You may want to close this barn door on your IBM Connections site

by Volker Weber

Let's go to IBM Connections and not log in. This is the important part. We are a dog on the Internet and nobody knows we are a dog. Let's pick an IBM site and issue a search query against the Profiles application, looking for everybody who has tagged their profile with "machine-learning".


The first gentleman has a profile picture so he might be active. Let's click on his profile:


Looks like he is indeed active and there is a conversation he is having. Notice that we are still not logged in.

When I saw this, I was shocked. And not only does this work on ibm.com/connections but on other sites as well. I thought this was a huge problem, so I contacted IBM on multiple channels. And I got the same answer on each of those channels: this works as intended. It's the default. Profiles are supposed to be crawlable.

If you disagree and would rather not have your Profiles public, there is a simple solution, though it will have side effects elsewhere: you can require a login before Connections discloses anything.


Comments

Thanks for the heads-up. We are actually in the process of shutting down the ibm.com/Connections instance that you highlight here, mainly because in my own opinion we can't operate and secure it the same way we can with Connections Cloud S1. I will bring this feedback back to my team if it will help accelerate some of the work we are doing.

Ed Brill, 2015-11-26

To be honest: The first thing we normally do after installing Connections at a customer is to enable forced login for all applications... So I am not aware of a customer site (especially if it is reachable from the Internet) which can be used without login.

Urspringer Michael, 2015-11-26

Ed, you should be able to secure ibm.com/connections the same way your customers can. I would be sad if your on-premises Connections product is less secure than your cloud-hosted Connections product.

Michael, that sounds like the right thing to do. Unfortunately that is not the case for all Connections deployments. We have been there before. names.nsf used to be public as well, with server or user IDs attached. Oh, the fun I had with that. I would not dare doing this today.

Volker Weber, 2015-11-26

Take a look at the knowledge center, if you like:

http://www-01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/admin/c_admin_common_manage_ext_user.dita?lang=en

It's kind of hard to find, but down there in the deepest documentation it says:

Note: If external users are not forced to authenticate through a mechanism such as Tivoli Access Manager (TAM), then you must disable anonymous access for all Connections users. Perform the steps in Forcing users to log in before they can access an application. If anonymous access is enabled and external users are allowed to access your IBM Connections implementation, then external users might anonymously access all public data in IBM Connections. This access includes profiles and public files and communities that were not intended to be shared externally.

And as I only just found this, I'm not entirely sure it is the right documentation for the problem mentioned :-)

Wolfgang Fey, 2015-11-26

So IBM is about to shut down Greenhouse. We are using Greenhouse a lot to show the power of IBM Connections and other IBM products. This was VERY useful to prepare many of the projects that led to a new IBM Connections customer.

The Smartcloud installation is not really an option. As an external user you are not able to build connections, the activity feed ends after 6 weeks, and so on. So what is the plan? It should be much easier to secure Greenhouse instead of shutting the whole thing down and dealing with the complaints.

Alexander Kluge, 2015-11-26

I have been recommending for years to search for available Connections sites through Google, because sometimes updates return security settings to default.

So a combination of in-url and other search terms or site:connections-host should only show you the login page to your Connections environment.

Christoph Stoettner, 2015-11-26

> sometimes updates return security settings to default

Exactly. And the default is wrong. I have discussed this with Nick Shelness years ago. And he made Lotus ship everything with Access None. Nick has left long ago, and IBM needs to learn the same lesson again.

The default has to be closed and it should take a deliberate action to open it.

Volker Weber, 2015-11-26

Must admit that I really enjoy reading about enterprise software as an "Außenstehender" (outsider).

Martin Kautz, 2015-11-26

Profiles are harmless. What about Files, Blogs, Wikis? All public by default also.

I suppose Connections wasn't intended to be reachable outside the internal network initially. Then these default settings make sense because you can reach all your employees with "public" content without having to pay licenses for them. But now an employee publishing something to the whole company might publish it to the whole world unintendedly.

Oliver Regelmann, 2015-11-28

Right. I just did not want to drop a bigger bomb. It's easy to demonstrate how one gets to the other public content without ever logging in. That is why I suggest setting the 'login required' toggle. Once we have done that we can ask what happens after users are logged in and no longer anonymous. It's difficult enough to set the right scope even for those.

You will have to assess whether Connections is fit for use with "external" entities. Which is a typical enterprise view. What happens if you don't have 400k employees but 20k entities with 20 employees on average?

And once you answered that question we get to the big one: what control do I have over a 3rd party application that I install on my site. The answer is quite shocking.

Volker Weber, 2015-11-28
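The "login required" check the post and the comments about Files, Blogs and Wikis call for, as an added example that is not code from the original post or from IBM: it sends one unauthenticated request per application context root and reports which ones answer with content instead of a login challenge. The context roots, the login-URL markers and the `j_security_check` form marker are assumptions; adjust them for your own deployment and only point this at hosts you operate.

```python
"""Audit an IBM Connections host for anonymous (not-logged-in) read access.
Added example; context roots and login markers below are assumptions."""
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# Assumed default context roots of the Connections applications.
APPS = ["profiles", "files", "blogs", "wikis", "communities", "activities", "forums"]
# Assumed markers that identify a redirect target or page as a login challenge.
LOGIN_MARKERS = ("login", "j_security_check")

Response = Tuple[int, Dict[str, str], str]  # (status, lower-cased headers, body prefix)


def fetch_anonymous(url: str, timeout: float = 10.0) -> Response:
    """Plain GET with no cookies or credentials; redirects are NOT followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface 3xx as HTTPError instead of following it
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            headers = {k.lower(): v for k, v in resp.headers.items()}
            return resp.status, headers, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        headers = {k.lower(): v for k, v in err.headers.items()}
        return err.code, headers, err.read(4096).decode("utf-8", "replace")


def is_login_challenge(resp: Response) -> bool:
    """True if the server demanded authentication rather than serving content."""
    status, headers, body = resp
    if status == 401:
        return True
    location = headers.get("location", "").lower()
    if status in (301, 302, 303, 307) and any(m in location for m in LOGIN_MARKERS):
        return True
    return status == 200 and "j_security_check" in body


def audit(host: str, fetch: Callable[[str], Response] = fetch_anonymous) -> Dict[str, str]:
    """Map each app to 'login-required', 'ANONYMOUS-READABLE' or 'error <status>'."""
    results: Dict[str, str] = {}
    for app in APPS:
        resp = fetch(f"https://{host}/{app}/")
        if is_login_challenge(resp):
            results[app] = "login-required"
        elif resp[0] == 200:
            results[app] = "ANONYMOUS-READABLE"
        else:
            results[app] = f"error {resp[0]}"
    return results
```

Any application reported as ANONYMOUS-READABLE is serving its public scope to the whole Internet, which is exactly the default behaviour the post describes.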

No question we could secure Connections instances as necessary. The ibm.com instance of Connections is doing double-duty with what we are investing in deploying for IBMers, which is Connections Cloud S1. I would like to have fewer moving parts total within our infrastructure, so the decision to decommission the ibm.com instance was mostly about simplification.

Re the comment from Alexander about Greenhouse: that's operated outside the IT/CIO organization. I have seen some discussions among those who operate and use it about how to handle some of the use cases and activity going forward.

Ed Brill, 2015-11-29
