Slashdot Mirror


Slashdot Database Compromised!

Today the Slashdot database was compromised by 2 hackers from the Netherlands. !(Nohican && {}) They secured the hole and sent an email to the admins; they should even be reading it now. Update: 09/29 11:04 PM by michael : We know about it, blah-blah-blah. Don't email us. I think it's safe to say that whatever happened, you'll hear the full details soon enough. Thanks.

371 comments

  1. Re:this is cool by humungusfungus · · Score: 1

    It's not about romantic BS.
    It's about having some skill, interest and integrity. Don't let the hype cloud your judgement.

    --
    No sig.
  2. Re:this is cool by hwaym · · Score: 1

    I see, /. and the open source community are naive? & I suppose you have more faith in law makers? Or perhaps executive managers? How many people do you trust your credit card details with on a weekly basis? What about those bank employees? You know, the stressed looking ones with the `I owe someone money' look about them...
    White collar criminals rip exponentially more money than yr average website cracker gets out of cc no.'s, & they almost inevitably get away with it! Later to head another big company... A matter of declaring bankruptcy at the time as the missing millions gather interest in pacific tax havens...
    Face it, your local supermarket keeps customer records, they know what you like, they have a goddamn dossier on your breakfast cereal preferences. The `State' walks in & out of your `confidential' phone conversations at will, yr boss legally owns your emails.
    What the hell is the law? What is right & wrong? What is property? As far as the Man is concerned, it's whatever he says it is. Just ask Steve Jackson about Operation Sundevil.
    Freedom of the press is restricted to those that own one... I'm sorry pal, but the same truism goes for property & law. Supreme truth is monopolised by those in control of the iconography. It seems some are more clearly influenced by that iconography.
    Frankly, given the option, I'd rather cast my straws on the likes of {} & Nohican...

    --
    ...Knowledge is power only if you know how to apply it.
  3. Re:Precisely. by fluxrad · · Score: 2

    ah, but for the boys on slashdot, someone is trying to break into their home at least every couple of minutes.

    Personally, if someone was doing this to my house, and another individual came along, fixed the poor lock (or in this case, an open door) and left me a note stating the above... I would be grateful. This is not to say that I believe it's ok for people to attempt to break in to my, or anyone else's house. But do you honestly think we should vilify the hackers in this instance?


    FluX
    After 16 years, MTV has finally completed its deevolution into the shiny things network

    --
    "It is seldom that liberty of any kind is lost all at once." -David Hume
  4. Re:Classic by enneff · · Score: 1

    Hey, at least I'm not calling it just 'America'. That'd be twice as bad. ;)

  5. The hacker formerly known as {} ? by techmuse · · Score: 1

    So, how does one pronounce {} anyway? :)

    1. Re:The hacker formerly known as {} ? by Frank+van+Vliet · · Score: 2

      as Frank

      -{}

    2. Re:The hacker formerly known as {} ? by nohican · · Score: 5

      I pronounce it as "bracketbracket" :) - Nohican

    3. Re:The hacker formerly known as {} ? by SEGV · · Score: 1

      [] brackets
      {} braces
      () parentheses

      We don't call periods commas, do we?

      --
      Marc A. Lepage (aka SEGV)
      Software Developer
    4. Re:The hacker formerly known as {} ? by Watts · · Score: 1

      Null set. Go do some set mathematics and logical operations, you'll recognize it. :)

  6. I'm sure we will hear a lot about this by yuriwho · · Score: 1

    Signal 11 will be revealed to be Bill Gates
    SpiralX (sic) is Wos
    Bowie Poag was Pierre Trudeau (he's dead now)
    OOG THE CAVEMAN was Jerry Brown!?

    Who knows who the rest of us are????

    --
    no sig.
    1. Re:I'm sure we will hear a lot about this by spiralx · · Score: 1

      SpiralX (sic) is Wos

      You know I never realised there was a spiralx.com until a week or two ago. And fucking horror of horrors, it appears to be a wrestling site. Still it explains why people keep writing "SpiralX" rather than "spiralx", they're obviously wrestling fans...

      And I'm definitely not Woz... :)

  7. Re:Don't they deserve a reward? by Tairan · · Score: 1
    Oh my god, that's prolly the funniest thing I have read in a long time! Thankfully, they didn't!

    --
    /. is a commercial entity. goto slashdot.com
  8. Re:Refund!!! by slashdoter · · Score: 1
    How about a $10 voucher. I would like to add to my collection

    ________

    --
    Does anyone actually have a Java program designed to control air traffic, or for the operation of a nuclear facility?
  9. Re:"fixed" Slashdot? by Ollinghhajuilo · · Score: 5
    I hope by "fixed" you also mean, "deleted Jon Katz's account."

    He's a hole all right. "Security Hole" isn't the first hole that comes to mind though.

  10. Re:Please explain this to me by redial+1 · · Score: 1

    The message was not posted by Taco, it was posted by the hackers.

  11. Clear Text or Two-Way Encryption by Rahoule · · Score: 5

    I would hope that /. boys coded the whole database so that passwords were one-way encrypted. Then it would be that much of an issue to change your password.

    They aren't. If you forget your password, Slashdot will mail it to you (the "mailpasswd" button on /users.pl when you're logged out). Slashdot emails you your password, in clear text. So, even if the passwords are encrypted, they can be decrypted. How else would Slashdot be able to tell you your password?

    1. Re:Clear Text or Two-Way Encryption by Tower · · Score: 2

      The passwords are clear-text in the db. You can check out slashcode for the details. Real basic stuff...
      --
      "It's tough to be bilingual when you get hit in the head."
    2. Re:Clear Text or Two-Way Encryption by Frank+van+Vliet · · Score: 1

      Have you ever thought of the use of passwords when a database is compromised (meaning you can not only read but also write to it)?

    3. Re:Clear Text or Two-Way Encryption by seinfeldet · · Score: 1

      That's a very ignorant statement. Linux, and many web sites such as the one I administer, encrypt passwords using a one-way hash, so they cannot be decrypted. When a user tries to authenticate, you encrypt their inputted password and see if that matches the encrypted password in the database, or in /etc/passwd (as Linux does). This way you cannot decrypt the passwords, and yet you can still use them for authentication. Elliot elliot@bha.udel.edu

    4. Re:Clear Text or Two-Way Encryption by Garak · · Score: 1

      What they should do is generate a new password for you if you forget your password. No one should ever see a plain text version of your password. It should be crypted even before it leaves your computer. And then the only thing in your database dealing with our passwords should be a crypted version of our password which can be compared to the crypted version they receive when we login.

      --
      God, root, what is the difference?
    5. Re:Clear Text or Two-Way Encryption by da5id · · Score: 1

      Gad! What part of
      They aren't. If you forget your password, Slashdot will mail it to you (the "mailpasswd" button on /users.pl when you're logged out). Slashdot emails you your password, in clear text. So, even if the passwords are encrypted, they can be decrypted. How else would Slashdot be able to tell you your password?
      did you not understand?

      The Uber Nerd

    6. Re:Clear Text or Two-Way Encryption by Frac · · Score: 1
      That's a very ignorant statement. Linux, and many web sites such as the one I administer, encrypt passwords using a one-way hash, so they cannot be decrypted. When a user tries to authenticate, you encrypt their inputted password and see if that matches the encrypted password in the database, or in /etc/passwd (as Linux does). This way you cannot decrypt the passwords, and yet you can still use them for authentication.

      That was a very ignorant post.

    7. Re:Clear Text or Two-Way Encryption by ivan256 · · Score: 1

      What happens when some annoying little sh*t pushes the mail password button for you? You won't be able to log in with your own password. It'd have to be more complicated than that, like mailing you a new password but the old one is still in effect until you reply to the e-mail.

    8. Re:Clear Text or Two-Way Encryption by theyman · · Score: 1
      I must admit that I'd rather be sent a 'reset' gobbledy-gook password than a 'clear-text' of my old one...
      That, at least, would allow me to change my password back....

      K

      --
      Well, well, well; three holes in the ground...
    9. Re:Clear Text or Two-Way Encryption by dreamking · · Score: 1

      I've always disliked the mail password feature on _any_ site I've been to. It'd be much more effective and secure to one way encrypt the passwords and if you lose or forget it to assign you a new one and mail _that_ password to you, so you can then change it to whatever you choose.

      --
      - Never imagine yourself not to be otherwise than what you had been would have appeared to them to be otherwise.
    10. Re:Clear Text or Two-Way Encryption by aozilla · · Score: 1

      huh? how could you change your password back if you forgot it? :)

      --
      ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
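The thread above argues for one-way hashed storage and for a reset that issues a new credential instead of mailing the stored password. What follows is an added example, not Slashcode and not anything the posters wrote, in Python rather than Slash's Perl: an in-memory `UserStore` (a hypothetical stand-in for the users table) keeps only a per-user salt and a PBKDF2-SHA256 digest, verifies a login by recomputing the digest, and handles "forgot my password" the way ivan256 and dreamking describe, by handing back a random single-use token to mail while the old password keeps working until that token is redeemed. All names, addresses and sample credentials are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

PBKDF2_ROUNDS = 100_000      # work factor; raise it as hardware gets faster
RESET_TTL_SECONDS = 3600     # how long a mailed reset token stays valid
DUMMY_SALT = b"\x00" * 16    # burns the same time for nicks that do not exist


def derive(password: str, salt: bytes) -> bytes:
    """One-way: the stored value cannot be turned back into the password,
    so there is nothing a 'mailpasswd' button could send in the clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class UserStore:
    """Hypothetical stand-in for the users table. Holds salt + digest only;
    a dump of this store (the scenario in the story) yields no passwords."""

    def __init__(self):
        self.users = {}    # nick -> {"salt": bytes, "digest": bytes, "email": str}
        self.resets = {}   # sha256(token) -> (nick, expiry); tokens are stored hashed too

    def create_user(self, nick: str, email: str, password: str) -> None:
        salt = os.urandom(16)                       # per-user salt defeats shared rainbow tables
        self.users[nick] = {"salt": salt, "digest": derive(password, salt), "email": email}

    def verify(self, nick: str, password: str) -> bool:
        rec = self.users.get(nick)
        if rec is None:
            derive(password, DUMMY_SALT)            # same cost whether or not the nick exists
            return False
        return hmac.compare_digest(derive(password, rec["salt"]), rec["digest"])

    def request_reset(self, nick: str, now: Optional[float] = None) -> Optional[str]:
        """What the 'mail password' button should do instead: return a random,
        single-use token for the caller to mail to the address on file. The current
        password stays valid, so pressing the button for someone else changes nothing."""
        if nick not in self.users:
            return None                             # mail nothing; do not reveal which nicks exist
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode("ascii")).digest()
        self.resets[key] = (nick, (now if now is not None else time.time()) + RESET_TTL_SECONDS)
        return token

    def complete_reset(self, token: str, new_password: str, now: Optional[float] = None) -> bool:
        """Redeem the mailed token exactly once; only then does the old password die."""
        key = hashlib.sha256(token.encode("ascii")).digest()
        entry = self.resets.pop(key, None)          # pop: a token cannot be replayed
        if entry is None:
            return False
        nick, expiry = entry
        if (now if now is not None else time.time()) > expiry:
            return False
        salt = os.urandom(16)                       # fresh salt with the fresh password
        self.users[nick].update(salt=salt, digest=derive(new_password, salt))
        return True


def demo() -> dict:
    """Walk through login, an unsolicited reset request, and a real reset.
    Credentials here are constructed sample data, not real accounts."""
    store = UserStore()
    store.create_user("cmdrtaco", "taco@example.invalid", "wumpus-1999")
    out = {"login_ok": store.verify("cmdrtaco", "wumpus-1999"),
           "wrong_pw_rejected": not store.verify("cmdrtaco", "WUMPUS-1999"),
           "unknown_nick_rejected": not store.verify("nobody", "wumpus-1999")}
    token = store.request_reset("cmdrtaco", now=1_000_000)
    out["old_pw_survives_request"] = store.verify("cmdrtaco", "wumpus-1999")
    out["bogus_token_rejected"] = not store.complete_reset("not-a-real-token", "x", now=1_000_001)
    out["reset_ok"] = store.complete_reset(token, "correct horse battery", now=1_000_001)
    out["new_pw_works"] = store.verify("cmdrtaco", "correct horse battery")
    out["old_pw_dead"] = not store.verify("cmdrtaco", "wumpus-1999")
    out["token_single_use"] = not store.complete_reset(token, "again", now=1_000_002)
    late = store.request_reset("cmdrtaco", now=1_000_000)
    out["expired_token_rejected"] = not store.complete_reset(
        late, "late", now=1_000_000 + RESET_TTL_SECONDS + 1)
    return out


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

The token is stored hashed for the same reason the password is: a read of the table must not let the reader complete someone else's reset. Mailing the token still trusts the mailbox, which is exactly the trust the clear-text `mailpasswd` already placed in it, only now the mail cannot reveal a password the user reuses elsewhere.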
  12. Re:That is rather funny... by _vapor · · Score: 2

    It would be, if they weren't lying. Apparently, /. admins never got any such email. So let's not pat these guys on the back just yet. They may have been benign, but we don't know just yet.

    --
    www.poak.net
  13. Re:Best article all day by Tairan · · Score: 2
    Of the day? This could be the best article I have seen in months! I liked it so much, I had to immediately stop playing Diablo2 (I was in the middle of killing Mephisto) to come read everything. Imagine Taco's face when he gets a call from VA tomorrow..Someone is going to have a long weekend.

    --
    /. is a commercial entity. goto slashdot.com
  14. Re:Stupid Crackers by itachi · · Score: 3

    No, the rfc1918 addresses are non-routed, but they aren't specifically localhost like 127. Now if someone is in a network where rfc1918 addresses are in use up to the point of contact with the outside world, then you might get them. Or _something_ on their network... If they aren't on a rfc1918 network, it'll probably get dropped at the first router, and definitely get dropped at the first well-admined router.

    itachi

  15. Re:did anyone else notice... by tetrad · · Score: 1
    and also that the sid uses tomorrow's date.

    Actually, that's today's date... in the Netherlands.

  16. 133t ru//\0rz d3pt by ackthpt · · Score: 2

    They hacked Rob Malda's password, which just so happens to be WUMPUS, but don't tell anybody, it's a secret!


    --
    Chief Frog Inspector
    A feeling of having made the same mistake before: Deja Foobar
  17. slashdot_uses_you by slashdot_uses_you · · Score: 1

    Do you think that a nerd site could be compromised by errors in configuration? Slashdot is big business, and a lot of nerds don't even know that they are a sort of community, that was sold by the people -and according to this latest trick no nerds, but business people- for over 500 million dollars. So what else is new, you figured out, all by yourself, that you're being used? btw: I only look at slash doth if someone asks me to, in this case {} asked me to look. He thought it was somehow 'cool'. I told him that it was a proof of my concept, slash doth isn't run by nerds, but by business people, who earned a lot. last time I checked someone had an interesting theory about M&M, still using that theory

  18. I like this, Shows class by Delphinios · · Score: 1

    I like the idea that slashdot was compromised. I'm sure it took skill and extreme ability to do so. Tack on the fact that they didn't rm -rf or install any trojans (I'm assuming) or didn't post a 4 page summary of everything that is morally wrong about slashdot, or even worse, an ASCII picture of Natalie Portman, shows they are intelligent. Good work. I look forward to seeing how you got in, and for having the guts not to do anything stupid. Thank you.

  19. Not News! by Anonymous Coward · · Score: 1

    This is not "News For Nerds: Stuff That Matters".

    1. Re:Not News! by donpardo · · Score: 2
      Yes, it is. They did it using only a modified i-Opener and a :CueCat.

      They forgot to disable the serial number in the :CueCat. That's how they tracked them.

      --
      Nothing to see here. Move along.
  20. Suckers! by duffbeer703 · · Score: 1

    This is just a hoax

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  21. Re:So, is this the downside to open source? by sampowers · · Score: 2

    No, in fact, this is the whole point. They found a bug in slashcode, they sent the fix to the right people. We're lucky that they posted this, and why? Because now it's fixed, and can't happen again, and it's causing discussion on the subject.
    Good Thing. :-)

  22. Re:full disclosure by Evro · · Score: 1
    yeah, I'm retarded.

    __________________________________________________ ___

    --
    rooooar
  23. No, no in reality by BMIComp · · Score: 1

    Comrade, you are wrong. Me and my colleagues of course put backdoor into slashcode, so in case Slashdot talk bad about mother russia....

  24. Re:paranoia by matman · · Score: 2

    never did I say that I used the same passwords, I however do realize that other people do.

  25. /. hacked? "nohican", huh? by talks_to_birds · · Score: 4
    Hmm.. Can't be too many "nohican's" around, can there?

    Let's see what WebFerret (The only way to search the Web!) makes of "nohican"..

    [time passes..]

    Ha!

    1. http://www.hideaway.net/vuln-dev/july/66.html

    nohican@MARCELLA.NIETS.ORG

    Kind Regards,
    Joost Pol aka Nohican
    Root66

    2. http://www.voy.com/5188/1/52.html

    mailto:nohican@niets.org

    Joost Pol
    IRIS International

    3. http://archives.neohapsis.com/archives/vuln-dev/2000-q2/0453.html

    Subject: Re: The Million Dollar Solution (NOT?)
    From: Nohican (nohican@NIETS.ORG)
    Date: Sat May 06 2000 - 20:20:55 CDT

    Anybody want to drop the joker a line?

    ps: read his posts; I think from the context, and from the fact that this is the only "nohican" that came back, that...

    ...oh, let's not jump to any conclusions!

    t_t_b
    --
    I think not; therefore I ain't®

    --
    I'm on PJ's "enemies" list! Are you?
    1. Re:/. hacked? "nohican", huh? by talks_to_birds · · Score: 1
      Bingo!

      Direct hit!

      I guess you've been outed.

      (I hope for your sake you didn't do any *real* damage. I'm sure andover.net's got lawyers who *love* the scent of fresh blood.)

      t_t_b
      --
      I think not; therefore I ain't®

      --
      I'm on PJ's "enemies" list! Are you?
    2. Re:/. hacked? "nohican", huh? by talks_to_birds · · Score: 4
      Domain Name.......... niets.org
      Registration Date.... 2000-02-21
      Expiry Date.......... 2002-02-21
      Organisation Name.... Root66
      Organisation Address. irc.xs4all.nl
      Organisation Address.
      Organisation Address. Utopia
      Organisation Address. N/A
      Organisation Address. N/A
      Organisation Address. NETHERLANDS

      Admin Name........... Joost Pol

      Admin Address........ irc.xs4all.nl
      Admin Address........
      Admin Address........ Utopia
      Admin Address........ N/A
      Admin Address........ N/A
      Admin Address........ NETHERLANDS
      Admin Email.......... mohican@poxz.net
      Admin Phone.......... +310628887995
      Admin Fax............

      Tech Name............ Domain Administrator

      Tech Address......... 2261 Morello Avenue, Suite C
      Tech Address.........
      Tech Address......... Pleasant Hill
      Tech Address......... 94523
      Tech Address......... California
      Tech Address......... UNITED STATES
      Tech Email........... hostmaster@alldomains.com
      Tech Phone........... 1 925 685 9600
      Tech Fax............. 1 925 685 9620
      Name Server.......... ns1.netcorps.com
      Name Server.......... ns2.netcorps.com

      Of course, it all means nothing, I'm sure.

      Surely a case of mistaken identity..

      t_t_b
      --
      I think not; therefore I ain't®

      --
      I'm on PJ's "enemies" list! Are you?
    3. Re:/. hacked? "nohican", huh? by Anonymous Coward · · Score: 1

      Searched for nohican's and found only one, eh? I understand that there used to be more of them, but evidently this guy is the l... Sorry.

    4. Re:/. hacked? "nohican", huh? by nohican · · Score: 1

      Well, posting this public information on slashdot makes real sense to me. If anyone shares your obsession about details I am convinced that they are intelligent enough to search the web themselves. Regards, Nohican - ps: I improved my spelling :)

    5. Re:/. hacked? "nohican", huh? by turbosk · · Score: 1

      as it turns out, yes, it IS a small world :)

    6. Re:/. hacked? "nohican", huh? by titus-g · · Score: 1
      Now that really is a first, somebody not only responding to comments on a story that they posted, but admitting to errors in the story.

      What are things coming to when your site is hacked and the hackers run it better... :)

      Oh well, that's 2 email addresses you're not going to be able to use for a few months, setting them up to forward to jsage@finschhaffen.com would be mean and you definitely shouldn't do that :)

      --

      ~ppppppppö

    7. Re:/. hacked? "nohican", huh? by kimihia · · Score: 1

      I think we can look a bit closer to home at user #235929, however we can't be sure an opportunist just registered that account moments after the story was posted.

    8. Re:/. hacked? "nohican", huh? by kpitta · · Score: 1
      Tech Address......... 2261 Morello Avenue, Suite C
      Tech Address.........
      Tech Address......... Pleasant Hill
      Tech Address......... 94523
      Tech Address......... California
      Hey! This is a block away from my stepson's preschool! Maybe I'll go pay it a visit after I pick him up from school. . . . .
  26. I love a good pun (SLASHED dot) by xdc · · Score: 1
    I guess now we can call it SLASHED dot ;-), eh?

    That's funny! I hope your post gets moderated up. :)

  27. Re:full disclosure by Performer+Guy · · Score: 3

    /. didn't mention it.

    The article was posted by the hackers, that's the whole point.

  28. Jee Golly by Digitalia · · Score: 1

    This is quite humorous.

    --
    Pax Digitalia
  29. They did it to up their Karma by slag187 · · Score: 4

    You know that's why they cracked the DB, so they could post with +1 for everything.

    Maybe that ought to be a rule - anyone that cracks the DB and does no damage gets automatic GOD karma rating. :)

    1. Re:They did it to up their Karma by Johnny+Starrock · · Score: 1

      Woohoo! Once again we'll witness a +2 or +3 post with a goatse.cx link!!
      --
      end communication
    2. Re:They did it to up their Karma by grappler · · Score: 2

      no grasshopper, you need to think big!

      +2 for everything AND infinite mod points.

      --
      Vidi, Vici, Veni
    3. Re:They did it to up their Karma by Felinoid · · Score: 2

      Part of the bug fix adds a secret flag that gives the person automatic +5 with moderation cancelling on all posts

      --
      I don't actually exist.
  30. Cool! by pb · · Score: 1

    So tell them to post some News for...

    what do you mean they fixed it?
    ---
    pb Reply or e-mail; don't vaguely moderate.

  31. Re:Refund!!! by Li+Rongbao · · Score: 1

    That depends on which processor you use to calculate it. I thought /. was up to date enough that none of this would have happened.

  32. Other harmless hacking by CaptainBloodLoss · · Score: 2

    Relating to this event: A few weeks ago, I took advantage of my friend's ignorance and used ftp to place a simple perl script into his box via the internet. Then, using telnet (yet another service he has enabled!) I executed the script. This script basically repeated these commands: "eject /dev/hdc" and "eject -t /dev/hdc", thus causing his cdrom drive to continuously open and close. A few seconds later, after logging out of the telnet session, I received a phone call.

    1. Re:Other harmless hacking by clare-ents · · Score: 1

      If he had telnet enabled and you had an account already (since you have ftp and telnet access) couldn't you have just logged in and run the script anyway?

      How is this hacking and not normal usage?

      I can compromise my friend Tom's machine - that's because I know the root password - this is not (h)(cr)acking though.

      --
      Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. (Einstein)
  33. What did they get? by Fervent · · Score: 2
    So what did they get? A bunch of passwords and email addresses for a message board site? Doesn't seem like a majorly important hack.

    If they were able to hack, say, Mastercard I'd be impressed (and very scared).

    --

    - I don't care if they globalize against free speech. All my best free thoughts are done in my head.

  34. Re:Refund!!! by greg_barton · · Score: 1

    What's 5 x $0.00???

    On a pentium? $7777.77

  35. No surprise :) by LaZZaR · · Score: 1

    This is what happens when you piss off the guys from DC with all the crap:cat stories ;-)

    Looks like they are a 1337 bunch of hax0rs after all...

    --
    I lost me sig.
  36. This is old news by E1ven · · Score: 1

    I submitted this Weeks Ago!

    ;-)
    Way to go guys. Can't wait to hear the details. *grins*
    --

    This message brought to you by Colin Davis

  37. pick n choose authors? by Kozz · · Score: 1

    I've set my preferences so that I don't even see any of the Jon Katz ramblings anymore. It's been a very refreshing experience.


    Quidquid latine dictum sit, altum videtur.

    --
    I only post comments when someone on the internet is wrong.
    1. Re:pick n choose authors? by dimator · · Score: 1

      I've done that too! Come, my brothers, see what it's like to not have to read delusional blather every week!


      --
      python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
  38. [no subject] by Orgasmatron · · Score: 2

    This story has the potential to draw the most comments ever. I'm doing my part, have you?

    --
    See that "Preview" button?
  39. Re:Info! by ryanr · · Score: 4

    Nope. When an exploit is being actively used, you publish details immediately. Especially in this case, where the code can be patched by the end users themselves. (this all assumes it's a hole in the slash code of course, and not some other problem.)

  40. Re:Why? by Nanookanano · · Score: 1

    If they were Microslob guys they would have sent us all e-mail about how nice they are.

    --
    "..don't you eat that yellow snow."
  41. Bummer Man by Korgan · · Score: 3

    Reading through the posts is kind of funny. Half the people are freaking out... "OH MY GOD! /. HAS BEEN HACKED!!!" and the other half are going "Phhhft... Yeah right..".

    What's the worst that can come of a successful hack against the /. database? A password leak, a few karma points added/deleted, a few posts getting majored?

    Guys and girls, if you use the same password on /. that you use on other services around the internet, then you're begging for trouble. It doesn't matter if it's /. or any other service, you should always use a different password for each. As inconvenient as it is, it's the only real way of being secure. There are plenty of programs out there that will let you maintain a "secure" database of all your usernames/passwords if you really think you're going to have a hassle remembering them all. Just search zdnet or any of the other major shareware/freeware sites. Admittedly most of them are Win32 based, but using things like wine you can usually get around that problem.

    The biggest issue is the possibility of the articles being tampered with. I don't know what else is done on the box that hosts slashdot, but if the usual rules are applied, the database should be secure on a separate machine to the web server.

    This is a blessing more than it is a curse. The great wonders of opensource have shown us that even the mighty /. has an exploit in it now and then. I wonder if this would've been made so public if the slashcode wasn't opensource. As it stands, the flaw has been located and supposedly fixed.

    Oh well, could be worse I guess. ;) At least they didn't deface the site or destroy the database or any other number of things that could've been done.

    <panic>OH MY GOD!!!!!!!!!!! SLASHDOT HAS BEEN HACKED!!!!!!!!!!!!!</panic>

  42. Re:Classic by Rogain · · Score: 1

    Unless you are a member of the oppressed Walloons. Unite my Walloon brethren and let us together smite the evil Dutchmen!

    --
    The current Slashdot moderation system is made by gay communists!
  43. MYSql by OmC-Grimmy · · Score: 1

    Perhaps this is the downside of using mysql instead of a more secure database like Oracle (maybe outta your reach) or DB2. Opensource does have its drawbacks...

  44. Great, I better call my broker by Tairan · · Score: 2
    Time to sell off that VA/Andover stock. "How low can ya go?" Dang, too bad the market is closed. Taco is going to have a really bad day tomorrow.

    --
    /. is a commercial entity. goto slashdot.com
    1. Re:Great, I better call my broker by stripes · · Score: 1
      Time to sell off that VA/Andover stock. "How low can ya go?" Dang, too bad the market is closed.

      You can do after-market trades (and get after-market quotes). See island.com for example.

  45. Re:Perhaps they have tripwire running by matman · · Score: 3

    Tripwire is good for identifying a break-in. However, to rely on it is dangerous. The most secure way of checking is to take the drive out of the box that's using the drive, install it in another box that's standalone, mount it, run tripwire, and write the file to CD/read-only floppy. Then you've got to do it every time that you want to check. But things can get complicated as a hacker could put things in a home dir, or some other writable part of the filesystem that won't get checked by tripwire since that stuff changes so often. It's brutal. Tripwire is good for identifying change, but not so great for making sure that there are no remnants. There's always room for error. Better safe than sorry.
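matman's point, that a Tripwire-style check is only as good as the baseline it is compared against and the parts of the filesystem it covers, is easy to show in code. Below is an added example, not Tripwire and not anything from the thread, in Python: it builds a manifest of mode, owner, size and SHA-256 for every file under a root (so it can be pointed at a drive mounted read-only on a clean box, as matman suggests), serialises the manifest to JSON for write-once media, and diffs a later manifest against it. `demo` constructs a throwaway tree in a temporary directory, replaces one script with a same-size trojaned copy, drops a new file, and edits a dotfile under an excluded home directory, which the check does not see. All paths and file contents are constructed for the example.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Attributes an intruder would have to preserve to go unnoticed.
    mtime is left out on purpose: it is trivially forged and only adds noise."""
    st = path.lstat()
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
           "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISLNK(st.st_mode):
        rec["link"] = os.readlink(path)             # a retargeted symlink is a change too
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def _excluded(rel: Path, exclude) -> bool:
    s = rel.as_posix()
    return any(s == e or s.startswith(e.rstrip("/") + "/") for e in exclude)


def build_manifest(root, exclude=()) -> dict:
    """Relative path -> record for everything under root, minus excluded subtrees
    (the volatile places a checker usually skips, and therefore an intruder may use)."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        dirnames[:] = sorted(d for d in dirnames if not _excluded(rel_dir / d, exclude))
        for name in filenames:
            rel = rel_dir / name
            if not _excluded(rel, exclude):
                manifest[rel.as_posix()] = file_record(root / rel)
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """The three lists a checker should report; 'changed' covers content, mode or owner."""
    common = baseline.keys() & current.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "changed": sorted(p for p in common if baseline[p] != current[p])}


def demo() -> dict:
    """Constructed scenario in a temp dir: take a baseline, tamper, then check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "home" / "alice").mkdir(parents=True)
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
        (root / "bin" / "ls").chmod(0o755)
        (root / "home" / "alice" / ".profile").write_text("PATH=/bin:/usr/bin\n")

        # 1. Baseline taken while the system is still trusted; the JSON is what
        #    you would write to a CD and keep off the box.
        baseline_json = json.dumps(build_manifest(root, exclude=("home",)), sort_keys=True)

        # 2. Intruder activity: ls swapped for a same-size, same-mode copy that
        #    runs from /tmp, a new file in bin, and a PATH hijack in a home
        #    directory the check was told to skip.
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /tmp/.xx/ls \"$@\"\n")
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\nexec /usr/bin/ps \"$@\"\n")
        (root / "home" / "alice" / ".profile").write_text("PATH=/tmp/.xx:/bin:/usr/bin\n")

        # 3. Check the live tree against the read-only baseline. The size of ls
        #    did not change; only the hash catches it. The home edit is invisible.
        return compare(json.loads(baseline_json), build_manifest(root, exclude=("home",)))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two things follow from running it. Size and mode alone would have passed the trojaned `bin/ls`; a content hash is the minimum. And the exclusion list is a statement of what the check will never tell you about, which is why matman treats a clean Tripwire run as evidence of change, not evidence of a clean box.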

  46. Re:full disclosure by BluBrick · · Score: 1

    True, but the /. team could have easily deleted the story. They do deserve some credit for not doing so.

    --
    Ahh - My eye!
    The doctor said I'm not supposed to get Slashdot in it!
  47. Does that mean... by pschmied · · Score: 1

    that ./ will no longer be able to have offspring?

    -Peter

  48. www.slashdot.org by genux · · Score: 1

    I am just wondering why I get this weird-looking page that says: "This is not www.slashdot.org. Neither is this a site which tries to make money off your typo, like some have suggested, we just try to help you", and then it suggests I go to http://slashdot.org. Anyone care to explain?

  49. Why the new account #'s? by Trevor+Goodchild · · Score: 1
    Hey, do you and {} have older accounts here? If so, will you tell us what the user names are? If not, did you two find slash recently and then decide to try hacking it?

    I'm assuming you are the real you because... well, because I can't think of a compelling reason to think otherwise.

    1. Re:Why the new account #'s? by Frank+van+Vliet · · Score: 2

      We have older accounts, does that matter?

      -{}

    2. Re:Why the new account #'s? by Trevor+Goodchild · · Score: 1

      Not too much, I am just curious as to whether or not you guys are active posters. Be damn funny if you were a Bruce Perens imposter ;)

    3. Re:Why the new account #'s? by talks_to_birds · · Score: 1
      Reformatorish Dagblad?

      t_t_b
      --
      I think not; therefore I ain't®

      --
      I'm on PJ's "enemies" list! Are you?
  50. Re:It was me! by ackthpt · · Score: 2

    Wasn't you, was them dutch guys, y'know, the two guys in Rotterdam, to whom Bill Clinton outsourced the entire NSA? Yeah, Rob was fiddling with a new game SimCarnivore, which looked innocent enough, and it faked an AIM note that there was a new submission 'Microsoft Merges with Island of Guam, World Stunned', y'know? So anyway, like he gets this fake Mozilla popping up and he logs in and it emails his password back to these guys, just before Rob gets Segfault (core dumped) to cover the tracks. Good thing we have a budget surplus, maybe we can buy back the NSA© from those guys and outsource to someone less mischievous, such as these guys


    --
    Chief Frog Inspector
    A feeling of having made the same mistake before: Deja Foobar
  51. Re:Why? by Nanookanano · · Score: 1

    It was an oblique reference: story in The Register

    --
    "..don't you eat that yellow snow."
  52. ESR deserves to slap Taco! by micahjd · · Score: 1

    Great... All the true hackers that go by the definitions in the Jargon File are now very angry with CmdrTaco for using "Hacker" incorrectly in the story! I thought slashdot was run by people who understood a geek's needs!

    --
    -- 2 + 2 = 5, for very large values of 2
  53. Re:That reminds me of a saying by 2MuchC0ffeeMan · · Score: 1

    actually, the line goes Oh My God! They Hacked /.! You Bastards!

    --
    Runnin' On Empty .... I'm Still Alive
  54. Re:paranoia by matman · · Score: 2

    You may know the guy, but I doubt that the slashdot admins do... I doubt that they know you either. A tiny bit of trust is not something to risk a business on :) That's the thing about hacking. Even if you hack in, but don't even touch a thing, the admin still has to wipe the box and start over, because if they don't, there is no PROOF that the hacker didn't touch anything.

  55. Re:Ouch by Mojojojo+Monkey+Inc. · · Score: 1

    your sig should read: "I'm not NOT licking toads!"

  56. Re:Stupid Crackers by Anonymous Coward · · Score: 1
    127.0.0.1 is such an obvious self-referential address. RFC1918 reserves these ranges of addresses for private internets (also called intranets), which could be LANs on a local network:
    10.0.0.0 - 10.255.255.255 (10/8 prefix)
    172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
    192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
    Of these 172.16.x.x seems the most subtle to me, you might suggest using it next time. If the user is on a class B LAN, he might crack one of his own boxes. Hope this helps.
  57. OpenBSD by karma+kameleon · · Score: 1

    They shoulda used OpenBSD like Junebug does. Secure by default, locked down like a 13th century 16-year-old damsel's chastity belt.

  58. Re:full disclosure by FyreFiend · · Score: 1

    But they had the balls to keep it up.

    --
    - Apple Computer......proudly going out of business for over twenty years.
  59. This should be what the hackers should do. by Calyth · · Score: 2

    It's great that these hackers (i shouldn't use crackers because they fixed up the hole) exploited and sealed the compromise. In computing Utopia, all hackers should do this, then we won't have security compromises. Thumbs up for those 2.

  60. Re:Assuming that the story is true..... by Performer+Guy · · Score: 3

    No they are bad, the whole point is that now VA needs to check the servers and maybe everything else behind the firewall. That's a drain on resources whichever way you look at it.

    There's no such thing as a friendly hack.

  61. don't trust a netherlander by AvarAz · · Score: 2

    This is another fine example of how we should never trust people from the Netherlands. First they bomb Pearl Harbor and now this. You know, there's a secret organization of prominent leaders and businessmen from around the world who are secretly Netherlanders trying to take over the world. It starts with Slashdot. You'll see. This is just the beginning. They're just playing with us right now! You'll be sorry when the Netherlanders attack us again, oh yes, you will...

    1. Re:don't trust a netherlander by Cardinal+Biggles · · Score: 1

      We did, in fact, bomb Pearl Harbour only yesterday. Don't you read the papers? The Slashdot thing was just a decoy, once the whole US army was distracted we snuck in there and destroyed the place!

      Resistance is futile. You will be assimilated. Soon you will all feel a strange urge to go out and buy a pair of wooden shoes and lots of cheese....

    2. Re:don't trust a netherlander by hping · · Score: 1

      Sorry, but as a Dutchman, I do NOT recall that we bombed Pearl Harbor in 1942; that was the Japanese navy, as I recall from my history lessons. As for trusting a Netherlander ( = a Dutchman); I think it is as usual, Trust in God and in the actions of the man (woman) as YOU think is right. BTW, I do not think the Netherlands will attack any country, barring the workings of our politicians, just buy it and annex it economically:=).

    3. Re:don't trust a netherlander by b1t+r0t · · Score: 1
      This is another fine example of how we should never trust people from the Netherlands. First they bomb Pearl Harbor and now this.

      You misspelled "Perl Harbor". HTH. HAND.

      --
      "Open source is good." - Steve Jobs
      "Open source is evil." - Microsoft
  62. Re:/. :) by Vincepb · · Score: 1

    Or even dot-slashed.. ./'d... Get it?

    --

    I need a sig.
  63. It has to be fun to be able to.. by Tairan · · Score: 3
    browse through all the 50K users, and look at their passwords. It's got to be hilarious to comment on some of them. "CmdrTaco's password is 'secret'? Timothy's is 'gunsaregood'? Hemos's is 'ohgodmywifeisugly'? JonKatz is 'pitythefoolwhoreadsmywritings'." I would love to see a copy of the database, not to do anything with other than run a few things against it and see what the most common / longest / hardest / shortest password is.

    In other ramblings of my mind, our friends in the server room should make a mandatory password change. It is always good practice.

    --
    /. is a commercial entity. goto slashdot.com
    1. Re:It has to be fun to be able to.. by burris · · Score: 2
      I haven't looked at the Slashcode, but I would be shocked if it kept passwords in the clear. There's no excuse for not running the passwords through a strong one-way hash w/salt before storing them.

      Burris

    2. Re:It has to be fun to be able to.. by Monkeyman334 · · Score: 1

      Well then they would have to worry about everyone who has had their password set on a cookie for the past year, and have forgotten their passwords ;)

  64. Re:did anyone else notice... by xjesus · · Score: 1

    Actually that's how it looked when i saw it originally:

    (Score:)
    by on (#)

    i did say they took away the privilege, not that they abused it.

  65. Best article all day by geoffeg · · Score: 2

    The funny part (ok, this whole thing is funny) about this article is that it's the best article that I've seen all day...

    IMHO,
    Geoff

  66. How can you restore without losing recent data? by xdc · · Score: 3
    If you're hacked, the only ways to know that no trojans are around are to wipe clean and start over
    This sounds like good advice, but I have a question. Is there a way to cleanly rebuild the site without losing the most recent posts, stories, account updates, and such? I am especially interested in solutions that would minimize or eliminate downtime on such a dynamic site.

    Any loss (especially of stories and comments) would be highly undesirable for a site such as Slashdot, imho. Then there are even more important systems, such as those that handle financial transactions, in which it is probably mission-critical to not lose any information in the event of a crash or a crack. What methods do database administrators employ for recovery in such situations?

    Ignorance is curable. I want to learn. Thanks in advance. :)

    1. Re:How can you restore without losing recent data? by matman · · Score: 3

      Well, I'm not a security/software engineer (yet) but I would think that by keeping the data separate from the other parts of the site - as in on another box. The data IN a database should be treated as data, and as long as it is treated as such, it won't be executed, and it shouldn't be able to open any doors. So, they should be able to keep the hacked box up as read only, dump the database, move it to a fresh box with the fix on it, and load the data, start it up and they should be alright. Of course we don't know the specific attack, so maybe I'm looking at this from the wrong way - but it sounds as if someone hacked the database and got access to it so that they could post a story. At this point there's no indication of getting outside of the database and onto the system, in which case there's less need to fully reinstall. Again, I'm no expert, and there's hardly enough info out to make an educated guess.

    2. Re:How can you restore without losing recent data? by eris_crow · · Score: 1

      What methods do database administrators employ for recovery in such situations?

      Big database systems like Oracle, Image, Sybase, etc., will have a logging mechanism that records each transaction against the database. You can change what information is actually recorded, but for maximum safety you have it record everything, logins, additions (including the added data), deletions (including the deleted data), and so on.

      This way if something happens to your database, you can load a backup, and then bring it up to date again by rolling forward the transaction log to redo any transactions that have occurred since the backup was made.

      You could also examine the transaction log first to make sure nothing funny has been inserted into it by a sophisticated cracker.


      BTW - I *must* do this, so please to forgive:

      First Post!

      Weeelllllll. It's my first post, at least. My first ever. I'm going to go hide again, now.


      Maltz! Engage the Lurking Device!


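    The restore-then-roll-forward procedure eris_crow describes, together with the suggestion to inspect the log for anything a sophisticated cracker may have planted, as an added example that is not code from the thread or from any of the database products named. The log format, the hash-chain convention and the sample transactions are all constructed for illustration: each record carries a hash of its own body bound to the previous record's hash, so an edited, removed or reordered record is detected before the log is replayed onto the backup.

```python
import copy
import hashlib
import json
from typing import Dict, List, Optional, Tuple

# Constructed convention: the first record chains to this sentinel value.
GENESIS = "0" * 64


def chain_hash(prev_hash: str, body: dict) -> str:
    """Hash of a record body bound to the previous record's hash."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(prev_hash.encode("ascii") + payload).hexdigest()


def append_entry(log: List[dict], body: dict) -> None:
    """Append a transaction record, chaining it to the record before it."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    record = dict(body)
    record["hash"] = chain_hash(prev_hash, body)
    log.append(record)


def verify_log(log: List[dict]) -> Tuple[bool, int]:
    """Recompute the chain; return (ok, index of the first bad record or -1)."""
    prev_hash = GENESIS
    for i, record in enumerate(log):
        body = {k: v for k, v in record.items() if k != "hash"}
        if record.get("hash") != chain_hash(prev_hash, body):
            return False, i
        prev_hash = record["hash"]
    return True, -1


def last_hash(log: List[dict]) -> str:
    """The chain head; compare it against a copy kept off the box to detect truncation."""
    return log[-1]["hash"] if log else GENESIS


def apply_record(state: Dict[str, str], record: dict) -> None:
    """Redo one logged transaction against an in-memory key/value table."""
    op = record["op"]
    if op in ("insert", "update"):
        state[record["key"]] = record["value"]
    elif op == "delete":
        state.pop(record["key"], None)
    else:
        raise ValueError(f"unknown op {op!r}")


def roll_forward(backup: Dict[str, str], log: List[dict],
                 upto_seq: Optional[int] = None) -> Dict[str, str]:
    """Restore the backup, then replay the log up to an optional sequence number.
    A log that fails the integrity check is refused rather than replayed."""
    ok, bad_index = verify_log(log)
    if not ok:
        raise ValueError(f"transaction log fails integrity check at record {bad_index}")
    state = dict(backup)
    for record in log:
        if upto_seq is not None and record["seq"] > upto_seq:
            break
        apply_record(state, record)
    return state


def build_sample_log() -> List[dict]:
    """Constructed sample: three transactions committed after a nightly backup."""
    log: List[dict] = []
    append_entry(log, {"seq": 1, "op": "insert", "key": "story:1", "value": "sample story"})
    append_entry(log, {"seq": 2, "op": "insert", "key": "comment:1", "value": "first post"})
    append_entry(log, {"seq": 3, "op": "update", "key": "story:1", "value": "sample story (edited)"})
    return log


def tampered_copy(log: List[dict], index: int, field: str, value) -> List[dict]:
    """Return a copy of the log with one field of one record altered after the fact."""
    bad = copy.deepcopy(log)
    bad[index][field] = value
    return bad


if __name__ == "__main__":
    backup = {"story:0": "older story"}      # constructed backup snapshot
    log = build_sample_log()
    print(roll_forward(backup, log))
    print(verify_log(tampered_copy(log, 1, "value", "something planted")))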
  67. Re:Slashdot is easy by Nanookanano · · Score: 1

    anyone could get into that port.

    --
    "..don't you eat that yellow snow."
  68. That reminds me of a saying by rphelan · · Score: 1
    (ala southpark)
    Oh my GOD! They Hacked Slashdot! Let's get the bastards!!

    Actually, I thought it was kinda funny. I'm not sure I'd feel the same if it were my site though.

  69. sophisticate! by signingis · · Score: 1

    Maybe he thinks he's all "sophisticate" spelling it "spelt". Either that or he's a damn foreigner in league with the Netherlanders.



    Catch me on AIM: SigningiS

    --

    I prefer a void in conversation to a vacuous one.
    1. Re:sophisticate! by Yamao · · Score: 2

      Actually, "spelt" is perfectly correct and current English, outside of the United States - along with "tyre," "colour," and "homogenise." Have a look at Merriam Webster's Dictionary site.

      Those darn Americans. But the United States is so big! How can it NOT be the entire universe?

      --
      Be nice to your friends. If it weren't for them, you'd be a complete stranger.
    2. Re:sophisticate! by signingis · · Score: 1
      But the United States is so big! How can it NOT be the entire universe?

      Damn straight.



      Catch me on AIM: SigningiS

      --

      I prefer a void in conversation to a vacuous one.
  70. Re:That is rather funny... by _vapor · · Score: 1

    I know because an admin said so.

    --
    www.poak.net
  71. Re:paranoia by Kronovohr · · Score: 1

    but...but...but...I don't have a password! I run CP/M!

  72. Re:Classic by Yamao · · Score: 1

    Well, I think they speak Nether. Or was it Hollish?

    You posted at +1? Wow, you're brave - for a dumb, loud American.

    If you really wanted to know, it's Norwegian.

    --
    Be nice to your friends. If it weren't for them, you'd be a complete stranger.
  73. Re:double login required at home page part of it? by jerdenn · · Score: 1

    Yup, I've noticed the exact same thing, though I don't know why this is happening... -jerdenn

  74. nonsense by the+gnat · · Score: 4

    Maturity? Obviously you've missed the point of this story, but in any case you seem to have odd delusions about personal property and information security. Regardless of whether the powers that be need to audit their code better, the fact that the site could be cracked in no way justifies the actions of the childish losers who went ahead and broke in. I'll avoid the tortured analogies to an unlocked house, but I certainly expect that polite users will stay the fuck away from my machines, whether or not I overlooked the buffer-overflow-du-jour. I wouldn't for a moment trust any asshole who ended up with a root prompt on a system I use or run without authorization.

    I agree with earlier posters that the second-rate pieces of shit that did this shouldn't be sued or legally harassed- have their parents spank them and send them to bed early without dessert. But it's hard to imagine these vandals serving any more useful purpose than as a focus for the contempt of their middle-school classmates.

    1. Re:nonsense by brokeninside · · Score: 2
      I'll avoid the tortured analogies to an unlocked house, but I certainly expect that polite users will stay the fuck away from my machines, whether or not I overlooked the buffer-overflow-du-jour. I wouldn't for a moment trust any asshole who ended up with a root prompt on a system I use or run without authorization.

      Let's get into the tortured analogies. If I accidentally leave the lights on in my car, I'd really prefer someone check to see if the door is open to turn them off for me rather than leaving a note on the window, "you left your lights on, if your car doesn't start it's likely the battery is dead."

      Assuming that the hackers didn't do anything malicious, I don't see how what they did was very much different.

      regards,

      -l

      have a day,

      -l

    2. Re:nonsense by Fishstick · · Score: 1

      >...really prefer someone check to see if the door is open to turn them off for me rather than leaving a note on the window,

      Well *you* may not mind, but *I'm* not going to be opening a stranger's car door to turn off the lights.

      Seems like opening an unlocked car to turn off the lights exposes you to getting your butt shot off if the owner of the car gets the wrong idea as he sees you leaning into his car and happens to be the sort of person that carries a gun for just such an emergency (someone trying to boost his pickup).

      Of course I was brought up with the kind of values that would make me want to help out a stranger by turning off his lights so he isn't stuck with a dead battery. Trouble is, you have to think twice before doing something like that because there are all types of people in the world, not all are like you and would appreciate seeing someone opening their car door and appearing to be getting in (for some unknown reason, perhaps to rob or vandalize).

      If the car in question happens to be a neighbor's, I wouldn't hesitate to try the door and turn off the lights. If my neighbor sees me he's likely to wonder what I'm doing at first, but then thank me once he understands what I was doing. If I run across a stranger's car parked on the city streets, no way I'm touching it. Owner could be a loony. It is sad, but it's not worth the risk to be a 'good samaritan' these days.

      I think this fits the analogy nicely. Obviously these guys knew enough about ./ to feel reasonably comfortable in hacking in, fixing the hole and letting the admins know. Hacking into some random web server and doing the exact same thing carries the risk of being prosecuted or harassed because the owner of the hacked site could react to the appearance of an unwelcomed intrusion rather than the benign intent.

      Plus the analogy falls apart when you compare leaving the headlights on (a visibly obvious problem with a certain near-term consequence) with probing for and exploiting a security hole.

      My bottom line opinion? Sure, hack away if you have noble intentions and you know your target and you don't do any damage. I'm sure the /. admins who now have to rebuild the thing over the next couple days *just in case* something else was planted don't mind.

      --

      There is much cruelty in the universe, John.
      Yeah, we seem to have the tour map.

  75. Re:What's with the brackets? by Frank+van+Vliet · · Score: 1

    erhm search for 'Frank van Vliet' on securityfocus and you know all about me ({})

  76. I can see it now... by MousePotato · · Score: 5

    On E-Bay: For sale ANY /. user account you want. Who needs to purchase a high karma account when you can just buy your enemies' accounts and trash their karma, reputation/image? That's right! Step right up boys and girls. 5r1p7 k1dd135 Inc. will for a limited time only give you access to any account you desire and you may trash away at will:) Call 1-800-urh4x0r3d in the next sixty seconds and we will even throw in a snippet of code that will guarantee you the same access to any slash based site. Wait! There's more! Mention OpenSource and we will even throw in a free kernel upgrade and the link to the actual HOW-TO's will also be yours! Here's the best part!!! If you call and say CmdrTaco sent you we will even throw in his account and all the censoring powers that come with it. Imagine, you and your friends can kill off quickies and JonKatz with a single click(TM).
    Note to self: IF s/N ratio>=facts(old news + /. $authors)

    1. Re:I can see it now... by Fishstick · · Score: 1

      Ah, that explains Signal 11's posts today. No, wait... nevermind.

      --

      There is much cruelty in the universe, John.
      Yeah, we seem to have the tour map.

  77. Re:COMPROMISED! by Kilzall · · Score: 1

    They compromised? Dammit, I told them to keep arguing.

    --
    Win98 sux without these 1337 toolz !!
  78. Two Words by Garpenlov · · Score: 1

    Free publicity.

    --
    --- Where's my X.400 protocol decoder?
  79. Don't they deserve a reward? by Joe+Groff · · Score: 5
    CmdrTaco should send these guys a couple of "I HAX0RD SLASHDOT" T-shirts.

    I kind of think they blew a great opportunity though; imagine the chaos that would ensue if they inserted a story titled "Linux 2.4 Released!" with a link to goatse.cx cleverly hidden as a link to kernel.org...

    --

    -Joe

  80. Re:Info! by pb · · Score: 5

    Wait up, man...

    Maybe some other sites running the Slash code would like five minutes or so to secure their sites before everyone else in the world knows about it?

    Or rather, let's make sure everyone's got the fixes before we go passing around the exploits, ok?
    --
    pb Reply or e-mail; don't vaguely moderate.
  81. Cmdrtaco by Signal+11 · · Score: 3
    We know taco's account wasn't hacked.. he's still making typos...

    --

  82. Re:Finally! by Anonymous Coward · · Score: 3

    I would expect that actions like this occur fairly often, however: If this had been a 'secure' e-commerce web site, would they have posted this at all? No way! They would have hid it at best, and tried to sue the 'hackers' at worst. I did something similar (No, I'm not a cracker, and I can't 'hack' web servers, I just noticed a gaping hole) for a company I used to work for, and I didn't even get a 'thank you' from the company. Do you think this company told their customers? Yeah right. That incident, like probably thousands upon thousands of others, was pushed under the rug, hopefully to be forgotten.

  83. Re:paranoia by Eivind+Eklund · · Score: 1
    Oh, and you ALSO have to reinstall your box if somebody out on the net mails you telling you there is a security issue in some software you are running which is remotely exploitable.

    To reinstall or not is a tradeoff. The distinction between being told about a security hole by somebody you don't know hasn't exploited it and being told about a security hole by somebody that has exploited it and tells you they haven't done any "bad stuff" is fairly artificial.

    'Reinstall after breakin' is a rule of thumb, mostly intended to communicate that it is close to impossible to secure a box against somebody that has had control of it.

    Eivind.

    --
    Doubting the existence of evolution is like doubting the existence of China: It just shows that you're uninformed.
  84. Re:Classic by enneff · · Score: 2
    We have to learn about zillions of little countries.

    Whereas we foreigners automatically know them all by heart. I am constantly astounded by North American ignorance.

  85. Re:this is cool by edibleplastic · · Score: 5
    I'm sorry, but this is the kind of romantic BS that seems to cloud the open-source community. According to you, these guys are cool because they're so friendly and helpful. Yeaaaaa! Let's live in a world where everybody looks out for his neighbor, people leaving cute little notes on each other's web sites: "Excuse me, I noticed a little hole in your site, so I decided to come on over and board it up... for free! Have a nice day!"

    Yes, this is most likely the best way to find and fix security problems, but we have to be *very* careful about attitudes such as the one you're proposing. What would have happened had Slashdot carried our credit card numbers as well? Would we be as happy that some people were poking around the website? According to the attitude you're suggesting, the answer would be a resounding YES! YES, because there could be other people out there who are malicious and if the hole didn't get fixed this way it could have turned out to be much worse if other people had found it. But the fact of the matter is that unauthorized hacking is wrong whenever it is committed. A blind faith in white hat hackers is very dangerous because there is no telling what their motivations are, no matter what they say. How in the world do you know that they didn't take CmdrTaco's passwords? If /. had credit cards, how do you know none had been taken? Because they told us about the security hole? That is not enough proof. Hell, the best way to commit a crime would be to hack in, steal a few things, and then report the problem. And they would be held up as heroes, not hackers, because "luckily, the boys at slashdot 'get it'".

    Property is property, period. Just because this is IP, and just because it is on the Internet does *not* make it any different.

  86. Re:Classic by bertboerland · · Score: 1

    As an American with a decent grounding in Dutch, let me say that it IS an obscure language.

    Dutch might have been a "world" language. When the USoA had to decide what language to pick as their national language (no, the Americans didn't invent English :-) the senate was one vote short for Dutch being the primary language in the USoA.

    My God, the Dutch language would have rich words like "moederneuker"...

    It's not THAT surprising that an American doesn't know

    no comments :-)

    --
    -- for undocumented cisco commands, take a peek @ dotu
  87. That is rather funny... by Ron+Harwood · · Score: 2

    ... you have to admit that this is a classy white-hat hacker way of posting about it...

  88. Re:Hehe by WeThree · · Score: 1

    Buzz! LTNS. :)
    --
    --------------------------------
    Not all who wander, are lost.
  89. One Way Encryption? by hakker · · Score: 1

    Slashdot doesn't use one way encryption like unix passwords? Like enter the password, encrypt it, and check against the encrypted save? Or do I have that ass-backwards and wrong. It would seem that you could do that sort of thing, even with a database. *shrug*

  90. Re:Assuming that the story is true..... by jmegq · · Score: 3
    ... now VA needs to check the servers and maybe everything else behind the firewall. That's a drain on resources whichever way you look at it.

    I think that's true regardless of whether there are any visible hacks to the site. Even if they had just emailed the slashdot crew a patch saying "this is broken and allows an exploit", slashdot or VA would still have to check the servers and maybe everything else on the possibility that someone has used the exploit. It doesn't make good security sense to say "well, I don't see any hacks even though there's this exploit, therefore I wasn't hacked into" -- especially on such a high-profile site.

    This has fun implications for when you upgrade an OS (or anything else) to patch a security hole; if you're really security conscious, you have to do some risk analysis to decide whether to react as if someone has used the hole already to backdoor your system.

  91. Finally! by TDSObeseWhale · · Score: 2

    It's actions such as this that should show the press and the general public that hackers aren't the out-to-get you script kiddie types they are stereotyped as...

    1. Re:Finally! by VenTatsu · · Score: 1

      Yes but /. isn't deleting the post and trying to sweep it under the rug, or pass it off as something minor.

  92. I wish... by SomeOtherGuy · · Score: 1

    I had enough free time to hack into other people's systems. Get a life people. I mean the sheer amount of time I spend reading /. is enough to send me to nerd heaven....

    --
    (+1 Funny) only if I laugh out loud.
  93. Re:Assuming that the story is true..... by Fist+Prost · · Score: 3

    There's no such thing as a friendly hack.

    Let's see, a still-working site, or
    #
    #w00t
    w00t- not found
    #rm -rf /home/
    #rm -rf /var/MySQL/

    Of course that's overly simplistic, but think about it. Even if the person found the security hole, and sent in a patch privately, who's to say the discoverer or someone else hasn't already been quietly exploiting it? Of course now that an exploit has been found (and assuming they DID get the email), there still exists an exploit.

    They'll still have to check and make sure that's what really happened, examine their entire system and probably do a whole lot of reinstalling, but that's what happens. I would hope they'd be doing that anyway if someone turned in an exploit+patch.

    Which also brings up another point. This site in particular seems to have an inordinate amount of content being passed back and forth that is simply incredulous. How many times a week must Rob & Co. get email to the effect of "3y3 0VVn Jo0!"? How do you know when someone is serious? When the hacker posts a story about it, of course! I'd say this is probably the best (if not funniest) way to let everyone know at once. BTW I do feel sorry for the crew up there having all the shit to go through that they must right now.

    One question I do want to see answered, even before the how-to on the crack... Exactly what DID they put in the 1st post that got it deleted so quickly? Remember that the policy on /. is not to delete posts unless there's something messing with the page display; was it that infamous hello.jpg, or worse?

    --

    Fist Prost

    "We're talking about a planet of helpdesks."
    -Jaron Lanier
  94. Here we go again... by ct · · Score: 1

    Shit... does this mean I have to go cancel my credit card?

    -ct

    1. Re:Here we go again... by Trevor+Goodchild · · Score: 1

      Not necessarily. Please post the number and expiration date here, and we'll check to see if it was one of the ones stolen.

  95. Tomorrow's date by jesser · · Score: 2
    Something else uses tomorrow's date.

    Update: 09/29 11:04 PM by michael: We know about it, blah-blah-blah. Don't email us. I think it's safe to say that whatever happened, you'll hear the full details soon enough. Thanks.

    --
    The shareholder is always right.
    1. Re:Tomorrow's date by jellicle · · Score: 1

      Actually my watch had already rolled over to the 29th. :)

      --
      Michael Sims-michael at slashdot.org

  96. Re:paranoia by Fist+Prost · · Score: 2

    At least they didn't post a who's who by seeing which accounts passwords all matched, eh? Could be pretty embarrassing to some of those who have special "blow off steam" accounts.

    Sincerely,
    Bruce Perens*

    *Joke, get it? Joke.

    --

    Fist Prost

    "We're talking about a planet of helpdesks."
    -Jaron Lanier
  97. Re:Assuming that the story is true..... by jmegq · · Score: 1
    If I left the front door to my house open accidentally, I'd prefer that some kind stranger came by, closed the door, and left me a note rather than walk by and leave it open for someone else to possibly take advantage of.

    I might still have to behave as though I've been broken into; a criminal may have come along earlier, or the person leaving the note may be a particularly devious criminal, but that's still better than nothing, as it reduces the window of exploitability that Bruce Schneier likes to talk about.

  98. Re:oh my. by linzeal · · Score: 1
    Could we have 3 John Kats articles in a row?

    I will hold you accountable if that happens for first speaking it, and will smite thee with a poorly written Apple II emulator to compile in.

  99. Hehe by |DaBuzz| · · Score: 3

    Hahahaha, not even Taco has grammar that bad!

    1. Re:Hehe by aardvarko · · Score: 1

      CmdrTaco, or TACO TEH WODNER DOUGH? ;-)

      http://www.somethingawful.com/forums/Forum1/HTML/005983.html

      -aardvarko
      webmaster at aardvarko dot com

  100. Re:full disclosure by jellicle · · Score: 1

    Cat wasn't going to go back in the bag, worms in the can, horse in the barn, etc. The *really* interesting thing - and no one in the comments seems to have thought of this yet - is how will the rest of the news media handle this tomorrow? Anyone want to wager on the headlines? I'm guessing a simple "Slashdot Hacked", and an article long on pointing and laughing but short on details.

    --
    Michael Sims-michael at slashdot.org

  101. Re:paranoia by Anonymous Coward · · Score: 1

    Yes, I just changed my /. password, thanks for the suggestion. Now no one will know my root password is '123456'

  102. BFD by mikpos · · Score: 3

    Even if you *haven't* been compromised, the only way to know no trojans, etc. are installed is to do a fresh install. Just have a little faith, man.

    1. Re:BFD by matman · · Score: 1

      actually, the only way to make SUUURE that no trojans are installed is to take all input devices out of the computer :) including the bios :)

  103. There goes the neighborhood. by AintTooProudToBeg · · Score: 1

    Damned Norwegians.

  104. A Suggestion by clinko · · Score: 1

    Here is a link on how to be l33t for the haxors.

  105. Re:They Weren't Hackers by gehrehmee · · Score: 1

    Ah ah ah...
    That's '31337 h4xx0r d00dz'

    --
    "You know, Hobbes, some days even my lucky rocketship underpants don't help" -- Calvin
  106. Re:paranoia by flikx · · Score: 1

    12345!!??

    That's a code some idiot would put on his luggage.



    okay, dumb joke.

    --
    One future, two choices. Oppose them or let them destroy us.
  107. Re:Info! by radja · · Score: 1

    I doubt smokedot will fix it any time soon.. ;)

    //rdj

    --

    No one can understand the truth until he drinks of coffee's frothy goodness.
    --Sheikh Abd-Al-Kadir, 1587
  108. Good, bad, no difference by slashdot-me · · Score: 2

    Since the slash crew doesn't know these guys personally they'll have to do a tape restore anyway. Right?

    Ryan

  109. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  110. Re:You believe them? by Felinoid · · Score: 1

    Either Taco is dead asleep or laughing his butt off.. I'm not sure...
    If the former.. he'll be running his bum off tomorrow morning... If the latter... good one Taco...
    But I doubt anyone's taking anybody's word for anything

    --
    I don't actually exist.
  111. full disclosure by Evro · · Score: 2
    Yay, congratulations for having the balls to mention it!

    _____________________________________________________

    --
    rooooar
    1. Re:full disclosure by happystink · · Score: 2
      !!!!!!!!!!!!!! Wait, a slashdot employee is accusing other people of being likely to write articles that are "long on pointing and laughing but short on details."? ????????????? !!!!! This is insane. Please tell me the hackers posted this absolute gem of over-the-top irony.

      Michael: I am sure Slashdot will get treated better by the news media than Microsoft would get treated by Slashdot if their website was hacked. If they don't print many details, I wouldn't be too worried, since there aren't any right now publicly available apparently, and at least when they print their articles no one is going to be able to go "wait, your website already covered that story a week ago. DAMNIT HEMOS!"

      --

      sig:
      See the "..for smart people" banners Wired runs here? Look elsewhere guys.

    2. Re:full disclosure by pal · · Score: 1

      yes you can. just not in the same hole.

      - pal

  112. Just freaking fantastic by Mtgman · · Score: 2

    Now I have to go and change the email address I signed up with, my passwords and make sure my karma is the same...Oh wait, I signed up with a spam hole email account that I only checked once to get my password, kept the generated password they issued me so I don't have conflicts with this password and any other systems and I don't give a damn about karma.

    Way to go guys! You guys are 31337! (notice the 3 at the beginning, I may speak lamerese, but that doesn't mean I can't speak proper lamerese) It's pretty damn funny to hack /. post a story, fix the hole, and then let the admins know about it. I just hope it doesn't come out later that you guys did something more, that would really undermine a lot of the white hats efforts.

    Steven

    --
    -- I have marked myself unwilling to moderate-- I don't have other accounts to artificially inflate the karma of
  113. Re:better watch out by mazur · · Score: 2
    Better watch out. US law reaches to the Netherlands.

    Luckily, this isn't so, as the CoS found out.

    But really, you can't blame the guys, it's in our blood: when we see a hole we plug it, for safety's sake. It's what comes from living in a country two-thirds of which is below sea level. Plug first, then think. And, maybe, pray.

    Stefan.
    It takes a lot of brains to enjoy satire, humor and wit-

    --
    The truth shall make you fret. (Ankh-Morpork Times motto)
  114. Well - ack! by metacosm · · Score: 1

    Yikes!

  115. Re:this is cool by jmegq · · Score: 3
    I don't think anyone's particularly happy that people are poking around their websites. However, if a stranger comes by and leaves a note that says "your front door was open", that is more helpful than nothing.

    Of *course* you still have to do a risk assessment and decide if you might have been robbed while the door was open, possibly by the person leaving the note. That's true of the real-life front door to your house as well as a web site.

    The person leaving the note has done two things for you, though: alerted you (and possibly others who visit your house while you're out) that there may have been a problem; and helped reduce the window of exposure to the threat. You do *not* get to conclude that therefore there was no exploit, in part because you don't know how long your front door has been sitting open.

    Your IP/property comment strikes me as a non sequitur; there is nothing wrong with leaving a note on someone's door in real life, so by your argument it should be fine to leave a note on someone's door on the internet.

    I may have missed your point, though; if you're instead making an argument that "seeing an open vulnerability on a web site is inherently *different* than seeing that someone's door is open in real life, and we should close our eyes on the internet lest we see open doors", well, I disagree. But it would make for a good discussion :)

  116. Re:It was me! by Jason+W · · Score: 1
    Ok, so it doesn't have the same effect when you end up #4 instead of #1. Hehe, worth a try :)

    ----

  117. Random Moderation by korr · · Score: 1

    Is it just me or do the majority of top level comments have some sort of automatic random moderation? It appears that even 5 minute old ones have nonsensical moderation such as (+4 Interesting). Strange.

    --

    Download a fast DirectX Tetris Clone [276 k]

  118. Re:nonsense!!! by z00t · · Score: 1

    "but I certainly expect that polite users will stay the fuck away from my machines"

    I suspect they will unless you host one of the most popular sites in the OSS community, and there's boatloads of cred to be earned by sympathetically calling attention to a sploit whose existence would undoubtedly have been revealed at some point on that same site.

    Vandals? No. A vandal somehow marks a place that would never have been otherwise. An exploit in Slashcode would *certainly* have been a story here sooner or later.

    Middle school's a sore spot, huh?

  119. Re:Hackers Crack Slashdot Database, D.C. files Sui by Mamoth · · Score: 1
    Because the moderators don't actually read the posts. They skim them. Dumb.

    Moderators: This should be modded to "Informative" due to its factual base.

  120. Re:Please explain this to me by BluBrick · · Score: 2
    Who is they? What is it? Why is the word even there?

    Try reading the story out loud in a Dutch accent. (That is a serious suggestion.) You'll find that poor grammar is much more acceptable when spoken in a foreign accent than when read without the benefit of accent and emphasis.

    If that doesn't help, carve the following sentence into one side of a length of 2" x 4" timber and beat yourself over the head with it until you understand.

    English is not everyone's native language.

    --
    Ahh - My eye!
    The doctor said I'm not supposed to get Slashdot in it!
  121. Yeah! by Greyfox · · Score: 1

    And it was modded down one by some dipshit with no sense of humor who subsequently had the "Blow Me Dance" done at him by both the guy who modded it back up as interesting and myself! Yeah! Everyone do the "Blow Me Dance" at the butthole moderators! Blow me blow me blow me! (Gyrate Gyrate!) Woooh!

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  122. slahsdot.org by Barbarian · · Score: 2

    you were probably at http://slahsdot.org

    --

  123. They Weren't Hackers by kingkai27 · · Score: 2

    I don't know who penetrated the system, but it couldn't have been hackers.
    Hackers only DOS and Nuke people.
    Good luck with finding the real person who did it.
    Rock 'n Roll, Not Pop 'n Soul

    --
    Rock 'n Roll, Not Pop 'n Soul
    carldrawings.dk3.com
    1. Re:They Weren't Hackers by WD_40 · · Score: 2

      No, they were not hackers, they were crackers. White hat crackers if you will. :)

      _______

      --

      "With sufficient thrust, pigs fly just fine." -- RFC 1925

    2. Re:They Weren't Hackers by Octal · · Score: 1

      And don't forget the lack of 13375p34k.

    3. Re:They Weren't Hackers by DrEldarion · · Score: 3

      Hackers only DOS and Nuke people.

      No, the people you're referring to are '31337 h4xx0r5'. There's a fine line ;)

      -- Dr. Eldarion --

    4. Re:They Weren't Hackers by BahdB0YY · · Score: 1

      Me think you not know difference between hackers and crackers, da ? :)

      --
      And the wonder of it all, is that you just don't realise...
    5. Re:They Weren't Hackers by JimPooley · · Score: 1

      Get over it, a hacker is a computer criminal, a cracker is something you have with cheese.
      And Gay doesn't mean Happy any more, neither.


      Hacker: A criminal who breaks into computer systems

      --

      "Information wants to be paid"
  124. What the hell is a LART? by Barbarian · · Score: 2

    For the benefit of those of us who don't read news.admin.net-abuse.misc every day, please explain the acronym LART.

    --

    1. Re:What the hell is a LART? by buysse · · Score: 2

      (L)user Attitude Readjustment Tool.

      --
      -30-
  125. Re:Classic by Ruthless_Advisorette · · Score: 1
    As an American with a decent grounding in Dutch, let me say that it IS an obscure language. It's not THAT surprising that an American doesn't know. We have to learn about zillions of little countries. Nod off in history class one day and you'll totally miss Germany overrunning Holland.

    It has been my experience that almost every member of the younger Dutch generations DOES speak English...and Dutch...and possibly French....or German....or any number of other languages. It's impressive.

  126. Brilliant by jutus · · Score: 1

    Mind sharing how?

  127. Gold medals at swimming and now this... by ackthpt · · Score: 2

    I'm so proud of the 5/16 of me which is Dutch!

    Ok, fun's over, guys, gimme back my Karma point! I was saving them up to buy a CowboyNeal doll for my dog for Christmas.


    --
    Chief Frog Inspector

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:Gold medals at swimming and now this... by DutchMILaN · · Score: 1

      Well.. let's ask the IOC to put compromising on the list of official Olympic sports. It might make the Olympics a bit less dull. I'm proud of being a world citizen

  128. Re:paranoia by sulli · · Score: 2

    Really you need to do a cold boot. Does Slashdot have that little Reset button you can press with the end of a pen?

    --

    sulli
    RTFJ.
  129. wow by anticlus · · Score: 1

    wow. this is just stupid. why? who would want to hack slashdot? just go hack aol if you have to be high profile and retarded. i hope that slashdot doesn't get hax0red like kuro5hin did :-)

  130. First 0\/\/|\| by Zico · · Score: 2

    Heh, actually, this isn't the first time. Other oldbies might remember when Slashdot was hacked into back in 1998. (Story: http://slashdot.org/articles/98/09/14/1949212.shtml)


    Cheers,

  131. Re:Info! by Kwikymart · · Score: 2

    In this situation, I think it would be better just to release an update to slashcode to fix the problem in a day or two, rather than tell everyone now. I think this would be better for a couple of reasons:

    (this is assuming it is a slashcode hole)

    1) Because this is not a hole that everyone knows how to exploit, so if it's more secretive it will give time for everyone to upgrade. The hackers seemed nice about their hack, so it's better to trust them with the power to take down all the systems running slashcode for a long period of time than it would be to give that power to a huge group of people for a short time.

    2) Say it was a hole in apache, for example; it's better to tell everyone about it because obviously a few crackers/hackers already know about it. We wouldn't know how honest those hackers would be with the power, so it's safer to eliminate it asap. In this situation with the hack of slashdot, I think we can trust them.

    3) Not everyone will be able to patch their own slashcode, so it leaves the newbies with the soap dropped in the showers of a maximum security prison.

    --

    Buying a Dell computer is equivalent to dropping the soap in a prison shower.
  132. Re:paranoia by jannic · · Score: 1

    Even if slashdot is using hashed passwords, you don't know if the hackers had a trojan installed which captured the passwords while you were logging in.
    Slashdot is obviously not using a challenge/response protocol, so someone with admin access to the web server can capture passwords.

  133. parsing Katz by extra88 · · Score: 2

    I'm sure you meant JonKatz's password as "pity the fool who reads my writings" but it also works as "pity, the fool whore ads my writings."

  134. What's "paranoimia" by EricWright · · Score: 1
    That's what they mean when they say 'Keep your passwd secret,' right? It's not??? Shi...<click>

    Eric

  135. Re:paranoia by ChadN · · Score: 2

    If you use the same passwords for slashdot as you do for other systems, change them.

    Does Slashdot store your password in plaintext, or is it hashed using a salt? If the latter, you have a lot less to worry about (assuming a decent hash; MD5 should be fine) Can anyone who has checked the slashcode comment on this? Otherwise, I'll be forced to look it up, and I hate perl. :)

    --
    "It's overkill, of course. But you can never have too much overkill." - Anonymous Slashdot Coward
  136. Re:Crackers, goddammit! by IronChef · · Score: 1


    The crackers/hackers thing is like the Trekkers/Trekkies argument. Enough already. Who cares?

    The term "crackers" came along after "hackers" was already in wide use, when "hackers" tried to differentiate themselves from the black hats.

    Guess what? It didn't take. Joe Blow doesn't even know the term "cracker." To Joe Blow, all computer geeks are hackers, and some can be good, and some can be bad, but all are clever.

    We don't have a word for "evil wizard" as opposed to "wizard," after all.

  137. Re:Classic by Afterimage · · Score: 1

    Hey, don't you belong in Belgium?

    --
    --Humpty Dumpty was pushed!
  138. "fixed" Slashdot? by spam-o-tron+mk1 · · Score: 4
    I hope by "fixed" you also mean, "deleted Jon Katz's account."

    Bruce

    --

    Bruce
    You are the real Bruce Perens.

    1. Re:"fixed" Slashdot? by jd · · Score: 2

      That wouldn't be "fixed", that would be mercy.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    2. Re:"fixed" Slashdot? by ttys00 · · Score: 1

      Who's this Jon Katz? And if he's so unpopular, why is he allowed to post stuff?

    3. Re:"fixed" Slashdot? by jafac · · Score: 2

      "fixed" means: no longer can have puppies.

      Soylent Green is people!

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    4. Re:"fixed" Slashdot? by spam-o-tron+mk1 · · Score: 1
      Yeah, yeah.... Poetic license, ok? :)

      Bruce

      --

      Bruce
      You are the real Bruce Perens.

    5. Re:"fixed" Slashdot? by lizrd · · Score: 1

      Jon Katz is an industry Pundit. He writes really long editorials here on slashdot. For unknown reasons slashdot likes to call them features. I don't really mind his rants all that much, usually I find them at least somewhat interesting, but to each his own. I suspect that the reason why Slashdot lets him post is that he is really popular. Every time he posts an article there are a thousand comments within minutes. So what if 997 of those comments contain the string "Jon Katz is a moron", it's bringing traffic to the site. If nothing else, that'll run up the counters on the ad banners.
      ________________
      They're - They are
      Their - Belonging to them

      --
      I don't want free as in beer. I just want free beer.
    6. Re:"fixed" Slashdot? by i22y · · Score: 1

      Since JonKatz's account has been gone, Slashdot's bandwidth usage has dropped 50% due to lack of his monotonous ramblings.
      ----

      --
      Mike
  139. Dear God WHY!?! by Mtgman · · Score: 2

    This has to be a white hat effort. Think about it, what information which could net a profit for the hackers does the /. database contain? A bunch of email addresses. Of these addresses, most are either spam holes or the addresses of geeks who are typically violently anti-spam. If someone sold this email address list the buyer would get LARTed by about 98% of the active account holders. And even of the 2% that wouldn't LART the spammer, how many do you think would take more than a passing glance at the spam? 0.000000000000000069% give or take JonKatz.

    Even more damning, can you imagine the type of colossal idiot it would take to buy a list of email addresses which is about 90% geeks? "Hmm, should I buy the addresses of wealthy known philanthropists? Or should I target my spam towards a known group of spam-hating technophiles? I'll take the /. list!"

    Steven

    --
    -- I have marked myself unwilling to moderate-- I don't have other accounts to artificially inflate the karma of
  140. Re:Assuming that the story is true..... by jmegq · · Score: 1
    In the cases you mention, clearly a note is redundant; you have full knowledge that an exploit has occurred. I have no intention of defending the exploiter.

    But what if you came home and noticed nothing at all, except that unbeknownst to you, a criminal had come and left a hidden backdoor for themselves to come in later. If there were no note, you wouldn't have reason to suspect anything; you come home to the closed door believing it had never been open. In that case, the note is very useful because it indicates something may be amiss. If the criminal also left the note, well, they're not too slick. But if some other passerby has left the note, you might actively check to make sure nothing subtle is wrong.

    Often people talk about a single hacker or "hack" event on a site, as this one; for all we know people have been hacking slashdot with this particular exploit for years without our knowledge. Receiving "the note" is by no means cause for the warm fuzzies; it's time for that "oh shit" stomach churn and damage control. Better that than continuing to get taken.

  141. Re:this is cool by fluxrad · · Score: 1

    i was going to reply to his post, but i think you've summed up exactly where i'm coming from.

    thx.


    FluX
    After 16 years, MTV has finally completed its deevolution into the shiny things network

    --
    "It is seldom that liberty of any kind is lost all at once." -David Hume
  142. From the "mail me my password e-mail" by whydna · · Score: 1

    and i quote:

    ...'
    If you didn't ask for this, don't get your panties all in a knot.
    You are seeing this message, not "them". So if you can't be
    trusted with your own password, we might have an issue, otherwise,
    you can just disregard this message.'...

    ... great, real nice.

  143. Re:double login required at home page part of it? by rainbowfyre · · Score: 1

    Make sure that you are logging in to http://slashdot.org, and NOT http://WWW.slashdot.org. It may seem like a small thing, but it makes a difference :).
    -rainbowfyre

    --
    Vericon is coming!
  144. nice hack... by DJGreg · · Score: 1

    Classy, non-destructive (so far)...

    cool...

    --

    Yes, one day I may actually learn to spell...
  145. Well /. doesn't set such a great example.. by Monkeyman334 · · Score: 1

    Well /. doesn't set such a great example.. /. runs its own DoS attacks on everyone, bringing down just about any server ;)

  146. Ouch by ecliptik · · Score: 1

    That's gotta be a bummer dude.

  147. Re:paranoia by ndfa · · Score: 2

    thank you... that was soo needed.. you beat me to the punch... hahahaha...
    BTW not a dumb joke..

    --
    Non-Deterministic Finite Automata
  148. Who Posted This Story? by ras_b · · Score: 1

    Everyone is assuming that the crackers posted this story, not Taco. All it says is the db was cracked, then michael updated the story and said stop emailing us. of course there are the issues of the f'd dates, and first post, and the awful grammar that does seem even worse than Taco's.

    who posted this? i guess we'll find out eventually.

    1. Re:Who Posted This Story? by nohican · · Score: 2

      Me and {} posted that story, we are contesting with cmdrTaco for the best-badspelling effort :) - Nohican

  149. Re:it's not that cool by interiot · · Score: 2

    If there's a very large visible car whose popularity is partly staked on being locked, then it's in a different class from some Anonymous Coward's car. Malicious people are much more likely to target the big car, and the people in the big car generally think they're safe, so it's nice if someone informs them that they're less secure than they thought (thinking you're 98% secure but really being 80% secure is much worse than just being 80% secure).
    --

  150. Re:paranoia by fprintf · · Score: 1

    I once had a tech from Sony tell me to reboot twice. On the second reboot he told me to let the machine sit for one minute so all the "little switches" could reset. Ugh! At that point I was so frustrated with the PCI-modem I did what I was told (it still didn't work).

    --
    This post brought to you by your friendly neighborhood MBA.
  151. Re:Info! by linuxgod · · Score: 1

    Try this on openbsd.

    #include <unistd.h>

    /* classic fork bomb: every process, parent and child alike, forks forever */
    int main(void)
    {
        while (1)
        {
            fork();
        }
    }

    Let's see how its security holds against this.

    cc fork.c -o fork
    ./fork &

  152. Re:Locally Crypted passwords by Nohea · · Score: 1

    Dude, that sounds cool. At first i thought that was the answer to all those 'public' passwords we all have on external systems that we have no idea what people do with after we click 'submit'.

    However, what's the difference really? The crypted string just becomes the new 'password'. Which can be compromised the same way.
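
An added example, written by the editor and not posted by anyone in this thread nor taken from Slashcode, that puts the points of comments 132, 135 and 152 side by side. The server stores a salted, iterated hash (PBKDF2 stands in for the MD5 that comment 135 mentions, because a fast hash only slows an attacker who already has the table), yet a trojaned login handler still sees whatever the client sends. Under protocol A it sees the password itself; under protocol B (the client sends the hash, the scheme comment 152 is discussing) it sees a token that is itself a valid credential; under protocol C (challenge/response, which comment 132 notes Slashdot does not use) it sees a response that fails against the next nonce. The user name, password, work factor and in-memory user table are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: PBKDF2 work factor chosen for this example


def derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256). The server stores
    this; in protocols B and C the client computes it too."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def client_respond(key: bytes, nonce: bytes) -> bytes:
    """Protocol C client side: prove possession of `key` without sending it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Server:
    """One-user login server. `captured` stands in for a trojaned login handler
    that records every credential it is shown (the scenario in comment 132)."""

    def __init__(self, username: str, password: str):
        salt = os.urandom(16)
        self.users = {username: {"salt": salt, "hash": derive(password, salt)}}
        self.captured = []   # what an attacker sitting on the server sees
        self.nonces = {}     # outstanding challenges, single use

    def get_salt(self, username: str) -> bytes:
        return self.users[username]["salt"]

    # Protocol A: the password itself is sent. However it is stored afterwards,
    # the server (and anything planted on it) sees the plaintext.
    def login_plain(self, username: str, password: str) -> bool:
        self.captured.append(("plain", username, password))
        rec = self.users.get(username)
        if rec is None:
            return False
        return hmac.compare_digest(derive(password, rec["salt"]), rec["hash"])

    # Protocol B: the client sends derive(password, salt). Now the hash *is* the
    # credential (comment 152): a captured or dumped hash logs in directly.
    def login_client_hashed(self, username: str, token: bytes) -> bool:
        self.captured.append(("hashed", username, token))
        rec = self.users.get(username)
        return rec is not None and hmac.compare_digest(token, rec["hash"])

    # Protocol C: challenge/response. A recorded answer is useless against the
    # next nonce, so a sniffed login cannot be replayed.
    def challenge(self, username: str) -> bytes:
        nonce = os.urandom(16)
        self.nonces[username] = nonce
        return nonce

    def login_challenge(self, username: str, nonce: bytes, response: bytes) -> bool:
        self.captured.append(("challenge", username, nonce, response))
        rec = self.users.get(username)
        if rec is None or self.nonces.pop(username, None) != nonce:
            return False   # unknown user, stale nonce, or nonce already consumed
        expected = hmac.new(rec["hash"], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def replay(server: Server, entry: tuple) -> bool:
    """Attacker replays one captured credential against the same server."""
    kind, username = entry[0], entry[1]
    if kind == "plain":
        return server.login_plain(username, entry[2])
    if kind == "hashed":
        return server.login_client_hashed(username, entry[2])
    fresh = server.challenge(username)                         # server issues a new nonce...
    return server.login_challenge(username, fresh, entry[3])   # ...the old answer fails


def demo(password: str = "correct horse") -> dict:
    """Log in once under each protocol, then replay what the server captured."""
    srv = Server("alice", password)
    out = {}
    srv.login_plain("alice", password)
    out["plain_replay"] = replay(srv, srv.captured[-1])
    token = derive(password, srv.get_salt("alice"))
    srv.login_client_hashed("alice", token)
    out["hashed_replay"] = replay(srv, srv.captured[-1])
    nonce = srv.challenge("alice")
    srv.login_challenge("alice", nonce, client_respond(token, nonce))
    out["challenge_replay"] = replay(srv, srv.captured[-1])
    return out


if __name__ == "__main__":
    print(demo())   # {'plain_replay': True, 'hashed_replay': True, 'challenge_replay': False}
```

The caveat to take from protocols B and C: the stored hash becomes key-equivalent, so a dumped user table logs in directly instead of having to be cracked first, and none of the three protects against a server that is already rooted, which is why the advice in comment 135 to change any password you reuse elsewhere stands regardless of how Slashdot stores them.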

  153. Re:It was me! by Bowie+J.+Paog · · Score: 1

    Get a fucking life

    Bowie J. Poag

    --
    Bowie J. Poag
    Project Manager, System 26 GUI Component Stockpile
  154. Re:The real ones, probly by turbosk · · Score: 1

    trevor's still a twat :)

  155. Re:Classic by Ella+the+Cat · · Score: 1

    Yeah, you know those people from the Netherlands. They always have perfect English skills

    Indeed they do, so much that the fish doesn't have an option for Dutch. Which would come in very handy for some of us :)

  156. Who designed the network? by IsleOfView · · Score: 1
    Why in the world is the database on a machine accessible from the Internet? IMHO, the only machine(s) accessible from the outside should be the web server(s), which connect either through a private address range or via a restrictive firewall to an internal host with the database....

    Micro$oft(R) Windoze NT(TM)
    (C) Copyright 1985-1996 Micro$oft Corp.
    C:\>uptime
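
An added example (editor's code, not from this thread and not part of Slashcode) of the check comment 156 is asking for: given listener output, report any database port that is bound to a wildcard or public address rather than loopback or a private range. The port list and the `ss -ltn`-shaped sample lines are constructed for the example, not captured from any real host. Because it classifies on the whole address block rather than the literal 127.0.0.1, it also treats an address like the 127.54.86.26 mentioned in comment 162 as loopback.

```python
import ipaddress

DB_PORTS = {3306, 5432, 1433, 1521, 27017}   # assumption: ports to treat as database listeners

# Constructed sample in the shape of `ss -ltn` output; not captured from any real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
LISTEN 0      128    [::]:443            [::]:*
LISTEN 0      70     0.0.0.0:3306        0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
LISTEN 0      128    10.1.2.3:5432       0.0.0.0:*
LISTEN 0      128    1.2.3.4:27017       0.0.0.0:*
"""


def classify(addr: str) -> str:
    """Where a bound address can be reached from: loopback, any interface
    (wildcard bind), a private range, or a public address."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:        # the whole 127/8 block (and ::1), not only 127.0.0.1
        return "loopback"
    if ip.is_unspecified:     # 0.0.0.0 or :: means every interface the host has
        return "any"
    if ip.is_private:         # RFC 1918, ULA and similar non-routable ranges
        return "private"
    return "public"


def parse_listeners(text: str):
    """Yield (address, port) for each LISTEN line of ss-style output."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # "Local Address:Port" column
        addr = addr.strip("[]")                 # IPv6 is printed as [addr]:port
        if addr == "*":                         # some ss versions print * for wildcard
            addr = "0.0.0.0"
        yield addr, int(port)


def exposed_db_listeners(text: str, db_ports=DB_PORTS):
    """Database ports bound where an Internet-facing interface could serve them.
    A private-range bind is passed as acceptable; whether that range really is
    internal depends on the host's routing and firewall, which is outside this check."""
    findings = []
    for addr, port in parse_listeners(text):
        if port not in db_ports:
            continue
        where = classify(addr)
        if where in ("any", "public"):
            findings.append((addr, port, where))
    return findings


if __name__ == "__main__":
    for addr, port, where in exposed_db_listeners(SAMPLE_SS):
        print(f"database port {port} listening on {addr} ({where})")
```

On the sample this flags the MySQL port on 0.0.0.0 and the MongoDB port on the public address, and accepts the two PostgreSQL binds on loopback and on the 10/8 address; the latter is only as safe as the firewall in front of it, which is exactly the "restrictive firewall" half of comment 156's design.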

  157. /. upgrades by omission9 · · Score: 1

    Hope they planted a script to delete all stories by and references to Jon Katz.

  158. Re:paranoia by VenTatsu · · Score: 2

    12345! Now I have to change the combination on all my luggage.

    Sorry, it begged for the proper reply.

  159. Re:did anyone else notice... by b1t+r0t · · Score: 1
    and also that the sid uses tomorrow's date.

    Slashcode is intended to run with the clock set to GMT/UTC. That's why you get to metamod again sometime in the morning. (in .us)

    --

    --
    "Open source is good." - Steve Jobs
    "Open source is evil." - Microsoft
  160. Re:Info! by TrevorB · · Score: 4

    Okay, so you've hacked Slashdot, fixed the security hole and pulled a classic white hat move which will live in infamy.

    What are you going to do now?

    We're going to DISNEYLAND!!!

  161. Why all the criticism???? by linuxrunner · · Score: 1

    I understand that to most people, hackers are seen as a bad thing and only thought of in a negative context.
    If the story is true, mind you, you have to remember this hack was done merely for the challenge. Everyone remembers challenges, right?
    I mean, that's why most of us hack code: for the challenge. We want to produce an outcome, but how do we get there?
    So these guys like a different challenge and they excelled at it. Fine. They won, and told the admins.

    Why did they tell? They're not evil, nor are they geniuses. Chances are, if they got in through a hole, so will someone else. We would rather have hackers such as these discovering the latest holes and patching them up instead of some script kiddie knocking down the whole system.

    Take your pick.

    --
    www.slightlycrewed.com - Because aren't we all?
  162. Re:Stupid Crackers by Robert+S+Gormley · · Score: 2

    Better: ftp.linuxwarez.org was registered as 127.54.86.26 (random last three octets, but you get the idea) - it passes quick inspection much more easily

    --

    Open Source. Closed Minds. We are Slashdot.

  163. Ask Slashdot by fader · · Score: 2

    It will be interesting to see the /. crew's reaction to this... how 'bout it, Taco, Hemos, et al? :)

    --
    - fader
  164. Some of you don't get it by MyAss · · Score: 2

    Slashdot really hasn't disclosed anything yet... The guys who compromised the database have posted this "story" as the Taco.

    --

    They misunderestimated me. -- George W. Bush
  165. err... by Li0n · · Score: 3

    I don't think they actually store the /. user account passwords in /etc/passwd

    ~
    ~

    --

    ~
    ~
    :wq
  166. Heh... by Ravagin · · Score: 1

    If I were feeling spiteful and bitter, I'd say something like, "We're not gonna get much info on this anytime soon, cause the /. crew never actually read the page, as we saw earlier today with the PS2 thing."

    But I'm not in that kind of mood. It just occurred to me (thought process: i want to know more about this -> more info must come from /. team -> they will find out when they see it -> when will they see it). Of course, the "hackers" say they emailed the admins, so whatever.

    I dunno, I think this is all kind of cute. Thinking back to what happened to a certain PDA news site recently (I forget which one), this could have been much worse.
    -J

    --

    Karma: T-rexcellent.

  167. microsoft by Otis_INF · · Score: 2

    Thankfully there is also a crapstory about Microsoft on the frontpage, so the 'hack'news won't catch anyone's attention.
    --

    --
    Never underestimate the relief of true separation of Religion and State.
  168. Re:What's with the brackets? by MrScience · · Score: 1

    Google search found This good interview with you...

    --

    You quitting proves that the karma kap worked. The most annoying of the whores shut up. --CmdrTaco

  169. For the slow by Anonymous Coward · · Score: 2

    Taco didnt post that message.

  170. Re:Info! by Fervent · · Score: 2
    What if it's a problem with Linux itself? Wouldn't it lend credence to the whole idea that important servers should be running something else?

    Just a thought.

    --

    - I don't care if they globalize against free speech. All my best free thoughts are done in my head.

  171. Then What is it!? by Li0n · · Score: 1

    maybe they should post about... err nevermind :P

    ~
    ~

    --

    ~
    ~
    :wq
  172. Re:Classic by SubtleNuance · · Score: 1

    As a representative of the other North Americans that are NOT 'American' I am offended. I believe you owe Canada and ALL Canadians an apology. How dare you accuse Canadians of being a clueless Yankee. Just to let you know, Canadians dislike loud-mouth, know-nothing, brash, myopic, clue-less Americans just a little more than most. The following countries are tired of being accused of being Clueless North Americans simply because The Stinking USA happens to be near:

    CUBA (End the Embargo!), Greenland, Mexico, Jamaica, Haiti, DM, Puerto Rico (god help them soon), Belize, Bahamas, Panama, Bermuda, Nicaragua, Guatemala, Costa Rica, Honduras, Costa Rica & El Salvador are all owed an apology.

    Do the world (and yourselves) a favour Yankee; tell your relatives/neighbours/friends to:

  173. Post MUST stay: DeCSS and Kerberos by Sir+Tristam · · Score: 1
    Several other posters have mentioned that it's kind of cool that Slashdot hasn't gone and removed this article, posted by the hackers. After all, how many sites would leave evidence of their security holes lying around?

    We must remember, however, that part of Slashdot's defense for the posting of DeCSS source code and links, and postings of Microsoft's butchered implementation of the Kerberos standard, is that Slashdot doesn't delete or edit any posts. If Slashdot were to remove this article, it would remove one of their major points of defense in these two cases. So, leaving this article up is not only the morally right thing to do, it is also a legal necessity for Andover.

  174. Re:Info! by Type-R · · Score: 1

    Uh, okay, I ran it and hit my ulimits. But even if I hadn't, I don't get where I'd have elevated privilege (i.e. what data do you have access to after that you didn't before).

    This is a DoS, not a breach. (And see the thread about this exact issue on the OpenBSD mailing lists).

    NEXT!! :)

  175. Re:it's not that cool by fredrik70 · · Score: 1

    Thing is though, that whatever the law says and all that, people are still going around and hacking sites, be it for fun, interest, or personal winnings (cc numbers, etc). We can only be grateful that there ARE some 'Good Guys' hackers (I actually believe most of them are, might be a bit romantic ;-) who tell you about the holes they found. As said before, you gotta be suspicious anyway and change all passwds and work from the assumption that they actually MIGHT have stolen something from the site (cc numbers, etc, again). However, I think it's not wise to try to nail them for it - even if you should do so according to law. You might get bitten back by them or other hackers getting pissed off at your ungratefulness. Cause I suppose in their eyes, they helped you out while just doing their hobby/purpose of life thing...

    just my 2 pennies

    --
    if (!signature) { throw std::runtime_error("No sig!"); }
  176. Re:this is cool by Kintanon · · Score: 2

    Hacking should be prosecuted on a case by case basis of the amount of harm done, not just because someone broke in. IF they break in, fix the hole, and send you a note saying what they did and why then you should thank them and leave them alone. If they come in, look around and leave they should be charged with breaking and entering, if they touch anything then you can get up to theft, grand theft, etc...

    Kintanon

    --
    Check out JoshJitsu.info for Brazilian Ji
  177. posting for history by mach-5 · · Score: 1

    I'm just posting so that I'm archived as part of /. history.

    Anonymous Coward=Anonymous Hacker, or not-so-anonymous perhaps.

  178. Re:Hackers Crack Slashdot Database, D.C. files Sui by fredrik70 · · Score: 1

    Personally I would say 'Informative'.....

    --
    if (!signature) { throw std::runtime_error("No sig!"); }
  179. Re:paranoia by eudas · · Score: 1

    hell, if they hacked my account, the only way my karma could go is up. eudas

    --
    Blessed is he who expects the worst, for he shall not be disappointed.
  180. Who did you telnet in as? by Clansman · · Score: 1

    I am confused ... I have telnet enabled so I can work from home but I appear to have to use an account and a password to actually get in ...

    Or have I just fallen for a trolly, flamey thing?

  181. Re:Classic by fredrik70 · · Score: 1

    Yeah, you poor souls *grin*
    we on the other hand just gotta learn about ONE country, The good ol' US of A!! *it's true! it's true! - I'm not taking the piss! Promise! Honest!*

    --
    if (!signature) { throw std::runtime_error("No sig!"); }
  182. Re:One Way Hash by _GNU_ · · Score: 1

    Well.. then people would have to change their password if they forget it, not that it would be a problem as they can change it later to the password they use everywhere, like their mother's name or such hard-to-crack passwords. :P

  183. Naughty, naughty, Cmdr. Taco by revbob · · Score: 1

    You might have picked a better place for it than http://slashdot.org/phpMyAdmin/

  184. Credit Card numbers, security, et al by jd · · Score: 2
    First, ANY site that carries valuable information in the clear has as much right to complain when it's stolen as the guy who lines the driveway with gold coins and Ming vases.

    Sure, it's still theft, but personal responsibility comes in there, somewhere. Don't play-pretend that negligence bordering on the psychotic deserves the same compassion as someone who accepts and makes allowance for risks within reason.

    IMHO, to say "property is property" is a misguided and dangerous philosophy. It bundles up your body (which you really can't live without), your personal information (anything for which there is a near-unique 1:1 relationship between you and it), and mere physical or electronic "things", all of which can be replaced.

    That equation is comparable to those southern UKers who want to close public rights of way, because the poor sods who want to enjoy a walk through a woods, or a stroll by a lake, should go buy their own. Physical things belong to nature or to some group within society. Not to individuals.

    (Or, to put it another way, what belongeth to Caesar, render unto Caesar.)

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  185. Re:It was me! by Anonymous Coward · · Score: 1

    Why? Because you can't moderate everybody.

  186. Re:double login required at home page part of it? by jerdenn · · Score: 1

    yup. that's my problems. thanks.

  187. Re:it's not that cool by jesterzog · · Score: 5

    I don't think anyone's particularly happy that people are poking around their websites. However, if a stranger comes by and leaves a note that says "your front door was open", that is more helpful than nothing.

    I know what you're getting at and sometimes I do feel that way. Also though, I think it can be a very gray area and IMHO it's risky the way you're going with it.

    I'll use the car-in-the-parking-lot scenario. Would I mind someone leaving a note on my car if they noticed one of the doors was unlocked? Within reason, probably not. But do I think people have the right to walk around the parking lot trying to open car doors, just to see which ones aren't locked? Of course not.

    There are metaphors everywhere. I can encrypt my email to prevent people reading it. Do I want anonymous strangers to try to decrypt it as long as they promise not to read it? Not really. If I say I don't mind, it gives anyone who wants to break it an easy back-door out of being prosecuted. Imagine what it would be like if govco could get away with saying "we were only trying to show you that your cryptography was faulty. Oh and by the way, we stumbled on this evidence which we're going to use against you.". It always starts with small things, and I can't see why it wouldn't lead to that.

    Obviously I'd like to know if anyone stumbles on a way in accidentally or sees something by chance, but I'd like to arrange for it to be tested on my own, thank you.

    So I guess my point is that if it's ethically okay to try to crack websites etc in the interests of improving security, it suddenly makes it ethically okay to crack them. As long as someone hasn't actually stolen the credit card numbers yet, it makes it okay.

    Sure some crackers mean well, but it shouldn't be an excuse to let them off. If they really want to test a site that way they should ask permission first. Let sites decide whether they want everyone trying to break them or not. Most of them will say no, and at that point, what right does anyone else have to force their "better" opinion on another person or company regardless? I've had enough of that from govco and I don't want to start getting it from random unidentified script kiddies.


    ===
  188. Re:Classic by fredrik70 · · Score: 1

    Yeah, believe they are the ones who speak the best English in Europe (well - next to the UK)

    Always thought we Scandinavians were the dog's bollocks when it came to English in Europe, but Holland made me humble....

    --
    if (!signature) { throw std::runtime_error("No sig!"); }
  189. Info! by Skyshadow · · Score: 5
    Okay, so you've hacked Slashdot, fixed the security hole and pulled a classic white hat move which will live in infamy.

    So, let's hear some details. Howdya do it? Remember, we're techies and not magicians; we can reveal our secrets.

    ----

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
    1. Re:Info! by jallen02 · · Score: 1

      *smirk* well when you have a sanely set up system, no one can access root, and I'd limit the number of processes per user to, oh say, 16-32 depending on need, and memory to, oh say, 16-32MB depending on need, so it would stop dead in its tracks. As long as you set up the user accounts properly, shit like that doesn't happen...

      Jeremy

      Replying to a troll... *mutter*

    2. Re:Info! by TheCarp · · Score: 2

      Well, that's more of a resource allocation issue than a security issue. In fact, process limits for users take care of the problem nicely.

      And no, I am not defending them cuz I like BSD, I have exactly 1 account on a BSD system, and I know better than to form an opinion on an OS based on a box that has been the victim of some bad (too many roots spoiling the filesystem) administration.

      I actually am a Linux user (Debian/GNU) myself. It would fall to the same "attack" without user process limiting set. (in fact, I am a programmer, so once or twice I accidentally did it, or something similar, to my own machine because I was coding while overtired)

      I know of no system where this will give elevated privileges. All it will do is piss off the admin. It also requires a local account (and it's hard to hide which account did it). It's also relatively easy to stop.

      (as root: kill -SIGSTOP -1; then see who did it, killall the procs, and kill -SIGCONT -1 <- note: I have only done this under linux; I don't know that it's not relying on linux specific behaviour)

      -Steve

      --
      "I opened my eyes, and everything went dark again"
    3. Re:Info! by adamhupp · · Score: 1

      Just because it has been used at all doesn't qualify something as being "actively" used. The appropriate response is to notify the vendor, which has obviously (publicly) been done. Whatever this hole came from, it will be fixed ASAP and people using whatever will have time to fix it. Immediate release will only cause 5krip7 K1d problems.

      -Adam

  190. "Hacker"? Don't you mean "cracker"? by Joe+MacDonald · · Score: 1
    Excuse me, aren't you the guys who rant when the mainstream media-types use 'hacker' to mean system-cracker? For shame, guys.

    Karma be damned again.

    --
    -Joe
  191. hax0r BAD! by moath · · Score: 1

    Hax0r of slashdot BAD! Hax0r of RIAA GOOOOOD! At least they didn't take my lifeblood of a news-site down.

  192. this is cool by fluxrad · · Score: 5

    i think something like this truly embodies the hacker ethic (yes, we're talking about the one you hear about in the news :(

    Technically, you could sue these guys and have them thrown in prison (with certain international legal assumptions). Luckily, the boys at slashdot "get it." - This is truly the open source of cracking. Finding a problem and fixing it. I feel like there should be a sign on the front porch of the internet that says "Please leave this place tidier than you found it"


    FluX
    After 16 years, MTV has finally completed its deevolution into the shiny things network

    --
    "It is seldom that liberty of any kind is lost all at once." -David Hume
    1. Re:this is cool by jafac · · Score: 2

      Leaving a note on someone's door is equated in this analogy to hacking someone's website and telling them they have a security hole.

      Of course, when it's a corporate web site lawyers and management types get a bit bent out of shape. Sort of like when someone walks onto my porch and my dog barks at them. Maybe we should keep the lawyers and management types in the back yard where they can poop on the grass.

      Soylent Green is people!

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    2. Re:this is cool by Locke420 · · Score: 1

      I have to say I disagree with your comments. While it is a good point that the server may have had credit card numbers stored, the fact of the matter is that it didn't (unless you somehow got tricked into putting in a card # when you registered). Think of it this way: If you buy a brand new Fjord Exploder 4x4, and 20 other people who have just bought that same vehicle were killed when they turned on the left directional and the car exploded, would you want Fjord to find out about the problem and do something to fix it, or would you rather just keep taking your chances that your Fjord Exploder is safe just because it hasn't blown up yet? I for one would rather hear about security leaks than have them left to be found.

    3. Re:this is cool by nobody/incognito · · Score: 1

      property is theft.

      nobody

      --
      parturiunt montes, nascetur ridiculus mus
  193. paranoia by matman · · Score: 4

    They claim to be good guys, but there's no proof of it. If you use the same passwords for slashdot as you do for other systems, change them. I realize that it's unlikely that any hacker would pick you out of the hundreds of thousands of accounts on slashdot, but they might. I hope that the admins have stuck a fresh slashdot up online (new box, new install, installed patch for the problem, etc) or are doing that now. If you're hacked, the only ways to know that no trojans are around are to wipe clean and start over, or make sure that you were running the box off of a cdrom disk and you've replaced writable areas. Even doing file digest scans is not trickiness-proof.

    1. Re:paranoia by DrGalaxy · · Score: 1

      Maybe I'm a moron but they use a mySQL database and generally items stored as passwords go through some kind of encryption ( something like password("blahblah"); ). Also, it says that their database was compromised, which doesn't sound like someone could have replaced the /bin/login or anything like you are saying.

    2. Re:paranoia by sulli · · Score: 2
      True, but not everyone is using win2K. Win98 lusers like me have to reboot all the time & it's a major pain. I end up having to cold boot my Toshiba laptop 1-2x per day, with a paper clip or pen on that little recessed button.

      Sigh.

      --

      sulli
      RTFJ.
    3. Re:paranoia by Royster · · Score: 2

      Does Slashdot store your password in plaintext, or is it hashed using a salt?

      Think about it. How can /. email you your forgotten password if the passwords have been MD5ed?

      --
      I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
    4. Re:paranoia by Dr.+Merkwürdigliebe · · Score: 1

      Fist Prost

      I'm not sure Alain would like that. Then again, the way his F1 team has been performing...

      --
      - Also Sprach Doktor Merkwurdigliebe
    5. Re:paranoia by jfunk · · Score: 2

      Yep, they're plaintext all right. I run Slashcode here at my office, where some people accidentally create accounts with a typo in the name. It blocks multiple accounts with a single email address, so I end up in the database...

    6. Re:paranoia by Anonymous Coward · · Score: 5

      I suggest reinstalling Windows.

    7. Re:paranoia by jovlinger · · Score: 1

      Prost! (pause 1 second) Alain Prost! is my favorite toast when drinking at dinners. Only works with european males, tho.

    8. Re:paranoia by theCoder · · Score: 1

      Does Slashdot store your password in plaintext, or is it hashed using a salt?

      I know that at least in my / setup on my site, all the passwords are stored in the DB in plaintext. It scares me, but I don't have the time to go and fix it.

      --
      "Save the whales, feed the hungry, free the mallocs" -- author unknown
    9. Re:paranoia by Anonymous Coward · · Score: 1

      Actually, a reboot should do it. Reboot twice, just to make sure.

    10. Re:paranoia by redial+1 · · Score: 1

      I agree. As kind as it was of them to fix the problem, it would be very easy to say 'hey don't worry we fixed it' in order to cloak a more devious hack. Hopefully out of respect for what slashdot does for the community this isn't true, but when it comes to hacking, you never know.

      -re

      'Share your knowledge. It's a way to achieve immortality.'

    11. Re:paranoia by RichN · · Score: 1

      People who quote L. Torvalds are truly pathetic.

      --

      Rich

    12. Re:paranoia by Tony+Shepps · · Score: 3
      You're not going far enough. It *could* be that not only did they crack /., but that they cracked the boxes that /. runs on, the routers leading to those boxes, etc. and have basically taken control. The first step after securing their own access was to post a bogus /. story saying that /. has been cracked but that this was a white-hat job and everything is back to normal! And since then, they've continued to post /. stories to give the userbase a sense that everything is fine!

      What use of it? Well imagine the information that could be gathered about the userbase. We've basically given away a ton. Preferences, slashboxen, posts, poll answers, REAL email addresses, IP addresses. Now consider who could benefit from a database of that kind of specific information about over 100000 users. Governments? FBI? NSA? No, you're thinking too small. It's DOUBLECLICK!

      Now we don't know any of this for sure, I'll grant you. But if you start seeing targeted banners that talk about different brands of hot grits, well all I can say is that I TOLD YOU. And by the way, another hint of the takeover would be if this post were moderated in such a way that most users wouldn't see it. They can't remove the post, you know, that would be too obvious! They need to take advantage of our own biases!
      --

    13. Re:paranoia by Jawbox · · Score: 1

      Umm, no actually. Let's see, I installed a new Video Driver for my old voodoo, that was a reboot. I installed Service Pack 1, that required a reboot. Windows 2000 still requires reboots. But then again, does the minute it takes to reboot a system really hurt that much?

      Whoops, gotta reboot. Time to grab another beer. Maybe you shouldn't take that bit of advice though, could leave you as a raging alcoholic if you were to say do an install of Windows 95/98/ME.

  194. Re:wheee! by kingkai27 · · Score: 1

    I believe its Rokken like Dokken
    insert funny dot's above O's here.
    Rock 'n Roll, Not Pop 'n Soul

    --
    Rock 'n Roll, Not Pop 'n Soul
    carldrawings.dk3.com
  195. Re:Proud to say... by boinger · · Score: 1

    Well, when I replied saying "post it", the Nohican post was not yet up, so far that I saw....*shrug*

    --
    Send your friends messages of love at fuck-you.org
  196. Congrats by Ruthless_Advisorette · · Score: 1
    I see lots of people saying various things, but seems you're the only one who actually took the time to use Web Ferret. :) Very nice.

    -- Liefs, Ruthie (not my real name, my REAL name is a little too unique. haha)

  197. Re:Classic by F452 · · Score: 1

    And I am constantly astounded by World generalizing!

  198. Hacking and Analogies by White+Shade · · Score: 1

    Ok there is one thing which has always annoyed me about discussions about hacking:
    WHY Does everybody keep making stupid analogies?
    Breaking into a bank or looking into somebody's window is basically completely different than hacking into somebody's computer. And here is why, as I see it.

    Nobody breaks into a bank just to 'prove that they can do it', and certainly after one has broken into a bank, one does not leave a little note saying how they did it. The sole reason for illegally breaking into a bank is to steal money.

    Peeking into a window is somewhat closer to what hacking entails, but not really. When one peeks into a window, again the most likely reasons are to case the place to plan a robbery or to fulfill some voyeuristic inclination. There is also an immediate destruction of privacy. Again, there is no reason for the perpetrator to 'leave a note' to say what they had done. The entire point of peeking into a window is to do something WITHOUT BEING NOTICED.

    When one hacks into a system, it is usually immediately obvious to the owner of the system if they're actually paying attention. Also, there are a variety of motivations for hacking (As compared to breaking into a bank or peeking into windows). Hackers could be hacking to actually destroy the target system, for the sheer hell of it, a lack of anything better to do, or with a genuine intent to help the owner of the system out. I don't really want to go into the merits of hacking for the powers of good, because that's a whole different topic. Anyway...

    When the media or ppl on the internet start making analogies between hacking and anything in 'real life', they're instantly causing confusion. Cyberspace and Realspace are almost completely different. There are some rules which are the same, like not stealing and destroying things which are the same as in the real world, but that's where any similarity ends. When someone breaks into anything in the real world, it's essentially always for a bad purpose. As soon as an analogy links a physical crime with a virtual one, the situation is instantly clouded by lots of garbage that really doesn't apply.

    Sigh... analogies are here to stay. Just an idea.

    -ws

    --
  199. Full disclosure? by psychosis · · Score: 5

    Just curious if we'll have a report on what happened and how it was done after everything is cleaned up. With slash being full-open-source, it would be a good way to educate the community.
    Not that I think we should expect something in the next hour or anything, but in a week or so, maybe...

  200. 3 h4x0rz! not two by Het+Guur · · Score: 1

    I think "&&" is a 31337 h4x0r too...

    --
    Linux is for Windows Haters, BSD is for Unix lovers
  201. Re:it's not that cool by mistcat · · Score: 2
    I think you're living in a glass house if you think that people shouldn't test the security of your privacy. If people simply assumed that their freedoms were protected, and they were not, far more damage could and probably would be done.

    People need to take responsibility for their own security, granted, but in a public environment such as the internet it takes legions of smart skilled people to ensure basic rights. Figuring out problems in the system is vital to the continued community and connection we all enjoy at places like slashdot.

    It is very important for ethical people to examine the security of public venues, when you go to a concert you want it swept for bombs, when you have nuclear weapons, you want them safeguarded, locked. Certainly we have people governments appoint for these things, but in a non-governmental society like the internet we must rely on WhiteHats to help ensure our safety, privacy, and freedoms.

    You can't assume people are ethical in such an anonymous and large group, you have to assume they aren't and be pleasantly surprised when they are.

    --
    "A lie gets halfway around the world before the truth has a chance to get its pants on." - Sir Winston Churchill
  202. Refund!!! by www.sorehands.com · · Score: 4
    Ok, you promised to keep all my private stuff secret.

    I want my membership money returned. Actually, make it 5X my membership fee. What's 5 x $0.00???

  203. Yeouch! by FreeJack1 · · Score: 1
    Even successfully hacking into /. could get 'em the first post!
    Tough group!


    --

    Vote Homer Simpson for President!

  204. Rats, no moderation points left by thegrommit · · Score: 1

    :)

  205. Re:Uhh. by arcade · · Score: 2

    I can't remember seeing the apache crew do that.. if you remember when apache.org was cracked.


    --
    "Rune Kristian Viken" - http://www.nwo.no - arca
  206. Re:COMPROMISED! by JCMay · · Score: 1

    Score:+5, funny

  207. This Post May Spontaneously Combust by gunner800 · · Score: 4

    Well, I've been a little worried for awhile about the generally poor quality of stories on Slashdot. But finally, something worth reading about.


    My mom is not a Karma whore!

  208. Something I've been missing here... by DontBFake · · Score: 1

    Everybody here assumes that these Dutch guys were the only ones trying to crack /., but what if, like, 3 or 4 '133t h4x0rs' have been trying to do the very same thing for weeks, getting closer every day, with bad intentions? In that case I'm happy my fellow countrymen got in first and notified /.. Slashdot can be DOS-attacked, you know. And what's in it for the kiddies that did it? Prestige, fame, admittance to the H4x0rs ClubHouse.. just my lousy 0.2 Euros.

    --
    I'm not ugly, girls nowadays just don't have taste!
  209. Exploit details by Fweeky · · Score: 2

    mysql -h slashdot.org -u slashdot -p slashd0t

  210. I almost forgot... by boinger · · Score: 1
    ...that Real Sites even got hacked. I mean, sure, the FBI, the CIA, the white house...those are all "valid conquests" (high-profile, dangerous)...

    It's nice to see someone, in a manner of speaking, looking out for those sites that I care about. I don't think there's a better way to do things than these guys did (assuming they plan to reveal themselves, technique-wise - I would hate to think they're showing off and don't plan to reveal the secrets to let us all learn the lesson).

    But, then, that brings up the dilemma - if it's something do-able elsewhere, would showing everyone just invite the skript kiddies to hit someone else using Slash?

    Anyway, congrats. It's a well-earned feather in your cap.

    --
    Send your friends messages of love at fuck-you.org
  211. Re:paranoimia by suss · · Score: 1

    never did I say that I used the same passwords, I however do realize that other people do.

    Hey, my password is secret, that means it's safe, right?

  212. Rebuild by Malc · · Score: 3

    So, does that mean /. is going to be rebuilt from a known backup? What do companies normally do? This could be a pretty good scam: pretend to be open about what happened so that /. isn't rebuilt, but really set themselves up for something more malicious.

  213. Re:Why? by Anonymous Coward · · Score: 1

    When an intruder gains access, the number one thing to do is install backdoors and then remove the original hole so other intruders can no longer take control of the system.

    Why is it again that we think this person was a good boy?

  214. Those guys.... by talonyx · · Score: 2

    are true l33t h4x0rs.

    hahaha

  215. As AM I by MrBId · · Score: 1

    heres to history...
    and to (offtopic -1)

  216. Thanks for Posting This by jekk · · Score: 1
    I know I'm chiming in with a "me too" but thanks for posting this, and for following up with the details in a few days (which I'm sure you will). I know it goes without saying that /. would want this kind of thing out in the open, but it DOESN'T go without saying most places, so it's GOOD that it does on /..

    -- Michael Chermside

  217. Re:it's not that cool by jafac · · Score: 2

    But it's not as simple as leaving your car-door unlocked. It requires the skill, determination, and expertise of a hacker to figure out that you have a security hole.

    They *are* providing a very valuable and free service. Who cares if they're having fun, and sharpening their skills as "payment" for the service? Would you rather they sent you a bill for $50,000? Or would you rather they NOT be ethical and sell your information for $100,000? I think we all ought to be thankful for the hackers out there, the ones that ARE ethical, the ones that do this sort of WORK, for fun, and provide this service for free, and especially when they SHARE the information they learn with the rest of us; ESPECIALLY when it's regarding security holes in closed proprietary corporate-IP software that otherwise would have gone on obscured until an UNethical hacker figured it out.

    In other words, we're VERY lucky these guys are on our side. Be thankful. Moron. If you don't want these guys wandering around on your site without your permission, then use secure products, hire a security consultant and get your sh1t buttoned up. Then you don't have to worry about it.

    Soylent Green is people!

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  218. Karma by Hard_Code · · Score: 2

    Dammit...I told them to fix that karma cap...

    --

    It's 10 PM. Do you know if you're un-American?
  219. oh my. by mincus · · Score: 1

    I can not wait to see the reply that the /. crew has to this. Could we have 3 Jon Katz articles in a row?

    <smile>
    .mincus

  220. Passwords and Paranoia by Downtown · · Score: 1

    Seems to me that no matter how you handle passwords they can be compromised. With a plain text file it's easy to grab the info... but if given enough time or preparation, could the ones who compromise the system just redirect any requests to login to a third party? If the password was encrypted, could they not prevent that encryption from happening and then steal the passwords? For that matter a plain text list would make a good defense... if it wasn't the real password list. Just depends on how you store the real info and how to prevent people from realizing where it's stored.

  221. I hope they fixed Slashdot! by quickquack · · Score: 4

    Maybe in their quest to l33t-dom, they fixed the obvious bug in Slash. Here's the rogue code:

    while(1) { if($c%2==1) { post_article("Cease and Desist Letter to %s","UPCDatabase.com || F---edcompany.com || Napster || FlyingButtMonkeys"); } else { post_article("%s Sues %s for %s","MPAA || RIAA || D:C, FlyingButtMonkeys || Microsoft || 2600, MP3s, DeCSS, CueCat Decoder"); } ++$c; }

    I'm surprised no one has caught it yet; it's a pretty big mistake.

    #disclaimer.h
    I like the MPAA/RIAA/Napster/DeCSS/CueCat/FBM/MP3 stories. I just thought it's fun to get some karma, too.
    ------------

    --
    ------------
    Tonight on Fox: Deadliest Executions Part XVII
  222. Re: self congratulatory infatuation by jmegq · · Score: 1
    That's a fine thing -- you've helped reduce his window of exposure to being robbed. However, you haven't (unless you later communicate with him) made him aware that there *was* a window of exposure. So if a criminal had created a backdoor (or planted a bomb or whatever), you've made things worse for your neighbor because now they have no reason to even look for something amiss.

    If someone got there before you closed the door, then you're making things worse by concealing the fact that there could have been a break-in. Hence, leave a note.

  223. /. :) by BalkanBoy · · Score: 1
    I guess now we can call it SLASHED dot ;-), eh?

    --
    'A lie if repeated often enough, becomes the truth.' - Goebbels
  224. dutch/french misspelling of "department" by sleepingTtiger · · Score: 1

    They also misspelled "department": from the w00h00-departement dept. - due to the close association of the Netherlands to the French language. Also, CmdrTaco & the other /.guys would not tautologically state "department" "dept." twice. That's what I noticed first about the post as somewhat odd...
    The poster, I assume, was Nohican - given away by his fondness of using "&&" in the post ;)
    I'd like to say: thank you, the two of you, for one interesting Thursday night ;)

  225. Hackers Crack Slashdot Database, D.C. files Suit by Greyfox · · Score: 5
    The hackers who cracked Slashdot's database today got a Cease and Desist letter from Digital Convergence's lawyers at Kenyon and Kenyon. Citing a violation of Digital Convergence Intellectual Property, they demanded that the hackers cease and desist at once. Stated James Rosini, "Slashdot is written in perl, right? Well perl can be used to violate Digital Convergence's Intellectual Property, so Perl is their intellectual property, too." He went on to aside "We're also going to send one to that dipshit Greyfox for taunting us and doing the ``Blow me Dance'' at us."

    Nohican and {} were unreachable for comment, and when we got in touch with Greyfox, he did the ``Blow Me Dance'' at us. The community declined to comment officially but some members of it said that they were pretty much doing the ``Blow Me Dance'' and ignoring Kenyon and Kenyon, too.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  226. Classic by Yardley · · Score: 1

    Classic, but even the /. hackers can't get their spelling/grammar right.

    They secured the hole and sen[t] an email to the admins, [who] should be reading it now.

    --
    He lives in a world where those who do not run the client software of the omnipresent meme are unacceptable.
    1. Re:Classic by Col.+Forbin · · Score: 1

      Dutch might have been a "world" language. When the USoA had to decide what language to pick as their national language (no, the Americans didn't invent English :-) the senate was one vote short for Dutch being the primary language in the USoA.

      Incorrect. This is an urban legend, and you screwed it up. In the legend, German almost became the official language.

      As usual, Snopes has the real deal:

      http://www.snopes.com/spoons/fracture/german.htm

    2. Re:Classic by gaudior · · Score: 1

      Yes, please do vote Nader. This will suck votes away from that lying sack of Gore, and ensure that the correct man gets in: George W. Bush.
      --

    3. Re:Classic by DrEldarion · · Score: 2

      Yeah, you know those people from the Netherlands. They always have perfect English skills.

      (what language do people in the Netherlands speak anyways... if it's English, scratch that comment.. ;) I don't think it is, though :/)

      -- Dr. Eldarion --

  227. How does this affect me? by Harris · · Score: 2

    Not having a clue about what they did, I was wondering what exactly this means to me other than it's interesting to read. Do they have (access to...?) my e-mail/password for slashdot or did they just post a message on the front or what?????
    not that I'm freaking out or anything

  228. a reminder by theBOPfromH*LL · · Score: 1

    ...it can happen to any of us, be vigilant in your security measures, and try not to get complacent. While you are happily downing a brew, someone may be burning the midnight oil to f*ck you over... and even if non-destructive, it is non-fun

  229. better watch out by bugi · · Score: 2

    Better watch out. US law reaches to the Netherlands.

    Go decss!

  230. You believe them? by pberry · · Score: 3
    Someone hacks your box, tells you they fixed it, and you buy it?

    Maybe I'm over paranoid but there is no way in hell I let that box stay up.

    --
    -- Are you an EFF member yet?
  231. Assuming that the story is true..... by Manaz · · Score: 3

    Assuming that the story is true (that the hackers closed the hole and then informed the Slashdot admins of what had happened, rather than planting bombs, scripts, backdoors, etc), I believe that this is a good example of the fact that hackers aren't all bad - that they can, despite the media's poor representation of them (let's not go into the hacker vs cracker argument) actually serve a useful purpose.

    Guys, well done for showing some maturity. I assume you've boosted your Slashdot karma scores to reflect your recent real-life boost in karma? :)

  232. So, is this the downside to open source? by Johnzilla · · Score: 1

    I wonder if the vulnerability came from poking and prodding slashcode, or from a break into the database server?

    1. Re:So, is this the downside to open source? by MrClever · · Score: 1

      Yeh like no-one has EVER hacked into a closed source platform?! Wake up! Let's not go over the whole "security by obscurity" debate - it's old and boring.

  233. Re:Stupid Crackers by leftorium · · Score: 1

    Settle down there champ. First off, your spelling is worse than the 1337n355 that "hacked" /. The fact that they did it is pretty cool, and the fact that they fixed it is even more so. The fact that you posted that crap about your server being bulletproof proves your idiocy. Please never post anything where I have to read it again. You're killing my grey matter.


    ______

    --
    ______
    everyone was born right-handed, only the greatest overcome it.
    http://leftorium.net
  234. Crackers, goddammit! by Jay+Maynard · · Score: 1

    No, you idiots, you're not hackers, you're crackers. True hackers don't break into systems. Go read the Jargon File entry for "hacker" and the Jargon File entry for "cracker". Then read them again, and again, until you understand the difference.
    --
    Disinfect the GNU General Public Virus!
    1. Re:Crackers, goddammit! by larryk · · Score: 1

      Trekkies vs. Trekkers...

      Why don't we call 'em Hackies?

  235. One Way Hash by augustz · · Score: 1

    Why in the world doesn't slashdot run the passwords thru a one way hash? If they did, NONE of our accounts would have been compromised, except for those who picked a password that could be brute forced. Any thoughts? Kinda disappointing.
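    The plaintext-versus-hash question raised in the "paranoia" replies and in comment 235, including the objection that a hashed password cannot be e-mailed back to a user who forgot it, as an added example that is not Slashcode's own code: passwords are stored as salted one-way PBKDF2 records, legacy plaintext rows are upgraded at the one moment the server legitimately sees the password (login), and "forgot my password" is answered with a one-time reset token instead of the password itself. The record format and all function names are assumptions made for this illustration.

```python
"""Salted one-way password storage plus a reset-token flow.

Added example, not Slashcode's own code.  The record format
'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>' and all function
names are assumptions made for this illustration.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 100_000  # work factor; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted, one-way record for storage.

    A fresh random salt per account means two users with the same
    password get different records, so a leaked table cannot be cracked
    with one precomputed list applied to every row.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Re-derive from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        salt, expected, iterations = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex), int(iters)
    except ValueError:
        return False  # malformed record, or a legacy plaintext value
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


def login(users: Dict[str, str], username: str, candidate: str) -> bool:
    """Check a login and transparently upgrade a legacy plaintext record.

    A table that currently holds plaintext (as the comments describe for
    Slashcode) can be migrated this way without forcing everyone to reset:
    login is the only moment the server sees the password.
    """
    record = users.get(username)
    if record is None:
        return False
    if record.startswith(ALGO + "$"):
        return verify_password(record, candidate)
    # Legacy row: the stored value is the password itself.
    if hmac.compare_digest(record.encode("utf-8"), candidate.encode("utf-8")):
        users[username] = hash_password(candidate)
        return True
    return False


def issue_reset_token(pending: Dict[str, str], username: str) -> str:
    """Answer 'forgot my password' without knowing the password.

    The token is what gets e-mailed; only its hash is stored, so a second
    database compromise does not hand out usable reset tokens.
    """
    token = secrets.token_urlsafe(32)
    pending[username] = hashlib.sha256(token.encode("ascii")).hexdigest()
    return token


def redeem_reset_token(pending: Dict[str, str], users: Dict[str, str],
                       username: str, token: str, new_password: str) -> bool:
    """Consume a token once and set a freshly hashed password."""
    stored = pending.get(username)
    if stored is None:
        return False
    presented = hashlib.sha256(token.encode("ascii")).hexdigest()
    if not hmac.compare_digest(stored, presented):
        return False
    del pending[username]  # single use
    users[username] = hash_password(new_password)
    return True
```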

  236. Re:Proud to say... by boinger · · Score: 1

    So post it! I'd like to see the attitude he had...I want to think he was a Good Hacker, not just showing off. What the Real Hacker community does not need is more infighting and "Whose Dick Is Bigger?" contests.

    --
    Send your friends messages of love at fuck-you.org
  237. Re:it's not that cool by jmegq · · Score: 1
    There are metaphors everywhere.

    Well said. In your parking lot scenario, imagine that the average person can see the locks on all the cars in the lot at once, just by glancing at them. That is how I think of sites on the internet; I don't think of it as trying each door. But I do see your point.

    I don't agree with your analysis of the ethics, though. I think it's perfectly acceptable to see an open vulnerability even if your eyesight is a little invasive -- like if you glance into someone's living room window and find their house is on fire. What is *not* ethical is to then do nothing about this discovery -- I believe one is then ethically compelled to report the vulnerability to the vulnerable.

    I think it is a mistake to assume that the person reporting the vulnerability is the first person to discover it; instead, the vulnerable should be thankful (scared, but thankful) that they can close up this exposure and start doing damage control. It's really naive to think that nobody's already taken advantage of the vulnerability just because only one person has reported it.

    Not the final word, of course...

  238. Re:nonsense!!! by the+gnat · · Score: 1

    Middle school's a sore spot, huh?

    yup. though I mostly used a typewriter back then. people just sort of assumed I was a total computer geek. . . and years and years later, they're finally right. sigh.

    But I've dealt with people who can't get over how l337 they are because they waste you in Duke Nukem. That's the sort I was talking about.

  239. Service Pack 1? by kc0dxh · · Score: 1

    So, the geekiest linux site has been hacked by geekier people. What does this mean? CmdrTaco and the rest have not secured their servers? Or does this mean Linux has a security hole and needs a service pack a la NT 4.0 SPx?

    --

    --- "1.21 Jigawatts!" -Doc

  240. By now... by rhk · · Score: 4

    I'm sure hundreds of people have submitted this as a story to the slashdot guys....

  241. for non-native speakers... by Wakko+Warner · · Score: 1
    ...their grammar is actually better than that of most of the Slashdot writers.

    - A.P.

    --
    * CmdrTaco is an idiot.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  242. Re:Better Car Analogy by hangdog · · Score: 1

    A better "car in the parking lot" scenario is one where you see that a car has its lights on. You also notice that the door is unlocked.

    What do you do?

    Me, I turn off the lights hoping I'll be thanked rather than yelled at for violating their privacy.

    The world shouldn't be such an ugly place...

  243. what REALLY happened by Anonymous Coward · · Score: 1

    Signal 11's karma exceeded an unsigned BIGINT and triggered a buffer overflow leading to an exploit. Slash code operators are encouraged to kick Signal 11 in the nuts until the problem goes away.

  244. Um... by ryanr · · Score: 2

    I missed the hacking contest announcement?

  245. Still under Nohican & {}'s control??? by CodeMunch · · Score: 1
    Will the real CmdrTaco please stand up...please stand up....please stand up....

    heh...sorry...I know it is waaay old and over abused but I couldn't resist. So what's Taco's OLD pword anyway? And how much pr0n is in the browser cache on the slashdot box? And does he have an auto-spelling & grammar screwer-upper that mangles his posts or is it just natural?

    --Clay

  246. Re:COMPROMISED! by Anonymous Coward · · Score: 4

    THEY DELETED THE FIRST POST!

    You bastards!

    hehe

  247. cracker? by semis · · Score: 2

    To be pedantic, (and slashdot has done this before), wouldn't the fact that these hackers compromised /. make them crackers?

  248. That box is uncrackable by Argyle · · Score: 1

    Dewd, I tried everything on that box!
    -----

    --
    nuclear iraq bioweapon encryption cocaine korea terrorist
  249. huh by Sumerian · · Score: 1

    so anyone know why the number of comments isn't being shown? it just says "Read More..", nothing like "11 of 12 comments"

    --
    FOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOP.
    Ballin-Networks
    1. Re:huh by redial+1 · · Score: 1

      This is just a guess: It's possible that the post was made directly to the database as opposed to actually logging in and using slashcode to create the entry. This would go along with the message stating that the database was compromised and not that the site was actually hacked.

  250. I have to admit... by mdtrent3 · · Score: 1

    ...I almost kinda wish I coulda done it! ;) (I know the rest of you wish so too!)

  251. Precisely. by nano-second · · Score: 1
    For those who are stuck in the romantic vision of hacking, think about it this way:
    How would you react to someone picking the lock on your door, then installing a new one and leaving you a note saying your old lock was not very good?

    Personally, I wouldn't find that very reassuring. Someone obviously was just wandering around TRYING to break into your house. How...uh...nice and thoughtful?!?! I don't think so.


    ---

    --
    I hope you're not pretending to be evil while secretly being good. That would be dishonest.
  252. blah blah blah? by boy+case · · Score: 1
    we know about this, blah blah blah.... ????

    hello! what if another site responded to a reported compromise with that phrase?? the shoe's on the other foot now isn't it?

  253. Those were just some pissed-off web surfers ... by Krollekop · · Score: 1
    He, those were probably just some pissed-off web surfers who had forgotten their Slashdot passwords.
    Maybe CowboyNeal should add a password recovery sentence on the login page...

    Choose your recovery sentence:

    • What's your favorite Web site?
    • What's your MAC address?
    • What's your favorite QuickSort implementation?
    • What's the content of your last "core dunped"?
    • Do you like grits?
    Enter your answer:
  254. Can't fool me by SMN · · Score: 3

    April Fools! Ha, bet you thought you had me, Taco, didn't you? Just because I believed that Microsoft really DID sue Slashdot in '99 doesn't mean I'll fall for your trickery twice, "CmdrTaco" - if that's even your real name!

    --
    -- Imagine how much more advanced our technology would be if we had eight fingers per hand.
  255. The real ones? by Pseudonymus+Bosch · · Score: 1

    because I can't think of a compelling reason to think otherwise.

    So you think that all the people claiming to be Bruce Perens are the real one?
    __

    --
    __
    Men with no respect for life must never be allowed to control the ultimate instruments of death.
    GW Bu
  256. Panic!!! by LauraLolly · · Score: 1
    When in danger Or in doubt
    Run in circles, scream and shout.

    Robert A Heinlein.

    C'mon. Do I really place my One True E-mail as my /. email?

  257. did anyone else notice... by xjesus · · Score: 4

    ...that they also took away the privilege of first post: http://slashdot.org/comments.pl?sid=00/09/29/0231248&cid=1

    and also that the sid uses tomorrow's date.

  258. Re:Proud to say... by nohican · · Score: 1

    Weh, RyanT && #coders rock:)

  259. Perhaps they have tripwire running by Argyle · · Score: 1

    AFAIK, this is what tripwire is designed for.


    -----

    --
    nuclear iraq bioweapon encryption cocaine korea terrorist
  260. Re:Why? by TDSObeseWhale · · Score: 1

    Very true. However, when someone submits a security patch to code via e-mail, it's no big deal. The person who did it gets a pat on the back for being a good boy and is off her merry way. However, when someone cracks a major website, doesn't do any damage, and then helps fix the error, he becomes a hero. Now, I'm not saying this is the proper reaction for the press, but it does show the fact that not all hackers are bad... At the same time, they did need to crack the database initially to discover the security hole. Sure, they could have done it on a smaller slashcode-based site, but everyone wants to be a hero, and these two are no exception. I'd give them plaudits and then forget about this issue.

  261. Re:Stupid Crackers by nowindowz · · Score: 1

    Click on the link to find out where it goes or at least hold your mouse over it.

    --
    Where are we going and why are we in a handbasket?
  262. I'm happy by Townshend · · Score: 1

    I don't know why anyone is complaining about this. I actually am glad that this happened the way it did, and I felt the guys who did this handled it correctly. No damage was done to the site and THE news site has become more secure. I would also hope the response to this incident from the people that run /. would include what the people did to post a falsified message (after it's fixed, of course).

  263. Re:Stupid Crackers by sheetsda · · Score: 1
    The link points to localhost; I think that was an attempt to get someone to hose their own system. He'll have to be a lot more clever than that. Hmmmm... perhaps he's jealous of Nohican and {}?

    "// this is the most hacked, evil, bastardized thing I've ever seen. kjb"

  264. Uhh. by tippergore · · Score: 2

    I don't believe that anyone understands this properly. Slashdot was hacked and the hackers inserted a story into the database (the one that everyone is replying to)

    I doubt cmdrtaco would post such a cryptic story about the nature of the break-in, nor is it possible to simply let a hacked machine keep running as if nothing happened (due to the possibility of inserted backdoors)

    In addition, I don't believe white-hat hackers are usually apt to hack into your machine without your permission and then modify your website to their liking.........

    The slashdot staff will probably have to take the server offline or switch it to a new one to do an autopsy, which is probably going to be an inconvenience to everyone.

  265. Re:Stupid Crackers by Phyrexia · · Score: 1

    You, idiot, are a certified AOLing f3wl. phyrexia@weyland-yutani.net

  266. Re:it's not that cool by jesterzog · · Score: 2

    Yeah I do partly see what you're getting at and to a point, I can't disagree with you. Like I said it's a gray area.

    Virtually everyone who's replied to what I said mentioned that I should be grateful if people who noticed the car door unlocked would point it out to me. Of course I would. I already said that I would. What I just don't want though, is people deliberately trying to break in if I didn't want them to.

    Obviously it won't stop people from actively trying to break in, but they shouldn't be let off because they didn't state their intention. Anyone with a sledgehammer could break into my house. I already know that, and they could probably come in any other number of ways I haven't thought of, too. But I don't want them knocking my door down just to prove it.

    You say that it's important for ethical people to examine the security of public venues. If the people were really ethical, they shouldn't try to invade where they're not invited, irrespective of whether the site owner doesn't know what's "best for them". It's not ensuring my freedom to make my own decisions, it's trampling on it. Nobody should have the right to decide what's ethically correct for someone else. That's what govco does day and night.

    As it is, I don't think I'd mind people trying to break in if they would be honest about it and let me know without breaking anything. I think it's a good strategy, and I probably wouldn't press any charges if they actually got caught. I also think everyone using MS Outlook should replace it with something better. I mean, someone's just going to seriously exploit it again within the next six months anyway. But does this give me the right to change it over "for them"?


    ===
  267. Re:The real ones, probly by turbosk · · Score: 1

    Let's use Occam's razor. Possibility 1: maybe someone is taking the trouble to affect their writing style trying to come across as someone they're not. Possibility 2: credit where credit is due, let's hear it for Web Ferret.

    I don't think it's a "Bruce Perens" issue.

    pax

  268. Re:it's not that cool by jesterzog · · Score: 2

    They *are* providing a very valuable and free service. Who cares if they're having fun, and sharpening their skills as "payment" for the service? Would you rather they sent you a bill for $50,000? Or would you rather they NOT be ethical and sell your information for $100,000?

    Personally? I'd rather people who broke in were honest about it and told me and I'd appreciate knowing about it.

    I also think that they shouldn't be taking and paying for a "service" that isn't for sale. If they were caught and someone wanted to press charges for having their back door knocked down followed by helpful instructions on how to make a better door, I have no problem with it at all.


    ===
  269. Do we still get karma points for this? (NT) by Entity42 · · Score: 1

    I said NT goddammit! :)
    To err is human,
    To really screw up, you need a computer!
  270. Re:And now you know why... by LionMan · · Score: 1

    You arrogant, ignorant fool - this has nothing to do with linux's security, which is on the same level as any other UNIX - MD5, baby!

    --
    -Leo
  271. Re:seems like... by Lx · · Score: 1

    Duh, it's perl.

    -lx

  272. Re:The real ones, probly by turbosk · · Score: 1

    user 33456.

    kudos, guys. that's big brass ones.

  273. Alter Ego? by Johnny+Starrock · · Score: 1

    I think Jeff K. was really behind all this. He used Openl337. Either that or SubSeven. SubSeven is what all the l337 Hax0rZ on my block usz. Or at least the ones that probe my box for it 100-200 times a day.

    d0nut fuX w1t m3! =)

    -----------

    --

    end communication
  274. Oh yeah..well... by merato7 · · Score: 1

    I hacked OSDN and got User #6969 :-) j/k

  275. Priceless by mincus · · Score: 4

    First Post: Hours of time waiting for a new story to appear

    reached the 50 karma cap: Months of posting links to partners.nytimes.com

    Look on CmdrTaco's face when he sees the newest /. article: Priceless

  276. double login required at home page part of it? by apk · · Score: 1

    Don't know if this is part of the hack/compromise, but lately it seems I've needed to login twice. After hitting the "user login" box, I get one cookie that seems legit, then another setting anon=-1, then the main page refreshes, but it doesn't get displayed using my preferences (just a repeat of an AC main page).

    So, I enter my username and password again, then again click "user login", then get the same first cookie presented again (which I again accept), but no "anon=xxxx" cookie, and then the main page presents itself as expected.

    Maybe it's just me. Anyone else notice this in the past few weeks or so? Is this just a new /. feature, or...?


    Andy

  277. Did anyone else notice... by Auckerman · · Score: 1

    Anyone else notice the reply email for all admins, regardless of who they are, is http://www.monkey.org/~timothy. I get the feeling this is as much a White-Hat hacker job as claimed. Take a look at the sony post.

    --

    Burn Hollywood Burn
  278. Re:Why? by mtvsucks · · Score: 1
    what are you talking about?

    ---
    pack

    --
    1337
  279. Please explain this to me by AintTooProudToBeg · · Score: 1

    > They secured the hole and send an email to the admins, they even should be reading it now.

    Who is they? What is it? Why is the word even there?

    (these are serious questions)

  280. Re:Proud to say... by RyanT · · Score: 1

    Well, at least he was a 'Good Hacker' and fixed things where they needed to be. I find it humorous that he posted it, and I'm sure many others did, too. Anyway, does it matter what channel we were on? As you can see, Nohican already posted it, and it's just IRC.