Slashdot Mirror
Yup, Somebody Cracked Slashdot
What a great way to wake up! I went to bed at about 10 last night, completely exhausted (stuff unrelated to Slashdot stressing me out). I guess the upside is that I had a good night's sleep: the downside is I still haven't had a morning cup of coffee ;)
Allright, so by using the 31337 haxx0r tool known as "Common Sense", {} and Nohican managed to get a Slashcode test site's administrative access (this isn't a root shell or anything: its only a series of Web forms used to post stories, and configure various parts of the site). This was our biggest mistake: the password (God/Pete) was never changed on the test site. From there, it was a cake walk.
By exploiting a known security hole in pre-2.0 versions of Slashcode, they executed some perl of their own devising through our template system, and managed to run netcat on the the box. The hole itself required "God" access on a Slashcode site, so it was never a problem before... but since the password was the Slashcode default of God/Pete, it wasn't hard. We knew about the potential problem but since nobody ever had God access besides me, it was never a problem!
From there they managed to get ahold of our backup database (updated nightly). And due to another hole (one that is also fixed in the upcoming 2.0 "Bender" source tree ;) they managed to pull my Slashdot administrative passwd from the dump, and login as me, to the real Slashdot. (our db stores passwords in plaintext. Yes it's stupid, but I wrote this code 3 years ago and had no clue).
Apparently that's where they stopped: all they wanted was to post a story claiming victory. Immediately after that, they e-mailed us and told us how they did it. Our crack team plugged things back up immediately. (and the guys were nice enough to chat a bit with them on IRC explaining a few things).
The moral? Our biggest mistake was not changing the default data on the test site, and I'm sure that we'll patch the next version of Slashcode to require new administrators to change their passwords during installation. The eval hole (we've been working on removing this problem for some time now and replacing it with a templating system that is secure, flexible, and easier than the really crappy one we're using now) and the password problem (also fixed in bender) won't be a factor in Slashcode 2.0.
It doesn't appear at this stage that they actually did anything beyond posting their story. (We're taking all the appropriate precautions to make sure. Hugs to Yaz, Liz and Pat who are gonna have it the worst). You should also change your Slashdot User Password right now just to be safe.
The whole Slashdot authentication is ridiculously insecure. I coded it years ago when I didn't really know anything about scalability or security. Since then various bugs in Web browsers have changed a lot of things, so we decided to fix the problems in Slashcode 2.0. Unfortunately it's not done yet, but it's getting there. Of course, anyone with functioning neurons knows that you use different passwords on each system (especially Web sites where you aren't using any encryption!)
Nobody ever would have got anywhere had we just changed the default password though.
The good news is that it looks like {} and Nohican were good guys: the did the deed, took the credit, and went no further. Then they told us exactly how they did it so we could make sure it wouldn't happen again. Honestly, that's the best kind of hack. Two years ago we had the bad kind of hacker: he rooted the whole damn system and never told us how they gained entry. That sucked more than I can describe.
The bad news is that we have to pretend that these guys totally took over, and rebuild everything anyway. It's gonna be a long couple of days.
You can direct inquiries to me, but understand that I'm just a little busy right now, so I might not be able to reply to everyone.
[Heh, I wrote the following text for some friends about a week ago. Fits perfectly here. :) ]
How many sites, servers or systems do you log into regularly? On how
many sites, servers or systems have you registered yourself with a
user name and password? Quite some number, or what? Now; how many
different passwords did you use? Of course you've been told many
times to use different passwords everywhere. I keep wondering what
idiot invented that impossible rule; it goes without saying that you
need to reuse your passwords, unless you have a computer in your
brain.
What's my point? Let's say one of the administrators of one of those
sites is not as honest as it first seemed, and takes a peek into the
password database. Or let's say that someone cracks into that
database and gets hold of all the passwords. What could that person,
given your often used password, do on all the other sites you visit?
Would you like someone else to speak for you? To buy for you? To
sell your stocks? To use the encyclopedia you pay for? To read your
mail? Probably not. And it doesn't have to be that way if all web
developers out there obey the following, simple rule:
Never store clear text passwords.
You do not need to keep a user's password to be able authenticate her.
To repeat: Neither you, nor your web server, need to store any user's
password. The technology is ages old: You pass the initial password
through a one way hash function, and store the garbled password in
your database. Whenever the user wants to log in, you take the user
provided password, pass it through the same hashing function, and
compare the result with whatever you have in your database.
I guess some of you don't know what hash functions are, so here's a
short intro: Hash functions, or message digests, are one way functions
that take a text as input, and produce a signature based on the text.
Calling the function "one way" means that, given a signature, it is
impossible to get back to the original text. A good hash function
also makes it extremely hard to come up with a different text that
yields the same signature.
Several hash functions exist. The password file on Unix traditionally
uses a DES based hash function, known as crypt, to hide passwords.
Windows NT uses MD4 for passwords. I would suggest you use a widely
available function known as MD5. It is considered more secure than
both crypt and MD4. PHP has the string function md5, Java has the
java.security.MessageDigest class which provides MD5, Perl has an MD5
module, and I guess you'll be able to find some component for
ASP/VBscript too.
If you've ever read about password hashing, you may have run into the
term "salting". We may use salting to make sure two hashed password
are different even if they come from the same password. If you choose
"beer" as your password, and have access to the hashed passwords, we
don't want you to recognize another "beer" drinker among the users.
You may think that requiring unique passwords is a solution, but it is
not: If you register somewhere, and learn that the password you chose
is already taken, you may run thru the users and test with the
occupied password until you reach the owner. We do _not_ want unique
passwords.
A common strategy for salting is to combine the user name and password
into a new string, eg. with a line break in between, and pass that
string through the hash function. Of course you will need to redo the
combination when you verify the password.
What follows is a simple example in PHP. We provide one function for
storing the hashed password, and one for authenticating a user. Of
course you will need to implement the database functions yourself.
# Given a user name and a clear text password, calculate the
# salted, hashed password.
function getHashedPassword($username, $password) {
return strtoupper(md5($username . "\n" . $password));
}
# Given a user name and a clear text password, calculate the
# salted, hashed password, and store it in a database.
function storeInitialPassword($username, $password) {
$hashedPassword = getHashedPassword($username, $password);
# Save the hashed password in the database.
setHashedPasswordForUser($username, $password);
}
# Given a user name and a clear text password, calculate the
# salted, hashed password, and compare it to the one in the
# database. Return 1 if the user is successfully verified,
# 0 if verification failed (bad password).
function verifyPassword($username, $password) {
# Fetch the hashed password from the database.
$hashedPassword = getHashedPasswordForUser($username);
# Salt and hash the provided password.
$hashedProvidedPassword = getHashedPassword($username, $password);
# If the two hashed passwords are equal, everything is fine.
if ($hashedProvidedPassword == $hashedPassword)
return 1;
# The hashed passwords didn't match. Invalid password.
return 0;
}
As the example shows, storing hashed passwords is almost as simple as
storing clear text password. And it is a whole lot more safe. If you
choose to hash the passwords on the site you develop, you should
consider mentioning it on a "privacy policy" page. Advanced users
will appreciate it, and understand that you take security seriously.
Hacker's Haven 7843
The defaul login was sa. The default password was blank. I think it's about time you guys fessed up to your MSSQL addiction.
Seriously, everything this guy has written is 200% on the mark. Plain-text passwords are ALWAYS a major security risk, because crackers will ALWAYS eventually break in. The most secure box is the one you don't NEED to trust.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Colonel Sandurz: "1-2-3-4-5."
Skroob: "1-2-3-4-5?"
Sandurz: "Yes."
Skroob: "That's amazing! I've got the same combination on my luggage!"
-- www.bteg.com | bleh.n3.net | hac47.dhs.org
It's easy for them. Their readers know exactly how it is, and it's not like there's any data that needs to be protected. Accounts are free, no credit cards #s anywhere, etc... As long as they have backup tapes somewhere it doesn't matter what the fuck happens to the site. They can restore it.
Vidi, Vici, Veni
D'oh. Configure DNS to disallow zone transfers from anyone but the secondary. Host -l dies then.
Microsoft as many know represent the devil and well this being the month of 9 on the 29th day and in the year 2000. There have been 3 releases of Windows past Win 3.11 and well if you divide 2000 by 3 you get 666.666666666666667 well there ya go.
