Is DirectAdmin fair and secure enough on production server?

Status
Not open for further replies.
You have got to be trolling, right?

I have been a contributor to the forum for over 5 years so NO to the trolling.

I am done here unless you can prove that there is a vulnerability now.

The OP wanted to know if DirectAdmin was stealing users' data. The answer is not that anyone can find.
 
I'm not a regular poster as floyd is (but am a regular reader). But I think this discussion is taking a wrong direction so I'd give my 2 cents.

I'd say if someone knows about a vulnerability in DA or any other system he or she should report it. I don't believe that asking money for that knowledge is a good idea.

If someone would email me and tell me he or she found a vulnerability in a program I wrote (and I do write programs) and asked me for money before sending me at least some basic outline of the vulnerability found, I'd delete the email right away. Especially since there's so much nonsense mail coming in every day, I'd treat it as being just that. Some opportunist trying to talk me money out of my pocket by scaring me off. Period.

So, if the DA admins didn't reply, that doesn't mean they aren't interested. Not at all. I think this conclusion is simply wrong.

To get back to the question? Personally I believe DA is as secure as other systems that do the same. No system is 100% bulletproof.
 
If someone would email me and tell me he or she found a vulnerability in a program I wrote (and I do write programs) and asked me for money before sending me at least some basic outline of the vulnerability found, I'd delete the email right away. Especially since there's so much nonsense mail coming in every day, I'd treat it as being just that. Some opportunist trying to talk me money out of my pocket by scaring me off. Period.

I'm not sure what this really has to do with anything. I stated that I sent an email asking that if I were to find any issues, would they be willing to purchase that information. It was a simple offer, much more simple than you are making it out to be. Just like floyd, you are twisting things around and adding drama. I don't think that what I said was that difficult to comprehend, nor does the offer for an exchange of goods automatically make someone a liar, an "opportunist", or make their offer "nonsense". Later kids. I'm tired of being on the defensive here. Good luck with that whole "everyone owes vendors free bugs" thing.
 
[sarcasm]Nice flame, keep it going :D[/sarcasm]
You are both convinced of what you are saying, and you probably are both right, just have a different, correct opinion of what security is. It's not an exact science you know. Just shake your hands ;)

I'll reply to randomuser's considerations about my previous post.
Vulnerabilities are difficult to find in it? Compared to what? It's been rooted before, a few times at least. Only took me about 30 minutes of poking around when I rooted it.
I'm not surprised, as any skilled auditor is able to compromise the security (isn't this better than "rooting"? If you want to be a professional, use the right terms) of any software given enough time.

What's important is the combination of how difficult it is to find and to be exploitable and how risky the data compromise is in terms of confidentiality, integrity and availability. This is the criticality; combined with how often a vulnerability is found or is exploitable, it defines the criticality over time of a piece of software, and DirectAdmin has a medium to high one in my professional opinion.

Of course DA has been compromised before. I'd even be ashamed about some of the vulnerabilities found. But I had the pleasure of actually getting replies from a developer (I didn't ask for money without warranty of results, just gave the results, maybe that's the reason) and he was well aware of the circumstances that created the vulnerability, and he corrected himself right away. I'm sure it won't happen again, not in the same context.

Last, I would like to give you some professional advice. If you are looking for customers, do not denigrate them publicly... IMHO it's not helping. :)
 