Slashdot Mirror


Slashdot Database Compromised!

Today the Slashdot database was compromised by 2 hackers from the Netherlands. !(Nohican && {}) They secured the hole and sent an email to the admins; they even should be reading it now. Update: 09/29 11:04 PM by michael : We know about it, blah-blah-blah. Don't email us. I think it's safe to say that whatever happened, you'll hear the full details soon enough. Thanks.

13 of 371 comments

  1. Re:"fixed" Slashdot? by Ollinghhajuilo · · Score: 5
    I hope by "fixed" you also mean, "deleted Jon Katz's account."

    He's a hole all right. "Security Hole" isn't the first hole that comes to mind though.

  2. Clear Text or Two-Way Encryption by Rahoule · · Score: 5

    I would hope that /. boys coded the whole database so that passwords were one-way encrypted. Then it would be that much of an issue to change your password.

    They aren't. If you forget your password, Slashdot will mail it to you (the "mailpasswd" button on /users.pl when you're logged out). Slashdot emails you your password, in clear text. So, even if the passwords are encrypted, they can be decrypted. How else would Slashdot be able to tell you your password?
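    The distinction Rahoule draws (one-way hashed passwords versus anything the site can hand back in clear text) in working code, as an added example that is not part of the original thread and not Slash's own code. It assumes a hypothetical in-memory user table in place of Slashdot's real database, and a hypothetical `mailpasswd` that, because it holds only a salted one-way hash, cannot mail the old password and instead issues a single-use reset token:

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for the site's users table (hypothetical; not Slash's schema).
USERS = {}

# PBKDF2 work factor; a deliberately slow hash so leaked records resist guessing.
ITERATIONS = 200_000


def store_password(nickname: str, password: str) -> None:
    """Keep only a per-user salt and a one-way hash. No plaintext, no decryptable form."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    USERS[nickname] = {"salt": salt, "hash": digest, "reset_token": None}


def verify_password(nickname: str, candidate: str) -> bool:
    """Recompute the hash from the candidate and compare in constant time."""
    rec = USERS.get(nickname)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), rec["salt"], ITERATIONS)
    return hmac.compare_digest(digest, rec["hash"])


def mailpasswd(nickname: str) -> str:
    """Hypothetical 'forgot password' handler for one-way storage.

    The site cannot mail the password back because it does not have it, so it
    returns a random single-use token that would go into the email instead.
    Only a hash of the token is stored, so the users table still holds nothing
    that lets a reader of the database log in as someone else.
    """
    token = secrets.token_urlsafe(24)
    rec = USERS.get(nickname)
    if rec is not None:
        rec["reset_token"] = hashlib.sha256(token.encode()).digest()
    # Unknown nicknames get a token too, so the response does not reveal
    # which accounts exist.
    return token


def redeem_reset(nickname: str, token: str, new_password: str) -> bool:
    """Accept the token once, then replace the stored hash with a fresh one."""
    rec = USERS.get(nickname)
    if rec is None or rec["reset_token"] is None:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, rec["reset_token"]):
        return False
    store_password(nickname, new_password)  # also clears reset_token
    return True


if __name__ == "__main__":
    store_password("alice", "correct horse")
    print(verify_password("alice", "correct horse"))  # True
    token = mailpasswd("alice")                         # what the email would carry
    print(redeem_reset("alice", token, "new pass"))     # True, once
    print(redeem_reset("alice", token, "again"))        # False: token is single-use
```

    The point of the second half is the one Rahoule makes by inference: a "mail me my password" button that works at all is proof the password is recoverable server-side, so a compromised database is as bad as a plaintext one. A reset token breaks that link; the only thing worth stealing from the table is a salted hash that still has to be guessed.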

  3. Re:The hacker formerly known as {} ? by nohican · · Score: 5

    I pronounce it as "bracketbracket" :) - Nohican

  4. I can see it now... by MousePotato · · Score: 5

    On E-Bay: For sale ANY /. user account you want. Who needs to purchase a high karma account when you can just buy your enemies' accounts and trash their karma, reputation/image? That's right! Step right up boys and girls. 5r1p7 k1dd135 Inc. will for a limited time only give you access to any account you desire and you may trash away at will:) Call 1-800-urh4x0r3d in the next sixty seconds and we will even throw in a snippet of code that will guarantee you the same access to any slash based site. Wait! There's more! Mention OpenSource and we will even throw in a free kernel upgrade and the link to the actual HOW-TO's will also be yours! Here's the best part!!! If you call and say CmdrTaco sent you we will even throw in his account and all the censoring powers that come with it. Imagine, you and your friends can kill off quickies and JonKatz with a single click(TM).
    Note to self: IF s/N ratio>=facts(old news + /. $authors)

  5. Don't they deserve a reward? by Joe+Groff · · Score: 5
    CmdrTaco should send these guys a couple of "I HAX0RD SLASHDOT" T-shirts.

    I kind of think they blew a great opportunity though; imagine the chaos that would ensue if they inserted a story titled "Linux 2.4 Released!" with a link to goatse.cx cleverly hidden as a link to kernel.org...

    - Joe


  6. Re:Info! by pb · · Score: 5

    Wait up, man...

    Maybe some other sites running the Slash code would like five minutes or so to secure their sites before everyone else in the world knows about it?

    Or rather, let's make sure everyone's got the fixes before we go passing around the exploits, ok?
    ---
    pb Reply or e-mail; don't vaguely moderate.

  7. Re:this is cool by edibleplastic · · Score: 5
    I'm sorry, but this is the kind of romantic BS that seems to cloud the open-source community. According to you, these guys are cool because they're so friendly and helpful. Yeaaaaa! Let's live in a world where everybody looks out for his neighbor, people leaving cute little notes on each other's web sites: "Excuse me, I noticed a little hole in your site, so I decided to come on over and board it up... for free! Have a nice day!"

    Yes, this is most likely the best way to find and fix security problems, but we have to be *very* careful about attitudes such as the one you're proposing. What would have happened had Slashdot carried our credit card numbers as well? Would we be as happy that some people were poking around the website? According to the attitude you're suggesting, the answer would be a resounding YES! YES, because there could be other people out there who are malicious and if the hole didn't get fixed this way it could have turned out to be much worse if other people had found it. But the fact of the matter is that unauthorized hacking is wrong whenever it is committed. A blind faith in white hat hackers is very dangerous because there is no telling what their motivations are, no matter what they say. How in the world do you know that they didn't take CmdrTaco's passwords? If /. had credit cards, how do you know none had been taken? Because they told us about the security hole? That is not enough proof. Hell, the best way to commit a crime would be to hack in, steal a few things, and then report the problem. And they would be held up as heroes, not hackers because "luckily, the boys at slashdot "get it""

    Property is property, period. Just because this is IP, and just because it is on the Internet does *not* make it any different.

  8. Re:it's not that cool by jesterzog · · Score: 5

    I don't think anyone's particularly happy that people are poking around their websites. However, if a stranger comes by and leaves a note that says "your front door was open", that is more helpful than nothing.

    I know what you're getting at and sometimes I do feel that way. Also though, I think it can be a very gray area and IMHO it's risky the way you're going with it.

    I'll use the car-in-the-parking-lot scenario. Would I mind someone leaving a note on my car if they noticed one of the doors was unlocked? Within reason, probably not. But do I think people have the right to walk around the parking lot trying to open car doors, just to see which ones aren't locked? Of course not.

    There are metaphors everywhere. I can encrypt my email to prevent people reading it. Do I want anonymous strangers to try to decrypt it as long as they promise not to read it? Not really. If I say I don't mind, it gives anyone who wants to break it an easy back-door out of being prosecuted. Imagine what it would be like if govco could get away with saying "we were only trying to show you that your cryptography was faulty. Oh and by the way, we stumbled on this evidence which we're going to use against you.". It always starts with small things, and I can't see why it wouldn't lead to that.

    Obviously I'd like to know if anyone stumbles on a way in accidentally or sees something by chance, but I'd like to arrange for it to be tested on my own, thank you.

    So I guess my point is that if it's ethically okay to try to crack websites etc in the interests of improving security, it suddenly makes it ethically okay to crack them. As long as someone hasn't actually stolen the credit card numbers yet, it makes it okay.

    Sure some crackers mean well, but it shouldn't be an excuse to let them off. If they really want to test a site that way they should ask permission first. Let sites decide whether they want everyone trying to break them or not. Most of them will say no, and at that point, what right does anyone else have to force their "better" opinion on another person or company regardless? I've had enough of that from govco and I don't want to start getting it from random unidentified script kiddies.

  9. Info! by Skyshadow · · Score: 5
    Okay, so you've hacked Slashdot, fixed the security hole and pulled a classic white hat move which will live in infamy.

    So, let's hear some details. Howdya do it? Remember, we're techies and not magicians; we can reveal our secrets.

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
  10. this is cool by fluxrad · · Score: 5

    i think something like this truly embodies the hacker ethic (yes, we're talking about the one you hear about in the news :(

    Technically, you could sue these guys and have them thrown in prison (with certain international legal assumptions). Luckily, the boys at slashdot "get it." - This is truly the open source of cracking. Finding a problem and fixing it. I feel like there should be a sign on the front porch of the internet that says "Please leave this place tidier than you found it"


    FluX
    After 16 years, MTV has finally completed its deevolution into the shiny things network

    --
    "It is seldom that liberty of any kind is lost all at once." -David Hume
  11. Full disclosure? by psychosis · · Score: 5

    Just curious if we'll have a report on what happened and how it was done after everything is cleaned up. With slash being full-open-source, it would be a good way to educate the community.
    Not that I think we should expect something in the next hour or anything, but in a week or so, maybe...

  12. Hackers Crack Slashdot Database, D.C. files Suit by Greyfox · · Score: 5
    The hackers who cracked Slashdot's database today got a Cease and Desist letter from Digital Convergence's lawyers at Kenyon and Kenyon. Citing a violation of Digital Convergence Intellectual Property, they demanded that the hackers cease and desist at once. Stated James Rosini, "Slashdot is written in perl, right? Well perl can be used to violate Digital Convergence's Intellectual Property, so Perl is their intellectual property, too." He went on to aside "We're also going to send one to that dipshit Greyfox for taunting us and doing the ``Blow me Dance'' at us."

    Nohican and {} were unreachable for comment, and when we got in touch with Greyfox, he did the ``Blow Me Dance'' at us. The community declined to comment officially but some members of it said that they were pretty much doing the ``Blow Me Dance'' and ignoring Kenyon and Kenyon, too.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  13. Re:paranoia by Anonymous Coward · · Score: 5

    I suggest reinstalling Windows.