I think I'll put that in today!
-- perl -e'print pack"H*","6e656d6f406d38792e6f7267"'
Of course, when I say Base64 here, I mean MD5.
Just shoot me.
Matt. Want XML + Apache + Stylesheets? Get AxKit.
It was SGI's File System Navigator - a rather cool program for doing 3d visualizations of a file system. It's fun to play with, and actually suprisingly usable for normal work.
--
We always hash the passwords in our database, real quick n easy. NEVER store credit cards, yes its damn convenient to store them in the database, but is it so hard to type a few digits I mean is it THAT big of a deal to type your CC number each time? I know its more prone to error, but I am always leery of having so much sensitive data in a single place.. developers, admin staff, hackers.. the whole world has access to the CCN's then.. I just dont play that ;)
Jeremy
Instead, we have an open acknowledgment from the victims, a full story about what happened and what steps are being taken now, simple instructions for the users, and the proper amount of credit to the guys who cracked the site.
A little extra work for the /. crew, a good reminder for them to take security more seriously, but otherwise no big deal.
If only mainstream media could be this mature and accurate.
________________
________________
Private Essayist
You don't NEED to give the user the password he had if he forgets it. Just generate a new random password and mail it to him
Hah, this reminds me of a mom-and-pop shop I worked at years ago (first non-fast-food job). I was the network admin and developer. I had changed the network password, and looking for the new one, I saw a print-out of a Microsoft Knowledge Base article. I tore out the words "Microsoft Knowledge Base", highlighted the word Knowledge, and put it over the scroll-lock light, right on my keyboard.
I knew it was secure, and that was confirmed later when I was on my honeymoon. I got a call, the boss frantic, that no one could remember the password, and that they had looked through my office for a hint. Even the other most technically inclined person slapped his head when I told him, "Are you at my desk? And you couldn't find anything? Look on my keyboard..."
You quitting proves that the karma kap worked. The most annoying of the whores shut up. --CmdrTaco
It's called "ButtonFly" on Irix....
You should use different passwords on different accounts, just like passwords should not be stored in plaintext. Sometimes it just doesn't happen.
Everything in this post is false.
If you write an insecure system with passwords in plaintext when you're a college student with a small website, and you expect "the community" to download the code, notice the error and fix it for you, you're going to be disappointed.
...
If you run a website on code written by a college student with a small website, you deserve whatever you get. Even if you're that college student.
Taco should not be so hard on himself over that particular flaw; the real shame should be felt by the million and one fuckheads who downloaded the code and didn't even look at it before installing.
ONE flaw? ONE flaw?
1. Didn't change the default password.
2. Left user passwords in cleartext.
3. Kept a test machine with access to real information accessible to outside users.
I'm sure you can think of more if you try.
'Course, this puts the whole "security through obscurity" thing in a slightly different light
Try "security by people who can't put a sentence together for $6 million."
With all my fucking heart,
AC
I always thought my password was ***** anyways....
The anti-salmon
$password = crypt($password,"XX");
/* XX 'cuz I can't remember how to gen 16 bits of entropy in perl /*
Heck, even now, I don't know that you can hold them to "Customer focus."
"All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2000 OSDN."
But still, that's no reason for the demeaning tone of this post.
I think you meant "manner", not "tone". As you know, the only tones made during the creation of that post were tapity-tap-tap-clickity-click-SUBMIT.
I just love the way we geeks all tend to rip each other to shreds when we make stupid mistakes,
And why not? It's not like it was an intelligent mistake.. we have an entire kernel filled with intelligent mistakes. But stupid mistakes can be spotted from a mile away through dense fog across the english channel... there's no excuse for him to have not bothered to secure those passwords. I did it, and I don't even know perl!
You had no moral obligation to inform the readers of anything.
Major newspapers have a similar attitude. You might guess how interesting the content is.
Slashdot folks are a pretty educated crew
How quickly ye forgets why we have a moderation system!
--
Chew on this, perhaps they weren't able to hack into the user database. Instead they were only able to rig the 'change password' scripts and post a new story. Now the 'good guy' hackers are watching the new passwords stream in, :]
ha, not likely, but it would prove to be an incredible hack.
Yes. I really am a moron.
Ah. That perhaps makes it less necessary to wonder why the authorities in Norway should be contacted, when Slashdot gets hacked by a couple of guys in the Netherlands...
main(O){10<putchar(4^--O?77-(15&5128 >>4*O):10)&&main(2+O);}
I just ping to get the ip address [64.28.67.48] then try a few variations on the last number. (http://64.28.67.47:80, etc.) Finds stuff people don't want you to find. ;-)
--
Chief Frog Inspector
A feeling of having made the same mistake before: Deja Foobar
Actually....i think this is a commercial site. :)
"Dogs and cats, living together...it's mass hysteria!"
. . . become "FascDot Killed My Pr". They must have had a low bid on that eBay auction.
--
-- Geof F. Morris
Yeah. I think you just undid a whole bunch of people's arguements about why 'hackers' don't do any real damage. Where are those handcuffs with Mitnick's name engraved on them, now.....
We all know that CmdrTaco made a mistake, but saying that he should be canned is going one step too far. We all mistakes eventually... hey, look how many advisories and patches are posted every day. Look at what he's done for us, and now you say he should be fired just because he forgot to change a password? We've got to take this with a grain of salt -- ok, someone got full access to slashdot. What does this mean to us? No noticeable difference -- yet. Will this destroy the world economy? No. Will this affect anything besides making CmdrTaco work hard for the next week? No. He's already paying the price by having to rebuild everything -- give the guy some slack.
"Darn, my winmodem won't work with Linux? I'll have to recompile it... with my blowtorch."
This is nice to see. Big, front-page article saying they've been hacked, letting their users know. How many web sites do you think would do that for their users? Too few.
On the other hand, would we have been notified if the hackers hadn't put a big article on the front page? Food for though, but I'd like to think so.
Dave
'Round the firewall,
Out the modem,
Through the router,
Down the wire,
Barclay family motto:
Aut agere aut mori.
(Either action or death.)
Ah, if only the trolls had known...
--
Change my password? Um.. why?
This is a message board site, not my bank account.
Not the administrative passwords on my Windows 2000/Linux box.
Not the passwords for my personal writing folders (which have a different password than the box).
Not the password I use for my internet account.
Basically, there is nothing worthwhile to steal here, and if someone posted something under my name so what? I would then change my password.
But I don't need to now.
- I don't care if they globalize against free speech. All my best free thoughts are done in my head.
Make up your mind, is the team supposed to crack things open or plug them up?
You can always assign new passwords to the users and hash them for storage.Then send the new pass to the users through mail.Look at yahoo
you should at least change your password
... it's simply about preaching.
I can't believe that a site such as slashdot would keep our password information in such a reckless manner.
How many stories have we read about e-commerce sites getting cracked and all the people bitching about keeping personal data away from web accessible boxes? Obviously NOT enough since slashdot cannot even learn from others mistakes.
Hell, I know it's just my slashdot account at risk but I think this proves a bigger point, it's not longer about practicing what you preach around here
I now adminster a groupware product - and it's amazing how many people keep the temporary passwords. Probably the best story I can relate is someone high up who kept forgetting his password. I changed it to his last name (I know, I know) and he still managed to keep forgetting it. Unfortunately the groupware product does not have a user password retrieval.
----
Making a fake post is cute, but it is a bit childish. I can not think of any other reason why the hackers made a fake posting other than making a name for themselves or embarrassing the site operators. Was the security of Slashdot really their primary or even secondary concern? Fake posts are no better than grafitti.
Can we even be sure that they only broke into Slashdot this one time? Were the systems reinstalled with fresh code that had been secured or encrypted? How can we be certain that a backdoor hasn't been installed?
I certainly feel that the security breach should be publicized. I am glad that the problems have been fixed. And I understand the hackers desire for anonymity given our society's penchant for litigation. However, I do not think it is polite or justified to inform a site's admins of security holes through graffiti on the front page of their website at 10:30 PM. An anonymous or pseudononymous email message would have had the same end result. (Getting phone calls about urgent time sensitive problems at 10:30 PM is bad enough for most system administrators; getting phone calls for problems that could have been solved in the morning is really frustrating.)
