Film-Tech Cinema Systems
Film-Tech Forum ARCHIVE
Topic: DSS200 FTP credentials ... cannot be changed from factory defaults ... WTF?!
Leo Enticknap
Film God

Posts: 7474
From: Loma Linda, CA
Registered: Jul 2000


posted 09-16-2015 07:14 PM
I'm scratching my head over this one.

I'm trying to make a DSS200 accessible for FTP ingestion from a remote Internet location (basically, to enable trailers and that sort of stuff to be swapped between two DSS200s in two theaters without the need to move flash sticks back and forth, and also to ingest short DCPs and keys from home). As part of this, I emailed Dolby customer support to ask them how to change the FTP login credentials from the factory defaults as stated in the manual.

Their reply came back - they cannot be changed and you have to use the defaults!

I find this staggering. As a general rule, the quality of Dolby's products and support is second to none, and so I can't figure out why they would do something as stupid as to deny their customers the ability to apply very basic IT security 101 - don't leave the username and password on the factory default. I could understand why they didn't want to publish the procedure in the manual - to discourage novice owners from reaching beyond their ability and locking themselves out of their own servers, and/or to prevent bad guys (e.g. disgruntled employees) from locking server owners out of their machines maliciously. But I didn't for one moment think that the software was written such that it simply couldn't be done.

As far as I can see, I now have three choices.

1 - Give up on the idea of having remote access to the servers, and keep them disconnected from the Internet.

2 - Mess around with port forwarding in the router firewall settings, such that only incoming connections from specific IP addresses on port 21 are allowed. As one of our theaters and my home has a dynamic IP, that's not going to work unless I update the router settings every time AT&T, Verizon or whoever chooses to change the IP addresses of the places I want to reach the DSS200s from.

3 - Accept that the DSS200s will be left wide open to hackers.

I hope that Dolby will come to their senses and add the ability to change these credentials from their defaults on a future software version. I can't even begin to imagine the rationale behind making them completely fixed.

Frank Cox
Film God

Posts: 2234
From: Melville Saskatchewan Canada
Registered: Apr 2011


posted 09-16-2015 07:35 PM
Put an intermediate computer between the cinema server and the outside world. Then forward the ftp connection as described here:

SSH port forwarding

David Buckley
Jedi Master Film Handler

Posts: 525
From: Oxford, N. Canterbury, New Zealand
Registered: Aug 2004


posted 09-16-2015 08:34 PM
Yeah, SSH port forwarding works, but FTP is a twat of a protocol for this sort of thing, which is why it takes an article to explain how to set it up! But SSH does provide a good solid secure platform. Does the Dolby box not provide any other file transfer protocols?

The additional computer can be as simple as a Raspberry Pi; that's what I use for my SSH termination point to dial home.

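The intermediate machine Frank and David describe, as an added example that is not code from the thread, from Dolby, or from the linked article: a POSIX shell script for the jump host that issues a tunnel-only SSH key (restricted with OpenSSH's authorized_keys options so it can reach nothing but the DSS200's FTP control port), audits an authorized_keys file for keys that lack that restriction, and prints the matching client-side command. The DSS200 address 192.0.2.10, the host name jump.example.com and the account name tunnel are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or Dolby: harden the jump host that sits
# between the DSS200 and the Internet so a remote key can do one thing only:
# open an SSH tunnel to the DSS200's FTP control port. Assumed values:
# DSS200 at 192.0.2.10 on the booth LAN, jump host jump.example.com, account
# "tunnel". Needs OpenSSH 7.2 or newer for the "restrict" key option.

DSS200_IP="${DSS200_IP:-192.0.2.10}"
JUMP_HOST="${JUMP_HOST:-jump.example.com}"

# authorized_keys line for the tunnel account:
#   restrict         no pty, no commands, no agent/X11 forwarding
#   port-forwarding  re-enable TCP forwarding only ...
#   permitopen       ... and only towards the DSS200's port 21
authorized_key_entry() {
    pubkey="$1"   # e.g. "ssh-ed25519 AAAA... leo@home"
    printf 'restrict,port-forwarding,permitopen="%s:21" %s\n' "$DSS200_IP" "$pubkey"
}

# Audit check: succeed only if a line carries both restrict and the permitopen
# pin. A bare key line would hand its holder a full shell on the jump host.
key_entry_is_restricted() {
    case "$1" in
        *restrict*permitopen=\"${DSS200_IP}:21\"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Walk an authorized_keys file, report unrestricted keys on stderr and print
# how many were found (0 means the file is clean).
audit_authorized_keys() {
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if ! key_entry_is_restricted "$line"; then
            echo "UNRESTRICTED: $line" >&2
            bad=$((bad + 1))
        fi
    done < "$1"
    echo "$bad"
}

# Client side (home or the other theatre): the FTP client talks to
# localhost:2121 and the connection emerges on the booth LAN at the DSS200.
# Only the FTP control channel is carried; FTP's separate data channel still
# needs passive-mode handling on the client, which is David's point above.
tunnel_command() {
    printf 'ssh -N -L 2121:%s:21 tunnel@%s\n' "$DSS200_IP" "$JUMP_HOST"
}
```

Because the restricted key cannot reach anything but port 21 on the DSS200, a client on a dynamic home IP no longer needs a source-address rule in the router; the key, not the address, is what the jump host trusts.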
Sascha F. Roll
Expert Film Handler

Posts: 140
From: Berlin, Berlin / Germany
Registered: Sep 2015


posted 09-16-2015 09:24 PM
Leo, same thing with Sony servers: the FTP login (s2suser etc.) cannot be changed.

Pete Naples
Phenomenal Film Handler

Posts: 1565
From: Dunfermline, Scotland
Registered: Feb 2001


posted 09-17-2015 02:09 AM
I believe the same is true of Doremi.

Surely you're not leaving them open to the outside world? Sites where we do remote content transfer, we connect via a secured VPN. So the worry about the FTP details being default is a moot point.

Steve Guttag
We forgot the crackers Gromit!!!

Posts: 12814
From: Annapolis, MD
Registered: Dec 1999


posted 09-17-2015 06:54 AM
Leo, I'm unclear about how your servers are hanging out on the internet. I, personally, have not ever had nor desired to change the FTP credentials to a server, but those servers are NOT on a common network. For you to "see" the servers you already must have been trusted enough to be on the same network as them. Even NTP time is only via a local time source on the network.

Using a suitable firewall router (I like Sonicwall, myself), you can make any/all of your networks as secure as you wish.

Furthermore, just what can a malicious person do if they do get into the FTP directory? Add or delete content...that is about it. Yes, deleting content would be sucky.

But back to the design concept...I'm not sure that leaving a server's media NIC hanging on the internet is a wise idea for any reason. And an internet based FTP transfer is bound to be hideously slow on a network that is normally VERY fast. I would think a far superior solution would be to have a relatively inexpensive computer with a large storage system be what you transfer content/keys to, and then from that computer push the keys/content over to the servers desired. You also then don't have a brand specific FTP system...you could have 4 brands of servers and still have a functional system. There are tons of ways for remoting into a computer and with as much security as you desire.

Carsten Kurz
Film God

Posts: 4340
From: Cologne, NRW, Germany
Registered: Aug 2009


posted 09-17-2015 07:22 AM
We use DropBox for similar applications. I don't know if there is an easy way to transfer files automatically to the DOLBY, but if there is a general use computer running drop-box locally, everything can be automated nowadays. These cloud storage apps have the added benefit that they make sure every single file is synced perfectly during daily use of these machines, no matter how often they are disconnected from the network or rebooted. After a while, everything is synced.
If you use FTP, you always need to make sure everything is stable during the transfer. There are other services like Dropbox, but I found Dropbox the most stable of all of them. And they have the most clients available. Another, slightly different option is BitTorrent Sync.

- Carsten

Leo Enticknap
Film God

Posts: 7474
From: Loma Linda, CA
Registered: Jul 2000


posted 09-17-2015 10:15 AM
I get that by putting extra security infrastructure in place - SSH port forwarding, a VPN or whatever - this issue can be worked around. But for me, it's a case of the security/convenience tradeoff. I'm only looking to be able to transfer small DCPs (e.g. snipes and trailers) and KDMs remotely. I have one projectionist who doesn't use email at all and therefore can't ingest a KDM if it arrives on the day of the show and I'm not there, and times when the programmers need DCPs made from files (e.g. walk-in slideshows) at the last minute, when I'm at home 70 miles from the theater. If it takes an hour to transfer 3GB, that's not a problem and a better option than four hours of driving. Adding serious extra network security infrastructure to the booth is not something I have the time or the budget to do, but our IT guy is able to fix things so that these servers have an external IPv4 address.

If I could set up proper usernames and passwords such that only a determined hacker using brute force could get through them, that would be enough security for me (i.e. proportional to the risk, in my judgment). But I can't, because Dolby won't let me, leaving my only options the more time-consuming and expensive ones to implement, as described by Steve and Frank, or putting these servers on the public Internet with their factory default credentials.

It is surely not a massive software engineering task to make these credentials changeable by the end user. Given that even 12-year-old schoolkids are taught that the first, most basic rule of IT security is never to leave usernames and passwords on the factory default when you buy or take charge of a new device (not to mention the fact that server credentials left on their factory defaults is reportedly how the Sony hack was done), I'd love to know what line of reasoning led Dolby to make them unchangeable.

Scott Norwood
Film God

Posts: 8146
From: Boston, MA. USA (1774.21 miles northeast of Dallas)
Registered: Jun 99


posted 09-17-2015 11:48 AM
It probably _can_ be configured, but not within the regular Dolby user interface (you would probably have to boot off of a CD or the network, mount the filesystems on the DSS200, and edit the configuration and/or password file for the ftp daemon). If you try this and break it, Dolby probably won't help you fix it (and I would not expect them to do so).

Even if you do change the login information, the FTP protocol sends information (including login details) in the clear across the network, which means that login information can be "sniffed" by anyone with network access at either end.

It is much better to use an SSH tunnel, VPN, or some other means to allow remote access to the DSS200. I agree with the others that D-cinema servers should not have direct Internet access.

Steve Guttag
We forgot the crackers Gromit!!!

Posts: 12814
From: Annapolis, MD
Registered: Dec 1999


posted 09-17-2015 11:56 AM
Leo...while not speaking for Dolby at all (they have people that can do that)...I'm sure the reason is that having that password/user change would cause more grief than good. What you are wanting to do is far less common and, in my opinion, FAR more risky. Moving content about a complex is a very common operation and there are automated systems for doing this (TMS systems) and having a user/password that is known will go a long way to ensuring that these systems work reliably.

Then there is the security risk aspect of it all: the FTP directory is of low security risk...you aren't going to infect the system from in there or trash it. While you can delete content from its top level directory, I don't think you can even delete content from the "generated packages" directory. So it comes back to...what is the big advantage that would offset the disadvantages to making that password changeable?

Generally speaking, the server's protection should be where you allow its access. If behind a suitable firewall...just who is getting to it? As such, the need for this change gets even less necessary.

I could make the argument for other passwords on the Dolby server being settable...much more harm can be done by knowing a fairly common Dolby password.

Alas, only the UI user-level passwords are settable.

Marco Giustini
Film God

Posts: 2713
From: Reading, UK
Registered: Nov 2007


posted 09-17-2015 03:47 PM
As Steve says, no need to hire an IT genius: just place an inexpensive PC with a decent HDD on it. You transfer to that PC and then you can either push the content to the servers or let your projectionists pull what they need.

Personally I would not want my media server on the Internet. I use VNC when I need to access a server - that way I am behind a firewall. Opening a Linux server to the world is not something you want to do, particularly if the standard port is being used. You'll be hacked in no time.

All times are Central (GMT -6:00)  
© 1999-2020 Film-Tech Cinema Systems, LLC. All rights reserved.