - it returned false positives for places I've never been

Not saying that this is the case but it **could** mean that someone is already signing up to services in your name or using your name/email.

But again: not saying this must be the case. It just means your address is in those leaked/breached databases.

Frank Kruse 04-10-2019 03:29 AM

Re: Avid DUC not secure?
 
Quote:

Originally Posted by JFreak (Post 2521639)
Someone somewhere wrote that most users are idiots and are likely using the same password here and there, so this https most likely would be protecting other parts of avid.com.

HTTPS won't stop people from recycling login credentials (and no one here claimed that), it protects from that info being intercepted by impersonating this website (MITM attack) and gets you to go there by sending you a fake email with a "click here to verify your account" or whatever. We all get these all the time.

Clicking on the little lock lets you verify the website you are visiting actually IS run by AVID and not someone else.

musicman691 10-14-2019 03:24 PM

Re: Avid DUC not secure?
 
Had an interesting thing just happen about an hour ago. I usually don't put my daw computer online but my other Mac was so slow with some streaming YouTube video I went to my cheesegrater. When I was done with that I decided to browse the DUC. I normally stay logged in to the DUC on both computers but when I came to the daw machine my login was cleared and when I went to login up came a message saying the connection was not secure and had steps to go through to get in here. Yet my other Mac is fine and still logged in to the DUC.


Daw comp runs OSX 10.13.6 and other Mac (2010 Mini) is running 10.6.8


All times are GMT -7.