The folks who broke in may not have been "black hat" intruders, but it is specious to call them "white hat" hackers. Perhaps there needs to be a term like "gray hat" hackers, but "immature self-promoting" hackers seems to work just as well.
--Sam
"The bad news is that we have to pretend that these guys totally took over, and rebuild everything anyway. Its gonna be a long couple of days."
have a nice week-end rob!
--
"Science will win because it works." - Stephen Hawking
if this was such a obvious, silly, beginner's mistake, where was your fucking patch for it? Huh? What was stopping you? I know fuck-all about computer programming, so I couldn't have repaired the error. You, however, are a fucking expert, apparently. So what's your excuse?
-- the most controversial site on the Web
Since Slashdot was cracked, and the password database was compromised, it seems to me a very important proper step is to email the user base suggesting they change their passwords. Not everyone logs in everymorning to slashdot. If I had not logged in, I would not have known my password was compromised.
Quack
There have been several occasions when I received an email saying Slashdot has received a request for my password. I have no idea why anyone would want my password, but there you go.
If your idea was implemented, then people could just continually ask for requests and cause a denial-of-account.
Since accounts are anonymous and trivial to make, I don't really see it making much difference anyway. It would only matter for people like Bruce Perens who has some kind of authority and several would-be imitators.
Look at yahoo
Which doesn't send passwords, AFAIK.
And it wasn't a problem before, since you could use other encryption methods.
I personally think all sites should offer the entire site in SSL. The more encrypted traffic running around the 'net, the better.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
OK, I changed my password to Pete.
I would've had them add me to the express article suggestion queue. (Which of course doesn't really exist. It wouldn't be fair to have class distinctions between SlashDot users. yeah right)
Work for Change & GET PAID!
It's not clear from the post, but it would appear that Slashdot simply stores the username / passwords in a table unmangled?
Damn...The minimum you should have done is hashed it (with either MD5 or SHA-1 - both of these are available for Perl). The next (recommended) step is to also salt the password prior to hashing to prevent dictionary and similar attacks.
Bruce Schneier is right in Secret and Lies: people just keep making the same security mistakes time and time again :((((
"Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
You don't need 100,000 passwords.
;-)
You only need one...
Hey, CmdrTaco, what ISP do you use?
"Darn, my winmodem won't work with Linux? I'll have to recompile it... with my blowtorch."
Long live the Taco.
================
================
Microsoft is not the answer, Microsoft is the question. The answer is "no".
No, I think your current system of paying people to make you do unnecessary work on ridiculous topics such as "The Pre-Roman Carthaginian Patriarchy" or "Rights of the 13th Century African Immigrants" is probably right on-target.
By the time you get out, you should be perfectly suited to a lifetime of meaningless, tedious work that slowly kills you.
"Beware he who would deny you access to information, for in his heart he deems himself your master."
We divvent 'ave none of this 'ere "karma" malarkey. All Slashdot readers used ter get beaten senseless three times a day joost to make sure we weren't up to anything.
This was our biggest mistake: the password (God/Pete) was never changed on the test site. From there, it was a cake walk.
From the Encyclopaedia Britannica:
From Merriam-Webster's Collegiate Dictionary:
These were PDP's they were breaking into.
There was also a field service account usually set to a pattern, something like DECAPR, DECMAY...
--
Chief Frog Inspector
A feeling of having made the same mistake before: Deja Foobar
There's no difference between failing to keep the hackers out and leaving stuff where the hackers can get to it. But more, I totally disagree with your "theory" about passwords. Slash, please keep our passwords in plaintext, or keep it as an option for users who want it.
First, think of your bank account. It's real numbers stored in a computer, numbers that other people shouldn't be able to see or change. So, these numbers need to be protected. You can't effectively encrypt them (without leaving the keys sitting there: the computer needs to get to them) so the issue is purely one of protecting them. Give a computer scientist the task of protecting some vital data and she will set about designing a secure system. It's a fun problem to solve. Well, that's all passwords are: data that needs protecting.
Yes, there are scenarios where hashed passwords allow for a neat trick: knowing the hash lets you authenticate but does not grant you access. But that trick depends on certain elements that are not necessary to guard a website. Think of it this way: if someone gains root access to a website, they don't need an insignificant user's password.
The convenience of Slashdot being able to email a password if someone forgets it is a benefit that far outweighs the difficulty of the task of protecting them.
The most important thing is that the Natalie Portman threads are safe. All things Natalie are sacred beyond price.
Geez, talk about hypocrisy. I'd take DigitalConvergence's treatment of victim's over Slashdot's any day!
icqqm [ICQ:11952102]
To the point that you and everyone else on this site keeps obsessing about, I wrote an entirely separate post about the fallacy of the importance of hashing passwords.
Moderators, you may want to go moderate my other post down: it makes a serious, knowledgeable and accurate point just like this one did. Why should the post I made here be moderated down and not that other one? How can Slashdot continue its plummet if you don't moderate down all people who question the received wisdom of a pack of junior engineers, or not even engineers, who follow each other lemming-like off a cliff. This security breach had nothing to do with hashing. I used a password for Slashdot that I don't care about with an email address that's "phony": I couldn't care less if somebody steals my account. All those to whom this compromise represents a problem: I don't think you are smart enough to lecture Slashdot on the subject of security.
Ladies and Gentlemen, it seems that was not Anonymous Coward posting there it was in fact Hemos... Those things will get through now and again... We apologize for any...
WHAT! WHAT? We got fucking hacked again? Jesus... Oh man this thing is still on?
--click--
This
Bruce
Bruce
You are the real Bruce Perens.
And to think, Andover paid you guys over $6 million each for this site. You'd think a company willing to part with such a huge chunk of change would at least EVALUATE the site. Most companies would be all up IN your koolaid before writing such a check and their audit would have shown that this site is held together by band-aids and paperclips that are 3 years old.
... just the eyeballs it would deliver to their advertising group.
It just goes to show that Andover had no interest in the *site* and it's validity or integrity
I can't say I'm surprised one bit.
--
Yes. Thank you.
The password would not be hashed to prevent someone taking a single account on the machine; the password would be hashed because many people use the same password in a great many places.
It's just common courtesy; hash it, and you at least have taken a step to prevent the damage from spreading just beyond your site. Normal plaintexting is just irresponsible. Think about, say, slashdot-- for each of these users they have a valid email adress and a valid password. How many people you really think are going to be using different passwords for their slashdot account and the e-mail accounts listed on slashdot..?
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
Now that is what proactive security is all about.
I do not deploy Linux. Ever.
As one former boss suggested: Fingerprint scanning. You poke your finger into a hole in the scanning box and if your fingerprint doesn't match it chops off the finger. He assumed they wouldn't try to fool it more than 10 times.
--
Chief Frog Inspector
A feeling of having made the same mistake before: Deja Foobar
> {} is not a valid user.
:)
Of course not! {} is the empty set.
-- Randy
There's no reason a web server host should ever be allowed to initiate connections of ANY sort to hosts outside the local network. All the HTTP requests are incoming-only and only port 80, the only outbound requests the server should make are to the local database server, etc.
Admins needs to understand the concept of 'defense in depth'. Put filters (or a separate filtering router) between the internet and the firewall, disallow outbound access for servers at the firewall, install IP-Filter on the web server hosts themselves, and harden the OS on each host.
Development networks should not have access to the live network, much less the live database.
I do not deploy Linux. Ever.
Encore! Encore! ...
/. needs an Inspired classification.
Damn, wish I could moderate, I'd push that puppy to a 5, but
It is funny, but it's also art.
--
Chief Frog Inspector
A feeling of having made the same mistake before: Deja Foobar
And if you aren't assuming that your password at every site you visit isn't stored in plaintext, then you get what you deserve. Do you use the same password to your online bank as you do on /.? You might as well call for all of /. to be SSL so that people can't sniff your passwords when you log in.
/. has the responsibility to try and protect the site, users have the responsibility to make sure that a breakin anywhere has limited ability to cause us harm.
As so many people have pointed out here and in other security forums, security is all about managing risk. I use the same password here and on a few other sites - but if any one of those passwords is lost, all it means is that someone might be able to post as me here (who cares?) and read NYTimes articles online under my name. Oh dear!
/. should make every attempt to help protect our user information. However, while
"There is more worth loving than we have strength to love." - Brian Jay Stanley
--
> after years of watching secretaries jot down passwords on 3x5 cards and post-it notes and tuck them into the pencil drawer of a desk.
Some of Digital's VT terminals had a data field that would store text, and would echo whatever that text was back to the screen whenever you typed a certain control key. (Sorry - been too long to remember the details.) Lots of lusers in the VAX shop where I worked used to put their username-tab-password in the terminal's data field, so all you had to do is type ^whatever at the terminal, and you were logged in as the terminal's owner.
It didn't bother me too much to discover that the forklift drivers were doing this. But when I found out one of the m0r0n5 with syspriv was doing it...
--
Sheesh, evil *and* a jerk. -- Jade
Don't have to tell me that, after years of watching secretaries jot down passwords on 3x5 cards and post-it notes and tuck them into the pencil drawer of a desk.
Probably the best I ever witnessed was at some economy barn, like a Sam's club. They had the manager's password on a note taped to the front of the monitor, it had been there for some time.
Why don't I just give Anonymous Customer a refund of, oh, $500. Better make that $500.01 or the bean counter will get suspicious.
--
Chief Frog Inspector
A feeling of having made the same mistake before: Deja Foobar
So the sophomore CIS student comes running out of the lab:
Professor! Professor!! I've create a linux distro with no absolutely no way in and installed it on you laptop!
Professor: So how do I log in?
Student: Hmm... I hadn't thought of that.
Seriously, though. I agree with your point. I'll be building my first linux box soon and my plan is to install packages only as I need them. That should as least limit the vulnerabilities. I think. :)
As you can see, we've had our eye on you for some time Mister Taco. In one life, you have a respectable computer discussion site. In the other you use unencrypted passwords and shoddy security measures...
One of these lives has a future, and the other does not... Give us the karma, and we will wipe the slate clean, and you can start a fresh slashdot.
You underestimate how many fucking idiots are on the web :) The security measures I am talking about would have been almost trivial to implement (I think signal 11 provided the meat of the code right in this thread), and would protect the /. crew from (correct) accusations of lax security.
Like I said, when this type of thing happens to other major sites that don't encrypt user data, everyone is quick to say how stupid it is.
----
---- I made the Kessel Run in under 11 parsecs.
---- ;-)
Please don't fame me too much
It's either on the beat or off the beat, it's that easy.
I moderate therefore I rule!
--
Hey, the only things passwords protect on this site are preferences and Karma. Lots of people have seen the slash code and no one thought that Karma was so important.
Comment removed based on user account deletion
Like... put a wrapper on a command to delete a random file.
--
Chief Frog Inspector
A feeling of having made the same mistake before: Deja Foobar
Hahaha, that's very funny (moderators, look at parent poster's names to "get it").
Free music from Jack Merlot.
As if I care about my password. What's someone going to do, log in and post as me?
--
Communication is only possible between equals
So this place has been vulnerable for 3 years now because of plaintext passwords? Great way to push the opensource movement.
Only the State obtains its revenue by coercion. - Murray Rothbard
Because your password changing script doesn't know the password. The password was e-mailed to an address you don't have access to.
-- perl -e'print pack"H*","6e656d6f406d38792e6f7267"'
host -a -l slashdot.org
Wow, cool! Check out http://warez.slashdot.org for cool warez downloads!
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
For the systems (and users) I'm thinking of, I don't think truly random generated passwords would go down well with our user base. I was thinking of random picks from a dictionary.
Thats not to invalidate your reply though - its all valid information. The solution I'm thinking of is the MD5 URL to visit to reset your password. It could be one-time generated with the current time, the user_id and a secret. Thus impossible to guess, and again, the password doesn't get reset until the URL is visited.
Matt. Want XML + Apache + Stylesheets? Get AxKit.
We can do a little better than leaving the keys "sitting there". The typical bank uses a hardware security module (HSM), and the keys only appear in the clear inside the HSM. That stops the hacker from running away with the keys. The Personal-Identification-Number (PIN) is already protected in most banks using the methods I describe below.
The sense of the message, as described, is still correct. If the hacker can make the host call the HSM to decrypt the numbers, than you still have not protected the numbers. That is part of what makes logical security design so much fun :-)
The HSM design approach is to not provide a generic decrypt function. Instead you figure out how the numbers have to be used, and provide narrow functionality that performs just what needs to be done, and nothing more. You also tie the HSM transaction with cryptographic audits. Even if a hacker (or insider) gets into the system, they can't stealthily modify the data (it will be detected during the crypto stage). All they can do is perform a limited set of functions on the protected data (using the HSM), which can be monitored and undone (using the audit trail).
In practice, using an HSM, you can make a system much stronger than the post implied. Note that I am just talking about confidentiality and integrity here, the HSM does not help against deletion and DoS attacks.
Remembering many different passwords isn't that hard if you have a computer do the remembering for you. The catch is that the passwords need to be stored securely enough that you're the only person that can get to them. Someone already mentioned a Windows program that does this. I use Strip, a GPLed password-storing program for the Palm. It stores the passwords in an encrypted database (encrypted in either DES or Idea, whichever you prefer). It also has a decent random password generation feature.
--Phil (Just don't ever forget the password with which Strip's database is encrypted.)
355/113 -- Not the famous irrational number PI, but an incredible simulation!
Or you could just use a slow server like I do.
Will
Frank van Vliet, aka {}, was as well the wizard who managed to put an IIS banner on apache.org some months ago.. I'm really curious for his next hack!
Here is an interview on LinuxSecurity with him.
Comment removed based on user account deletion
- Always change your default passwords (that is the easiest way to get hacked, as seen in The Cuckoo's Egg, a la Hagbard)
- Never store your passwords in plaintext. Preferably, just hash them.
- Never trust a good password to a website. I have a throw-away password I use for unencrypted web stuff; slashdot can have it, and I'm gonna keep it. If they hack my kuro5hin account, I'll survive.
- Hope for the best, expect the worst. If someone compromises your system, it doesn't matter how nice they are about it; make sure you check everything, regardless.
---
pb Reply or e-mail; don't vaguely moderate.
pb Reply or e-mail; don't vaguely moderate.
***** to the ***s who *****d /.
Ahem. I rest my case.
Comment removed based on user account deletion
apt-get slashdot_passwords
dpkg -i hack_slashdot_6_34.deb
. . . setting up God
.
.
install shadow passwords (y/N)? N
Creating user GOD
Enter password: ****
Re-enter password: ****
...
the password you entered was pete. Is this correct (Y/n)? Y
God is now setup. Have fun!
If someone knows your password, then they can change your password. Then you don't know "your" password anymore.
Yes, this is what really costs businesses money, irrespective of whether any damage was done.
Using certificates instead of username+password also eliminates the possibility of my password being stolen when somebody on my LAN or at my ISP sniffs the cleartext HTTP traffic.
This goes back to one of my comments on the question of 'Should Slashdot charge for access?', the concept of having an enhanced account level with SSL support, and giving SSL traffic a higher priority on the WAN/LAN links to the servers.
Call it a 'subscription' and I can get my employer to pay for it.
I do not deploy Linux. Ever.
Thanks for the info. All I know for sure is that it looks like Slashdot, and has Slashdot's content on the main page (and links to it for subsequent pages), but it's fast when Slashdot.org is getting bogged down.
It works now; I just checked.
- W. Blaine Dowler
http://www.bureau42.com
So how did they find the name of the test machine to use then?
From what I remember there was some fancy load balancer in use, and all the real slashdot boxes were behind a firewall...
Steve
---
I like your thinking.
Ok, how about this for a password scheme?
-At account creation, get username, password, e-mail address.
-Hash the password (pick an algorithm)
-At login, hash the password, compare to authorize
-When user forgets password, hash the stored password hash. E-mail it to the email address.
-The user can use the string to reset the password. The reset script just compares the string to the hashed stored password hash.
The reason I'm scrambling it is to so that the string people use to log in can't be used elsewhere.
This is a lot more secure then then plain text, especially if people use the same password in more then once place.
If the password database is compromised, then I would still urge people to change their passwords like Slashdot is doing, but at least people wouldn't have to worry about the actual phrase being known to others.
So the increased security is as follows:
Compromised db does not compromise password when used on other sites.
Cookie does note contain plain text password string - again, safety from other sites.
You're right, it doesn't prevent the cookie from being grabbed (which I acknowledged) or the db.
However, the use of session IDs would solve that first problem, which, like I said, I plan to implement soon.
-- perl -e'print pack"H*","6e656d6f406d38792e6f7267"'
You mean it took 3 years and some 0wning to get taco to fix his security problems. You blast MS for having holes in software but this takes the cake. 3 years!
Only the State obtains its revenue by coercion. - Murray Rothbard
Comment removed based on user account deletion
I'll admit, I'm fairly new to the writing of code for the web, but the first thing I did on taking over someone's site admin was change the passwords from plain text in the cookies and db to crypt() (didn't want to use md5 since a lot of different scripts and programs used the db - crypt is more common).
Even so, the way I have it currently set up is a problem. Someone could grab a copy of the local encrypted cookie, then use it to connect as the user from then on. The easiest way I can think of to solve this is to have the cookie be a combination of a timeout value and the encrypted pass, and store that value in the db as well ('till timeout) but even so, at least user passwords can't be read out of the database in my current setup.
Come on, this is just common sense. It wouldn't have taken 37737 knowledge of perl to have implemented that in the first version of Slashcode.
-- perl -e'print pack"H*","6e656d6f406d38792e6f7267"'
Now, the fact that the default password was used to get into the box is one issue.
Another issue is how the crackers managed to get root after the fact. They exploited known security holes.
Just something to reduce my karma, but since the code is open source, bugs are supposed to be found much more quickly and fixed within a few hours given the right channels. Yet, since the bugs are supposedly easier to find (looking through source code as opposed to trying various techniques to so what happens) than in closed binaries (that is one of the main arguments for open source), we have our lesson for today.
Which is:
If you use open source products, patch early and patch often. If you reinstall an old version, plan to spend a significant amount of time applying patches. Otherwise, those well known and easily-researchable bugs will come back to haunt you in sequential order.
Having been a computer instructor for a year and a half, I have found that there is good news when an authority screws up publicly. First, it shows than no one is an authority on everything. More importantly, when a mistake is made, sometimes students can learn more by finding out how to fix something than how to do it correctly in the first place. This event will have more admins thinking about security today than a dozen security articles would have.
All my programs have but one purpose. They take the contents of RAM and place those contents into a file called 'core'
I dunno if it is appropriate to do this...but there were a coupla comments replying to the first post that got modded down to a -1...I think it was somewhat unfairly......so..here is the UF link that might put these two in perspective so it makes sense and people realize that the reply was not "flamebait" but it sorta made sense.... comic about ******* passwords
thanks.
The anti-salmon
Is that the encrypted string cannot be used to log in, only to try and convince it you are already logged in.
That's why using a combination of a login password and a random session id would make this completely secure, save from packet sniffing.
-- perl -e'print pack"H*","6e656d6f406d38792e6f7267"'
They hacked in, and then they closed up the security hole; that's awfully nice of them. Let's hope that the hackers that crack the SDMI's DMAT aren't so nice (or greedy).
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
Taco should not be so hard on himself over that particular flaw; the real shame should be felt by the million and one fuckheads who downloaded the code and didn't even look at it before installing.
'Course, this puts the whole "security through obscurity" thing in a slightly different light ...
-- the most controversial site on the Web
If any other website had there unencrypted password database stolen, everybody here would be outraged. I can recall more than one story on /. involving such elementary security mistakes. What if I used the same username/assword on every website? Now the hacker has access to my ebay, amazon, buy.com, etc accounts, all because Rob never fixed a major, 3-year-old security glitch.
----
---- I made the Kessel Run in under 11 parsecs.
The feature I'd like to see most is a killfile.
I can block out story authors that annoy me, I wish I could do the same to posters that annoy me.
--K
MODERATORS: Flamebait or Troll. None of this Offtopic, Redundant, or Overrated crap.
---
Comment removed based on user account deletion
It intrigues me why so many apparently sane people would go around condoning cracking just because they told the site owners how they did it. The fact still remains that these crackers have inconvienced every user of slashdot who now have to change their password, and caused the /. team to expend large amounts of effort and money checking the system to see that what the crackers were honest about what they'd done.
/. readers were interested in bettering the IT profession, not supporting the actions that give it a bad name and make us all look bad.
/?
I fail to see how any crack can be considered "nice". Relatively nice I'll give you, but this behaviour is still highly unethical, illegal and a real problem that exists on the internet. I thought
Sigh, I guess the standards have changed again - now you can hack a site as long as you don't kill the system and you tell the owners. How long before it becomes OK to rm -rf
Adrian Sutton
How will I ever remember a new one?
Sounds like a loser with a lot of time on their hands. Well, thats most of slashdot...
Is fascism really all that bad? People need motivation.
Speaking strictly for myself, good luck, CmdrTaco & all the crew...
Bugs are hard to avoid -- thankfully, you were dealing with "white hats" this time. By the way, isn't it funny this information is already available on other sites... ?
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
No, My point in that statement was just that you're calling us "customers" of slashdot, which isn't entirely the way the service works. They want to keep viewers, obviously, but I don't think we directly contribute monetary value to the site aside from the whatever value is added by intelligent user comments. Just pointing out that the traditional company/customer relationship rules don't quite apply here.
As for the condescending part, I think a lot of us geeks just come out that way without realizing it. I got into a long argument not long ago with a guy who treated me basically like crap and called me a GPL zealot when I suggested my sofwtare could be used in a project he was working on without conflicting with the GPL. He took the typically condescending attitude I see coming naturally for most of us, and I took offense. Meaningful communication was broken down because of this.
Most of us are involved in some way in the free software/open source movement, where communication is a critical component of a working business/development model, yet most of us have no idea how to effectively keep communication channels open. I think we need to start collectively thinking before we speak, as there's no excuse to come off unintentionally abrasive when we're dealing with the written word. We can review what we're about to say before we say it -- a luxury not available in most encounters.
--
NeoMail - Webmail that doesn't suck... as much.
Bruce
Bruce
You are the real Bruce Perens.
No, they aren't. My ~/.netscape/cookies file just has my userid in it. Check yours.
Yes they are.
The value of your cookie (last field) should be something like %2533%2532%2534%25[insert encoded password].
Unless you have some deal with slashdot to get a different type of cookie?
Of course, there are other kallisti's I've run into, and kallisti is kind of a troublemaker name, anyway...
Would somebody please tell us next time they crack slashdot, I'm sure there are people that would like to use an exploit to change their nicks
For what it's worth, SQL Server 2000 no longer has that problem by default. The sa login is only created it you choose to have mixed NT security and SQL Server security. If you do choose the mixed route, you're reminded that a blank password is a Bad Idea. You can still install that way, mind you, but it's no longer the default.
--
NEVER make systems with default passwords. Even a 10-year old could come to this conclusion.
- Steeltoe
http://www.debunkingskeptics.com/
. . . you should at least change your password
Oh well, I'd been meaning to change my password anyway. Just hadn't gotten around to it. Now I have.
Live to be Moderated
The last thing we need is for some troll to hack Slashdot and turn it into a goatse.cx mirror (a dream I'm sure has crossed the mind of many a middle-school, immature techno-jerk).
Honestly, though, what other features can we expect to see in Slashcode2? Story moderation (or changes to the overall mod structure)? Perhaps user-definable themes (OK, I know I'm going out on a limb there)? Removal of the suid requirement on the script? Just throwing out some honest questions...
----------
1) Plain text passwords ?! You have got to be kinding me. For something this large I would never use plain text passwords. I would recommend looking into a common MySQL function called password(). If someone looses there passwords, create 2 fields. 1 the old password, the other a temporey field for the new one. If they rember there old password, they are logged in. If they don't, they use the temp one to login and be forced to change it on the spot.
2) You didn't change the default password ?! If this was another site that did this, we would call them stupied. I am sorry, but this is very dumb.
3) If slashdot is insecure, maybe this should be you primary concerin. Take a look at my projects code if you would like. Its a PHP API, but, it could be easly ported. Sorry, shameless plug.
Well, it could have been worse, you could have woken up and had to restore the entire database.
until (succeed) try { again(); }
until (succeed) try { again(); }
Of course, anyone with functioning neurons knows that you use different passwords on each system (especially Web sites where you aren't using any encryption!)
:)
Same goes for changing the default password
Karma: 2.71828182846 (Mostly due to small, fun pills)
No, they aren't. My ~/.netscape/cookies file just has my userid in it. Check yours.
As a matter of fact, there are no passwords in my cookies file at all.
- A.P.
--
* CmdrTaco is an idiot.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
If you run Windows, one program I trust to store password's is Bruce Schneier's Password Safe. Store your passwords in a passphrase-protected database using Blowfish encryption.
Similar (but incompatible) software using Blowfish is available for macintosh, and Palmtops.
I'm still looking for an X11 equivalent.
I do not deploy Linux. Ever.
Mod this up, from what I can figure,
Frank=={}.
"think of it as evolution in action"
But recall that the value of what's in a bank is a lot less than the value of what's on Slashdot. Everybody who is shouting hash the passwords should also be shouting "hash the user names too" but they are not. This leads me to believe that they aren't thinking too hard about the problem.
"He who steals my purse steals trash, but he who steal my good name steals that which enriches him not at all, and leaves me much the poorer.."
[..or something like that.]
t_t_b
--
I think not; therefore I ain't®
I'm on PJ's "enemies" list! Are you?
So, the code looks like this in getUser:
if($uid > 0) { # Authenticate
$I{U} = sqlSelectHashref('*', 'users',
' uid = ' . $I{dbh}->quote($uid) .
' AND passwd = ' . $I{dbh}->quote($passwd)
);
}
So I think you want to change the definition of passwd to be a char(32) and change "passwd = $I{dbh}->quote($passwd)" to "passwd = MD5->hexhash($I{dbh}->quote{$passwd})".
You would, of course, have to change the code for adding users and changing passwords, but you get the basic idea. This is easy stuff. The only thing that it does not allow for is mailing a user their password. How to solve for this?
Well, I would add a two-step process where a users says "I forget my password". You then invent a temporary password which you mail to their email address. This password is sent with a link to a special "verify that you forgot your password" page. If it's an attacker, the primary account password has not changed, and the user gets annoyed by an email message (as they would now). If it is the real user, they authenticate themselves via this temporary token and THEN you email them a new primary password which they are required or at least asked to change immediately. In fact if you want to make it really easy add the temporary token to the URL for the verification page (e.g. http://sd.org/verify?user=ajs&token=3485839828).
All the security of the current system plus encrypted passwords in the database.
For coming up with the new primary password, I would use the trick of using a random dictionary word followed by a random digit and a random noise character. This works out to be around 2^21 easily remembered passwords (about 5e4 words with a good list of 4-6 letter words, 10 digits, 32 noise characters = 16x10^6 = ~2^21). An easily cracked space woefully, but decent for throwaway passwords, especially if they're required to change them.
"Our crack team plugged things back up immediately."
He could have meant that it was a great team... on the ball... a crack team.
load "linux",8,1
Yes, openbsd does a good job in that respect. But I think there are other workable models. OpenBSD makes the tradeoff in favor of security over everything including convenience. If every linux distro came with a firewall that blocked incoming connections, the average user could play around with a fun, fully loaded box and not be at risk. Yes, there'd still be room to make mistakes, but only by doing something rather than by not doing something.
No, now some hacker has access to all your accounts because you're a fucking idiot. No amount of server security can replace good password hiegene on the user's part. In fact Slashdot was hacked due to bad password hiegene (not changing a default one), not poorly implemented security.
Besides, why should a silly little web log have security to protect the crown jewels?
Using Explorer 5.0, I asked for my cookies at the
bottom of the page at http://www.pir.org/nocookie.html
(JavaScript has to be enabled for that test). The site
sent me a test spam that picked up my Slashdot cookie
that I asked for, using the cross-domain cookie reading
bug in Explorer. It sent back the cookie from my disk
in a second email. It has my Slashdot user ID in it AND
my Slashdot password, in plain text. All you need to do
is to make two passes with a URL decoder to get the
hex codes converted.
So all the Slashdot cookies on MS Explorer have been
available for cross-domain reading for a long time,
and anyone who uses a favorite password on Slashdot
has been asking for trouble all that time.
Slashdot is legally liable for failure to exercise
due diligence with personally-identifiable information
provided to Slashdot by its users. If Taco will take
the trouble to contact Andover's lawyer, we can expect
Slashdot to email everyone in their database, advising
them to change their password.
There was some discussion of this a few months ago, but
Slashdot wasn't excited about the issue. I complained
to the CEO of the company that owns Slashdot, but didn't
hear back from him. (Any lawyers out there are welcome
to a copy of my fax to Andover CEO Bruce Twickler,
describing Slashdot's password vulnerability. It is
dated June 10, 2000 and describes precisely the demo
mentioned above in the first paragraph. Send a self-
addressed stamped envelope to PIR, PO Box 680635,
San Antonio TX 78268-0635.)
According to discussions on slashcode.com about three
months ago, some plans were afoot to improve the
situation, but no one seemed to be in any hurry.
The whole point of using a one-way hash to store the
password on the server is so that if your server gets
hacked, you don't have to notify all your users with
an email that says, essentially, "Dear user: We're
incompetent, and your password has been compromised.
Please change it."
you folks being so up front and honest about it. I realize this is not a commercial site, but still, a full acounting the morning after. Gotta like that! I'll change my password if I can remember what it was ;-)
Going on means going far
Going on means going far
Going far means returning
Sorry, but I'm gonna go with white-hat, still. "Immature self-promoting"??? Yeah, like most people, to different degrees. White-hat doesn't mean "I'm holier than Mother Theresa" because that's not realistic. Real people have failings. I choose to respect people, even if they have a few...
You know, that site full of smart ass, 20-20 hindsight kids getting cracked. "We told you all that long haired pinko commie type hippie fag freeware was in secure!", market-troids will cheerfully chirp, "You need to grow up and get yourself a real commerical OS." The New York Times has been making references to SlashDot (not always flattering). Even Scientific American made a snide comment or two this month about the "propeller head crowd on Slashdot." ZDNet will burst, and the clueless will be able to stick their heads in the sand again.
Friends don't help friends install M$ junk.
I will correct you. The output from the md5 function consists of hexadecimal digits. I use strtoupper because i like upper case hex digits.
"The password to the Air Shield is 1 2 3 4 5 sir."
"Brilliant! That's the same password I have on my luggage."
Is this post not nifty? Sluggy Freelance. Worshi
If you have a piece of data that can be used as-is to authenticate, then you have what we usually call "plain text passwords". At least, what you're storing is plaintext. Scrambling it a little to confuse people and not letting people use that password on a web form doesn't really buy you much security. Of course, these days, crypt() and lousy passwords doesn't get you very good security, either...
IOW, your solution doesn't help any. If they get the password db, they can log in. Okay, okay, maybe brain-dead script kiddies can't.
...I guess everyone else is perfect, having never made a mistake. That's what I have learned from this intelligent discourse.
Shit happens, then you wipe.
Don't believe anything I say. I crash test crack pipes for a living.
Humorously enough, all passwords are stored in plaintext, while all "FIRST POSTS", and "HEMOS SUX" messages are stored using MD5.
However, there is hope as I hear the password insecurity will be fixed in the future, somewhere in SlashCode 3, where all passwords will be forwarded in Morse Code to BUGTRAQ for security.
Austin
Just wondering, is {} pronounced
"O-pen-brak-et-klozd-brak-et"
Or is there a Dutch pronunciation???
I thought the passwords were stored as hashes. This sure is one helluva breach of confidence...
Did the hack have some effect on metamoderation? At least since I changed my pw this morning, I can't metamoderate. Damn shame, too.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
--
The shareholder is always right.
You mean root to the box that hosts /.?
I thought they just pulled CmdrTaco's password and logged in to admin.pl and posted the story. Wasn't that the extent of their intrusion?
Well in that case it's too late, isn't it? They should be changing their passwords on their _other_ accounts.
"Well kids, you tried your best, and you failed. The lesson is, never try."
I didn't use the link. I knew better. I logged in and then went to user profiles. Thanks for the warning tho.
The truth shall set you free!
What was the IP address of the test machine?
I just want to make sure I don't accidentally stumble upon it and screw things up again.
Well I can sum it up like this....
Dookie Happens (nice... public... kids might read version)
Good to see some "Nice guy hackers" gettin publicity to show the world that not all hackers are bad.
Ey! Don't believe them. It was all a plot to get Slashdot more traffic and sell more banner ads.
The story supposedly posted by the crackers was signed by CmdrTaco itself. Would he think we wouldn't notice?
Slashdot.org has the highest security. And it runs Linux. And Slashcode is GPLed. You want me to believe that some Dutchmen can crack it?
(Suggestion to moderators: Conspiranoid, +1)
__
__
Men with no respect for life must never be allowed to control the ultimate instruments of death.
GW Bu
Signal 11's karma exceeded an unsigned BIGINT and triggered a buffer overflow leading to an exploit. Slash code operators are encouraged to kick Signal 11 in the nuts until the problem goes away.
If you need (Perl) templating, have a look at Mason, http://www.masonhq.com. It's very fast (runs under mod_perl) and unbelievably flexible.
Chris
Now that's cracking!!!
Hey, you think your house is cool?
I have a throw-away password I use for unencrypted web stuff [...]
I've found that the best way to good password security in reality is to systematically back them up as they're created, to a plain text file which is easily viewable on an simple unconnected box (no network at all) and automatically backed up to floppy diskette (extremely cheap, and multiple copies can be physically strewn about).
As long as I can easily find the passwords again if the GnuPG-encrypted copy of the text file on the connected box (for cut and paste from a temporary unencrypted RAMdisk copy) is mangled, it's much easier to bring myself to make up a zillion different passwords for every conceivable demand).
Sure, a 1337 h4}{02 d00d might rappel down from the roof with Cat-5 cabling and crack open the window with a high-technological assault screwdriver, snatch a floppy diskette labelled "secret valuable password text file" and run hell for leather to get to a terminal from which he can clean out my bank account, but oddly enough, I don't sleep with one eye always open. That ain't gonna happen.
Besides, I also encrypt these sensitive physical-media backup text files with heavy-duty WinZip 8.0 password protection. (The Windows box is for graphical programs that run overnight to render complex images, and it doesn't need to be connected more than occasionally). Even the 1337 d00dz can't crack that.
A truly excellent pizza parlor is a delight unto the heavens. Treasure the sauce and the toppings!
I've been here since Rob was still in school, since before moderation, before accounts. I'm in the first half of 3 digit accounts. I haven't logged in since I posted a comment without reading what I was responding to carefully and being 180 degrees off base. Correct info, wrong context. Result.. Moderated *UP*.
First, other than Slashcode, what has coding Rob done in the past 3 years?
Second. In 3 years *Why didn't he fix a known issue*?
Third. Why didn't he reset *all* passwords already?
Fourth. Are the recipients of the hugs interns? How much do they get paid?
Fifth, He's 'exhausted" BooHooHoo, it must be tough being a 23 y.o. millionaire.
Damn, I can't believe I've been reading slashdot for that long!
I seem to recall consensus at the time was that the attacker probably got in through a hole in BIND 4.9.6, which was distributed with the version of RedHat (5.0? 5.1?) slashdot was running.
--
I must agree. I've been running Crack for both Unix (Solaris and GNU/Linux) and Windows NT where I work, and it's amazing how many passwords were found just in a few minutes. Crack is an extremely cool program.
c 50-faq.html
http://www.users.dircon.co.uk/~crypto/download/
I don't remember where I found the NT port of Crack. Sorry.
Isn't it interesting that one of the biggest security holes is default passwords on services.
Notice that for a long time the most common way of gaining credit card numbers was to find a MS-SQL server that could be accessed from the internet and try and access it with the default username/password.
If you're programming something do us all a favor and make people enter a password during the install instead of having a default.
End dual-measurement, let's finish going metric!
http://gometric.us
Is there anyone else out there who hears warning bells when reading the words, "Change your password immediately here." with a link? Has nobody ever heard of social engineering? I know that I'm not the only person on Slashdot with a mild case of paranoia.
[dsplat ducks under his desk to avoid being spotted by the black helicopters]
The net will not be what we demand, but what we make it. Build it well.
Doesn't everyone just use 'slashdot' for their password?
kc.
kc.
"You'll have to speak up, I'm wearing a towel." - Homer J. Simpson
You all have to pay royalties to me now, because I was faster at getting to the patent office
You store the passwords in plain text?
Dude, that's as lame as something I'd write...
--
Listening for the sound of the coming rain...
Another gratuitous movie quote:
The password is "swordfish"
It's from a Marx brothers movie
and to me represents the ultimate
stupid passwd.
Can't remember which movie, but it
features Harpo (the speechless brother)
pulling a swordfish out of his coat
pocket and waving it at the doorman
in order to get into some exclusive
place.
Is this the promised end? Or image of that horror? KING LEAR
I'm glad somebody else has the dream of customizing the colours of Slashdot .. the white/teal look, while is nice and pleasing to the eye, is getting a little old :/
.. I know, it's white on teal. Cut me some slack here!) would be a nice change of pace!
Now, colour schemes like Enlightenment's (with the nice graphics
------------
CitizenC
Hmm, let me see. This happens with MySQL and Windows, and its like the gates of hell were just opened and all evil allowed to spill out. It happens with Slashdot and Linux, and "oh well, I'll just change my password".
I'm wondering here
the sample story? You know, the one that tells you to login as God/Pete
and also suggests that the first thing you should do is change the password?
<nelson>Ha Ha!</nelson>
Why bother changing your password? It just means that you'll have another unencrypted plain-text password laying around... Besides who really cares if your /. account gets hacked? What are they going to do? Kill your Karma?
Bah! Wait until they get the Slashcode 2.0 up and can affirm that encrypted passwords are being used.
Remember those clever chaps in Milwaukee, the 414's who broke into several DEC systems years ago? Then tried to capitalize on it, by selling their story to Hollywood?
Their big secret was in knowing the default password to the system account [1,2] was SYSTEM, pretty smart of DEC, pretty dumb of users not to change this immediately.
The less we study history, the more we are doomed to relive it.
--
Chief Frog Inspector
A feeling of having made the same mistake before: Deja Foobar
dnnrly
dnnrly
BARAVELLI: Hey, what'sa matter? You no understand English? You can't come in here unless you say "swordfish". Now, I give you one more guess.
Marx brother trivia: Name the fifth Marx Brother.
--
---
eeww, I'll have a crab juice.
Absolutely
Subject: Default admin password with Slashcode.
To: BUGTRAQ@SECURITYFOCUS.COM
Slashcode SA-00:00
Topic: Default Password not Changed in Install Procedure of Slash
Category: Install
Affects: All slashcode prior to 2.0-Alpha (bender)
Credits: Nohican and {} for exploiting.
I. Background
In prior versions of slash there are several issues that one must be aware of that are covered in the INSTALL. One must change the default admin user/passwd from God/Pete to something else.
Proper setup of Slashcode depends on people reading the INSTALL.
II. Problem description
Because of the slash install and code not having something that forces the admin user to change the password, one may inadvertently be leaving themselves open to access from the outside by unauthorized users.
III. Impact
Because there are issues in the design of slash prior to rewrite for 2.0, someone who has access to an admin account with a seclev of 10,000, can find ways of executing arbitrary code by inserting a block as the user running the webserver and thereby possibly gaining unauthorized shell access or access to the database.
As the INSTALL notes, "If you do not change all your passwords, you almost certainly will get haX0rD."
IV. Workaround
Check to see if you have accounts named God, author or author1 and that they are not using default passwords. You may also want to evaluate which accounts have seclev privileges to alter block data.
V. Solution
We will be releasing a new version of the current main branch that will no longer have default admin password and will require you to manually add an admin user.
This issue has been fixed in the development relaese of slashcode (AKA Bender).
________________________________________
Brian Aker
Slashdot Senior Developer
http://slashcode.com/
t_t_b
--
I think not; therefore I ain't®
I'm on PJ's "enemies" list! Are you?
It's: left-curly-brace right-curly-brace or{and}
These: [and ]are left-square-bracket right-square-bracket
hmm..
I wonder if {} knows he's left-curly-brace right-curly-brace or if he, too, thinks he's something-bracket-something..
t_t_b
--
I think not; therefore I ain't®
I'm on PJ's "enemies" list! Are you?
2 years ago we had the bad kind of hacker: he rooted the whole damn system and never told us how they gained entry.
maybe the old hacker should sue nohican and {} for violating his intellectual property
Slashot had a story about 3 weeks ago stating that Western Union got cracked and recommended to their customers to changes passwords and even cancel their credit cards.
--weenie NT4 user: bite me!
--weenie NT4 user: bite me!
"Computers are nothing but a perfect illusion of order" -- Iggy Pop
Zeppo! (or Karl)
dave
There was an opinion column/bitchfest :^) on kuro5hin a couple of days ago asking people if they get a thrill out of bitchslapping script kiddies. Now, these guys weren't script kiddies, but they did get in, and they did let someone know rather than just trying to get a root shell and doing a "rm -rf /*"
/. are taking it OK...a lot of people would probably be calling the authorities in Norway on this one. :^) That attitude sucks, because this is the sort of thing that needs to be fixed (it could easily have been someone less polite) and the people who made their way in did little harm...other than causing extra work. :^)
:^)
Nice to see that the folks running
Kudos to Rob and crew for taking it so well, and letting the truth out into the open; if only everyone took such occurences so well.
Stating on Slashdot that I like cheese since 1997.
This whole thing with Slashcode default passwords reeks of Microsoft.
"The price of freedom is eternal vigilance." - Thomas Jefferson
I was just wondering if Cmdr and the gang had the foresight to include performance trending and DB traffic analysis when they all had their pow-wow to figger out the damage control priorities and tasks when this brown stuff hit the whirly metal things. I mean, everyone and their dog will be changing their password here and they could glean some damned good ideas on how effecient their indexes/lookups/etc are behavin...
/. and the rest are AC's.
Wait, what am I saying? There's only 4 or 5 real people with actual accounts on
Do not taunt Happy-Fun Ball
You mean we're supposed to have a password? :>
Too much of linux and opensource have this idea that boxes should be "locked down" and "hardened" after installation. Really smart people say that, but it's totally wrong. Boxes should start out without known ways of getting in. Any access should be "opened" or "unlocked" or even "softened" if that's what you want to say.
http://dailynews.yahoo.com/h/zd/20000928/tc/mitnic k_to_it_managers_everybody_is_suspect__1 .html is a story about Kevin Mitnick's warning that people are always the weakest link in security. Here we have slashdot admins making a simple password mistake. Just imagine what the average user on a corporate network (with read access to the rest of that network) could do.
I would have made it a link, but either netscape or slashdot kept putting spaces in it because it was so long. Sorry.
WARNING: there is a trojan on your
Can you imagine Taco posting a story: Slashdot has been hacked. To be on the safe side, I'd advise you to revoke your credit cards. That might have been rather nasty.
Well, let's just be happy that nobody cracked a commercial site that HAS credit card records... Oh wait, they did...
--- No quote, no plan, just leave me alone
Exactly! I just hope Slashdot doesn't get a lawsuit for negligence from somebody whose credit card account gets hacked because these guys took the password from Slashdot. Or from somebody who gets sued for a comment they didn't make on some other web site, or ...
Yeah, you shouldn't repeat passwords on multiple sites, but who can remember them all without writing them down?
main(O){10<putchar((O--,102-((O&4)*16| (31&60>>5*(O&3)))))&&main(2+O);}
main(O){10<putchar((O--,102-((O&4)*16| (31&60>>5*(O&3)))))&&main(2+ O);}
LN2 is cool!
For crying out loud, this got moderated *up*? The guy wrote the stuff 3 years ago, when Slashdot users could hardly have been referred to as customers. Heck, even now, I don't know that you can hold them to "Customer focus." Last I checked they weren't charging us anything to use slashdot, and weren't selling our data to anyone for profit. If you want to call loading a banner ad being a customer, then I guess...
But still, that's no reason for the demeaning tone of this post. I just love the way we geeks all tend to rip each other to shreds when we make stupid mistakes, and when we do so, the tone we take is almost always one of "I know everything -- I do no wrong." This should have been moderated as "Flamebait."
You had no moral obligation to inform the readers of anything. Slashdot folks are a pretty educated crew -- we're fully capable of drawing our own conclusions, thank you.
--
NeoMail - Webmail that doesn't suck... as much.
True enough, but do remember that the weakest link defines how strong the chain is.
So what if you encrypt passwords on the server, passwords are stored in cookies on your home machine, as well as sent plaintext over miles upon miles of internet cabling before reaching slashdot.org.
If someone really wanted everyone's slashdot passwords, all they'd have to do is sniff some connection along the way.
Hackers will always hack in. There's no such thing as an invincible system. It's just a matter of time and determination (as we've seen time and time again).
"Darn, my winmodem won't work with Linux? I'll have to recompile it... with my blowtorch."
everybody is so busy with everything else, they forgot an important thing! where can i get that l33t hax00ring tool called "Common Sense"?? you think i'd forget to ask? huh??
Banu
/. does have a short memory span, doesn't it?
Don't you remember what happened to K5?
Bleh.
--
Peter
Nohican.
{} is not a valid user..
-
Meep meep
There's no little piece of trojan code that's going to record my password and send it off to somewhere else, is there? No, probably not...
So, how do we know CmdrTaco wrote this article himself if some cracker/hacker gained god access? Well, it probably was the real CmdrTaco.
Probably.
:-)
It's 11pm, do you know what your deamons are up to?
Why is X on the server at all?
--
My comments and opinions completely reflect those of anyone and anything I am remotely associated with.
Which is easier:
Sniffing 10,000 network connections to get 100,000 passwords
Getting one big password file
--
Non-meta-modded "Overrated" mods are killing Slashdot
(Hey Ryan! Here's your proof!)
I have learned that the real catch is that all new password changes (like the ones we've been advised to make immediately) are being captured by the white hats
I just find it ironic that there have been a couple stories on Slashdot over the last month about security holes resulting from unchanged default passwords (i.e. Microsoft SQL), and now Slashdot falls to the same issue.
Manyt of the posters here talk about throwaway passwords for here (like mine). So it would be interesting to see a report, next week sometime, on how many of us actually followed Taco's advice.
Best Slashdot Co
The person that left the default password on a publically accessible server should be canned.
At any job I've worked, something like this would get the preson responsible auto-canned for not making reasonable efforts to protect company data.
This is a special case, becasue the person who decided to implement a 'default password' in slashcode also works in the company where it is used. CmdrTaco also needs a good butt-kickin. Did feature lust could your judgement?
Also, the idea of storing the user database in clear text on a publically accessible server is also insane. Store nothing on publically accessible webservers.
I totally cringed when CmdrTaco decided to proclaim "No one would ever have gotten in if it wasn't for the default password".
OH MY GOD
I hope he takes a good look at his bliefs surrounding security. That's a very cocky and naive thing to say. I'd submit that someone who believes that enough to say that will most certainly get 'cracked' again. Have a nice day :)
Apologies to Sam Cooke (and Art Garfunkel)
// beldon@scamail.com
"Don't know much about TCP
Even less ICMP
Don't know how to make a subnet class
Even script kiddies would kick my ass
But if an OS that can be bought
Will install securely by default
What a wonderful thing that would be
Don't know much about LAND attack
Don't know how to spoof an IP stack
Don't know much about the port I'm on
Can't decide to leave a daemon on
If I install OpenBSD
And it does most of my work for me
What a wonderful thing that will be
Now I don't claim to be a sys admin
But now broadband's in my town
And I have to put something between me
And the people who know how to bring me down
Don't know much about DDoS
And my shell programming is a mess
Don't know how to build a firewall
Don't know much about nothin' at all
But if I can shield my root account
Without emptying my bank account
What a wonderful thing that would be."
-- Beldon
You have to wonder if someone is using a random moderation bot.
Hm. Easy way to karma whoredom.
Make a bot that meta moderates. Give it some general rules for acceptable moderation (that won't get negative meta moderation)
Wait for the inevitable moderation points to be given it. Set it loose moderating, repeat.
-- perl -e'print pack"H*","6e656d6f406d38792e6f7267"'
It's archived here.
---
Despite his attempts to use the ESR-friendly term "cracker" in this story, we see at the end that not even Taco really thinks that cracker is the correct terminology:
"Honestly, thats the best kind of hack. 2 years ago we had the bad kind of hacker: he rooted the whole damn system and never told us how they gained entry."
So next time Taco posts an article where he whinges about the difference between "hacker" and "cracker", it's pure pandering to the unwashed masses on /.
Is this what happens when you put PERLs before Swine?