Firefox Community Site Hacked
Ryan Paul writes "The Mozilla Foundation reveals that remote attackers infiltrated the SpreadFirefox server by exploiting a site vulnerability. While it appears as though no personal information was accessed, e-mails were sent to inform all registered SpreadFirefox users of the breach. Ars Technica has the complete story." From the Ars article: "Preliminary analysis indicates that the exploit was limited to SpreadFirefox exclusively, meaning that other Mozilla Foundation web sites were not attacked or compromised. The vulnerability, which was exploited by 'unknown remote attackers,' could potentially have enabled the forces of computing darkness to obtain the username and password of every registered SpreadFirefox user, as well as any other optional information that users may have provided, including: real name, web site URL, e-mail address, IM screen name, and home address."
Registered users at the promotional Mozilla community site SpreadFirefox.com were greeted this morning by an e-mail informing them that a July 10 security breach could potentially have enabled attackers to acquire a massive amount of private user data.
It is likely that exploit was facilitated by a recently discovered vulnerability in Drupal, the open source CMS utilized by SpreadFirefox and other community sites. I have not yet been able to verify my suspicions on the matter, as the Mozilla Foundation has not yet revealed exactly which vulnerability was exploited.
If it was due to the vulnerability present in older versions of Drupal (pre June 29th) then it was the admins of spreadfirefox.com that left it unpatched until July 10th (11 days). There is no excuse for that kind of delay in patching a vulnerability on a system that could affect as many users as SpreadFirefox caters to.
As an organization or community gains increased exposure, it is more prone to gain the attention of those with nefarious intents. Spread FF servers are running Apache on Red Hat, so this was not a MS vulnerability but more likely Drupal CVS. Perhaps it was a local attack from Oregon itself? Incidents like this will only continue to rise. It is the obligation of the F/OSS community to ensure the GNU/Linux vulnerabilities are eradicated to support other F/OSS projects like SpreadFireFox.
If we don't fight for ourselves no one will.
After reading in the article that they were using Drupal, I hope that they use some of that $10,000 in donations that they received to patch any additional security problems.
"What do you think?" "I think 'What, do you think?!'"
I am *so* glad I use random passwords that are coordinated in a deeply-encrypted PGP file on an encrypted smartcard :_) for my spreadthefox.net password.
Promote freedom; fight fascism.
How many people upon reading the headline immediately suspected that Microsoft is behind this?
Technoli
Why would you ever give all that personal info to a random website? Even if you're a big Firefox advocate, what possible value does it add to the project to provide them with your home address? At best, you're going to get spammed. At worst, you get your identity stolen. Duh.
I want to delete my account but Slashdot doesn't allow it.
could potentially have enabled the forces of computing darkness to obtain the username and password of every registered SpreadFirefox user
Wow. You mean to tell me that they (spreadfirefox.com) were storing passwords locally and in non-hashed (+salt) form?
They must have been running IIS, because we know that anything else is infallible. *rolleyes*
Sometimes, people get lazy.. Then they get hacked.
That means they would know my password is password, my name is jo daddy and my email is anonymous124341234@hotmail.com. Oh no.
Evolution or ID?
If so, why?
If not, how would the passwords be obtained?
It's fortunate that the vast majority of people won't hear about this or something like it. Even though this hacker attack doesn't actually involve a flaw in the Firefox or Mozilla browsers, something like this could definitely scare away potential users who are wary of giving up their Internet Explorer anyway.
Aww... Our little baby fox is growing up! Look, it just had a first big script kiddie attack trying to take over one of its sites.. Ah, how this time passes. Only yesterday it was a tiny alpha project no one cared about... I think this only goes to show that Firefox is really becoming more popular nowadays.
I'm terminally incoherent
From: admin@spreadfirefox.com
Reply-To: admin@spreadfirefox.com
To: announce@spreadfirefox.com
Date: Jul 15, 2005 2:52 AM
Subject: Spread Firefox outage and privacy breach notice
On Tuesday, July 12, the Mozilla Foundation discovered that the server hosting Spread Firefox, our community marketing site, had been accessed on Sunday, July 10 by unknown remote attackers who exploited a security vulnerability in the software running the site. This exploit was limited to SpreadFirefox.com and did not affect other mozilla.org web sites or Mozilla software.
We don't have any evidence that the attackers obtained personal information about site users, and we believe they accessed the machine to use it to send spam. However, it is possible that the attackers acquired information site users provided to the site.
As a Spread Firefox user, you have provided us with a username and password. You may also have provided us with other information, including a real name, a URL, an email address, IM names, a street address, a birthday, and private messages to other users. We recommend that you change your Spread Firefox password and the password of any accounts where you use the same password as your Spread Firefox account. To change your Spread Firefox password, go to SpreadFirefox.com, log in with your current password, select "My Account" from the sidebar, select "Edit Account" from the sidebar, then enter your new password into the Password fields and press the "Save user information" button at the bottom of the page.
The Mozilla Foundation deeply regrets this incident and is taking steps to prevent it from happening again. We have applied the necessary security fixes to the software running the site, have reviewed our security plan to determine why we didn't previously apply those fixes in this case, and have modified that plan to ensure we do so in the future.
Sincerely,
The Mozilla Foundation
Firefox, I'd like to introduce you to "wide-spread" usage.
Wide spread usage, this is firefox.
(sarcastic comment overload)
In the very discussion about that exploit here on ./, several (highly upmoderated) posts were highlighting spreadfirefox as a popular user of that CMS.
No patching even after being presented as an example for a vulnerable site is more than just negligence.
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
SpreadFirefox.com is based on Drupal CMS, and is in no way a sign that Mozilla can be hacked because of this. Yes, anything and anyone can be hacked, but I keep seeing a lot of people think that the Mozilla Foundation is at risk. But not with this hack, because they (Mozilla) don't run Drupal. Drupal has had vulnerabilities like this before in their older versions (I got attacked with it on my Online Portfolio site, which ran a vulnerable version of Drupal).
Just clearing that up for people.
I for one welcome our new forces of computing darkness overlords.
As mentioned previously, it happens to the best of us, so we all need to be on top of keeping up with patches and installing them.
Get some.
as well as any other optional information that users may have provided, including: real name, web site URL, e-mail address, IM screen name, and home address.
That's precisely why you should always treat information submitted to a site like Spread Firefox as though it will be released to the public sometime in the future. If you aren't ready for everybody to have access to your home address, then simply don't release your home address.
Do you like German cars?
they'll be turned inned..if they're lucky.
Evil people don't think they're evil. - George Lucas, Making of Ep III
This kind of thinking is wrong and outdated.
What you are saying is, if I have a door and the lock breaks, it is my fault if I get robbed because I did not change the lock??
The problem is with the criminal who breaks into websites. If I wanted zero security for my website, I should be allowed to have zero security and not have anyone hack in.
I don't know the answer. Do we increase jail time for hackers? Do we lock out countries where we know there are problems, have an internet embargo. Nothing in and nothing out? Do we change the whole internet to require some form of identification from everyone who uses it, something more than an IP address that can be spoofed. How do we stop people from hacking websites and causing disturbances?
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
Lots of people probably use the same password for their email and websites such as SpreadFirefox. If any users use webmail and provided their email address, this could be a big problem. I would have thought that SpreadFirefox would have used hashes and salt on their passwords, but apparently this isn't the case.
It looks like the Mozilla Foundation realized this too:
While there is currently no evidence that the attackers acquired user data, the Mozilla Foundation suggests that registered users change their password and "the password of any accounts where you use the same password as your Spread Firefox account."
When I read this the first thing that went through my mind is that someone targeted the site. But it sounds like a spammer just used it to send out emails (as far as I know now). Based upon this I doubt that the site was even targeted at all. I bet an automated script searched through Google and is looking for Drupal sites to exploit. phpBB has this happen quite a bit. Once a site is found the script automates the hack and then sends out the spam.
My guess is that the spammer didn't even know what site they hacked.
Quality Hosting e3 Servers
I really doubt that any passwords were even there. Any site with brains is storing it as an MD5 hash. In fact I've never used any content management systems or forum software that stored it as plain text.
It's unfortunate when hard working people have this done to their site. It must test their resolve when they see people with no dignity do this.
Voice your opinion!
No worries. All that means is some geek in a Dr. Doom costume might show up at other nerds' parents' home looking for the comic book convention being held in the basement.
EvilCON - Made Famous by
well obviously one jackass thought of it, and two jackasses modded it "insightful".
(Yes, I saw "they didn't get any personal data" on the page. But are you certain of this?)
Tangentially, my copy of FF 1.04 still hasn't realised that there is an upgrade, and even more worrisome, can't find one when I tell it to go looking. Seeing that I don't use it as a primary browser, I'm not too concerned for my installation. (Also, I've already downloaded the 1.05 release thru Opera, I'm just waiting to see if 1.04 wakes up before I install the update.) If this is a widespread problem, this could cause problems down the road.
.. paranoid crackpot leftover from the days of Amiga.
Goodbye Firefox. Welcome Firefix!
http://drupal.org/mailing-lists
You have to be on mailing lists so you know as soon as a sec update is out. Being on BugTrac and SecFocus is recommended too, but AT LEAST be on lists for daemons or things like this you're running!
bad_outlook
--
Is this vague enough for you?
"How many people upon reading the headline immediately suspected that Microsoft is behind this?"
How many think this place is becoming predictable?
I suppose I just did a double-take. Kinda like when I heard when Iraqi terrorists kidnapped the diplomat of Egypt. Why do hackers hack SpreadFirefox?
1) Mozilla's the good guys. Microsoft's the evil empire.
2) As said in the summary, these guys could get, "real names, web site URLs, e-mail addresses, IM screenames, and home addresses." No credit card information, no bank account numbers, nothing of value other than matching a name&address to a login. Since nobody's sharing any MP3s or warez or doing anything illegal, how does a name&address hurt anybody?
3) I myself hadn't even heard of SpreadFireFox's website until today. It's not a big-name deal. I doubt anybody's going to get their name on CNN for this. So, no publicity beyond Slashdot.
So, why hack SpreadFirefox?
"It doesn't look like the attacker accessed any personal data on the site, but to be safe, we're encouraging all of our users to log in and change their passwords."
Why should I trust their competency now? They let their server be compromised by a very well-known, well-publicized, and fixed/patch-available vulnerability. How can I be sure that the operators of the attacked site are capable of properly analyzing the attack? I mean, if they can't even keep up to date with the latest patches, then how can they even be remotely capable of giving an intelligent assessment of the intrusion?
But I digress. Does anybody have a list of other well-known sites administered by these same individuals? I want to make sure that if I'm using any of those sites that my data is safe (or removed from such sites).
Cyric Zndovzny at your service.
If they broke in and the system was properly designed, shouldn't they have what amounts to an /etc/passwd file which they then have to crack? In other words, if you used strong passwords, you should be safer than if you used "Z1ON101" or "secret" as the password?
Not that this by any stretch of the imagination implies that a "strong" password can't be cracked in this situation, just that it's more trouble.
The GP post says there's no excuse, it is not entirely the admins' fault, but they could have prevented it. I bet they won't get caught like that again. That's the answer.
I keep hearing about how products like PHP-Nuke, phpBB and now Drupal are quite vulnerable and easily cracked or exploited. Is this caused by inherent flaws within PHP, or is it because of improper installations? If it is because of improper installations, is that because it is extremely difficult or time consuming to properly secure a PHP installation?
I have been considering moving some sites to a PHP-based system for some time now, but after hearing stuff like this I just don't know about PHP anymore.
Cyric Zndovzny at your service.
So where one encoded password could have many decoded representations?
Transcend Humanity. Please.
Drupal requires security patching, shipped XML_RPC pear library in php vulnerable, phpBB open to spam hacks, phpnuke and derivs allow remote url inclusion for DDOS hackers :: pants as he sends out client update emails and applies patches::
This is just another PHP growing pain. Sysadmins continue to watch the patches. Perl mongers.. "I told you so" is over rated...
My Thoughts, Kyndig
the forces of computing darkness better get the cyberjustice league...
Down with Druplicon!
http://drupal.org/node/9068
It's a bit early to suggest that it was an automated attack. While that is of course a possibility, there has been very little actual information from the SpreadFirefox people. Until they disclose far more information about this attack to the public (which may not happen if they are pursuing this matter via the authorities), it is a false reassurance to suggest that it was only automated and that no data was maliciously stolen.
Cyric Zndovzny at your service.
...yes, it would be at least partially your fault for not fixing your lock when you knew about it. Contributory negligence, something like that, at least in a *practical* sense, although not in a strictly legal sense. The real world has bad guys, always has, always will, and to just wish them away is sorta silly, because it just isn't going to happen, ever.
Exploit they used:
"I found out that there's a "new" drupal exploit which allows posters to inject arbitrary code into the system for execution on the server -by way of comments. The Drupal.org site is presently down, and apparently has been last night. If you're running Drupal 4.5.1 or 4.6.2, turn off your comments. For visitors here, I'm sorry that you presently cannot comment and I'll turn them back on as soon as possible."
http://www.knowprose.com/node/2866
Sample source code of the exploit:
http://www.milw0rm.com/id.php?id=1088
Red Hat Advanced Server 3.0 powers spreadfirefox.com:
Response Headers - http://www.spreadfirefox.com/
Date: Fri, 15 Jul 2005 20:01:52 GMT
Server: Apache/2.0.52 (Red Hat)
This vulnerability has been known for over 2 weeks. Was there no Redhat patch available or did the admins slack off?
Also, isn't it strange how Drupal gets 2 posts on Slashdot in the same day?
Community, OSL and Sun Jump to Drupal's Rescue - http://it.slashdot.org/article.pl?sid=05/07/15/12
-Joe
Thanks for the patch, helped a lot. :)
The issues are not due to PHP but due to the code being written. If you have stuff like register_globals on, you open a whole slew of possible issues.
But it's not just PHP, it's also the system administrator who runs the server. For example, if there is an issue with the way a php web application issues a system() type command, if the system was setup with SELinux, it wouldn't matter since Apache would be severely limited in what it could read or write.
Regardless of who is to blame, I have seen far too many issues with CMS programs - I just write my own. The only place where I go premade is with forums - I like phpBB. As long as you sit on a mailing list and patch when issues appear, you will be okay.
SearchIRC - Now with live chat directory!
Well as I pointed out, the community has created expectations through its "advocacy" that are presently both blinding it, and coming back to bite it.
I really doubt that the passwords were ever vulnerable since SpreadFirefox runs on Drupal and I'm fairly certain that Drupal hashes them (MD5) before storing them in the database. Worst case then would be that people got the hashes and could hack them, but it's quite a chore for a fairly unimportant login (it's not like it's my banking data).
Anyone else get creeped out when big commercial sites don't hash passwords (and can therefore recover them)?
How secure would a hashed password be, if it uses the user name and another key as the salt?
For example, say my username is SoCalChris, and my password is 12345. When it hashes the password, it would hash "SoCalChris12345SomeRandomKey".
Would that be more secure than just using a key, so that all password hashes use the same salt?
I'm thinking that by using the username in the salt, it makes it impossible to do a brute force attack for all users at the same time, but would instead make it so that you have to brute force each account's hash on its own.
Does that make sense, or am I way off?
Or to run out the old line, "Forget about security fixes. Why did the developers write insecure, buggy code to start with?"
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
The bug appeared on July 8th, only a week ago, on his blog. So the well-known and well-publicized part of your argument is questionable. Second, the last patch from Drupal is dated June 29th, 2005 as of this writing (check their website, Drupal.org), which means there's NO patch available. Their only fix being disabling the comment section, which might be unacceptable due to the nature Spread Firefox operates.
So stop jumping to conclusions. At least they publicize their attacks. Imagine all those websites you visited by company, how do you know if they got hacked and they never told you?
In US, you can easily buy enough major firearms to wipe out your neighbourhood but a few little fireworks are banned.
Microsoft was seen whistling and acting all too casual while leaving the area.
MadOgre.com
SpreadFirefox uses a variant of Drupal, named CivicSpace. Does that make much difference with patching? Maybe only a few aspects are different. I installed it, I've only noticed just some minor changes, nothing too major really (of course, I spent only a few minutes with it), but personally I'd probably stick to Drupal. Larger community base.
- Teja
...this entire thread would be different... Admit it, Linux is not that secure!
I got the email at 1:52 AM this morning... I'm surprised no one submitted the story until just now.
I think this is the appropriate space (and time) to ask a question that I have not yet been able to figure out how to answer. I'm writing an application which needs to store usernames/passwords of various users but not to be authenticated into my application. Rather, that data is needed so that the program I am writing could check email on the behalf of these users. So essentially, there's a third system (let's call it GMail POP server) that needs to know the usernames/passwords that I stored for my users. What is the best way that I could store this information in my database and still have it be safely encrypted. If you think about this, you can't really use a one-way hash function ... So the best I could come up with is to use a simple XOR function to encrypt the passwords and then for my program to use the same XOR function to get them back, but it's very weak and could be easily guessed. Is there a more powerful way to do what I am trying to do?
--
http://unk1911.blogspot.com/
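The question above (credentials that a mail-checking service must hand back in the clear, so a one-way hash is unusable) is normally answered with authenticated encryption under a key kept outside the database rather than XOR. The following is an added example written for this thread, not code from the poster or from Spread Firefox; the `Vault` type, the user-id-as-AAD binding and the sample values are my own construction, and the key source (file, environment, KMS) is an assumption about deployment.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Vault wraps an AES-GCM key. The key must live outside the database that
// holds the ciphertexts (a file readable only by the mail-checking service,
// an environment variable, or a KMS); if it sits in the same database, a
// database theft yields every password, exactly as with the XOR scheme.
type Vault struct {
	aead cipher.AEAD
}

// NewVault accepts a 16-, 24- or 32-byte key and rejects anything else.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Seal encrypts one mailbox password for storage. A fresh random nonce is
// prepended to the ciphertext, and the owning user's id goes in as additional
// authenticated data, so a ciphertext copied onto another user's row will not
// decrypt and any modification of the stored blob is detected.
func (v *Vault) Seal(userID, mailboxPassword string) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, []byte(mailboxPassword), []byte(userID)), nil
}

// Open recovers the password for userID, or fails if the blob was tampered
// with, truncated, or belongs to a different user.
func (v *Vault) Open(userID string, stored []byte) (string, error) {
	n := v.aead.NonceSize()
	if len(stored) < n+v.aead.Overhead() {
		return "", errors.New("stored value too short")
	}
	pt, err := v.aead.Open(nil, stored[:n], stored[n:], []byte(userID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // demo only: a real key is loaded from outside the DB
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, err := NewVault(key)
	if err != nil {
		panic(err)
	}
	blob, _ := v.Seal("user-42", "s3cret-mailbox-pw") // constructed sample
	pw, err := v.Open("user-42", blob)
	fmt.Println(pw, err)
	_, err = v.Open("user-43", blob) // wrong owner: authentication fails
	fmt.Println(err)
}
```

The service that polls the mailboxes is the only process that should hold the key, and rotating it means re-sealing every row.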
You're being a moron. You've got more chance of stopping the sun from rising than you do of catching all the "criminals" who have access to the internet. They're a fact of life, and if you don't realize that, you're living in a fantasy world.
That being the case, it is incumbent upon administrators to secure, monitor, and protect their systems. If they don't do that, sure as hell no one's going to get caught, and it'll happen over and over and over again.
So instead of wishing for pie in the sky or some other such fairy tale, stop whining and secure your damn machines.
Block whole countries? What an extremely bad idea. You know how many evil hackers live in the US and in Europe? Not much of an internet without those two. We could switch to all encrypted connections, which would solve the problem, but cause tons of others, and it's hard to imagine asking regular users to do it. There is, however a way to stop people from Hacking websites...SECURE THEM!
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Boycott cnet. They are a crappy company and they ruin everything they touch.
TVtome was a completely functional website that brought together volumes of information and opinions, and conveniently organized it all. It was created with literally thousands of man-hours, forming the finest source of information on television on the internet. It was one of the websites, combined with imdb and wikipedia, that proved to me how great the internet was at organizing information. Cnet, in one fell swoop, destroyed all of this.
could potentially have enabled the forces of computing darkness to obtain the username and password of every registered SpreadFirefox user, as well as any other optional information that users may have provided
I argued that this should be a prime reason for OpenID or some other distributed authentication system should start being used on the web. That way, you never have to give any unnecessary sensitive information to any website.
God became man to enable men to become sons of God. -C.S. Lewis
Given that Spreadfirefox by its very mission had such sensitive information that could have been used to destroy so many users lives, it is deplorable that the admins were not more tight about security.
KLAATU, BORADA, NIh*ahem*
Q: What do you get when you break a cryptographic hashing algorithm?
A: An excellent compression algorithm.
I hate doing this... but needed.
Get your Unix fortune now!
So, Microsoft finds a security hole in their software and releases a patch. Then Sasser or some other virus or worm exploits the hole in unpatched Windows and raids the Internet. Yet this Slashdot community rails Microsoft for the holes in the first place.
Now take FireFox's open source software based web site. If it has a hole, and it's not patched in time, it's THEIR fault??!! Why can't it be the Windows-users' fault when they don't patch THEIR machines??!
Can't you Slashdot community see that you are being unfair to Microsoft? You blame them for everything, and excuse open source for the very same things! It's alright for open source to have a security hole, because they patch it, and if users of the software don't apply the patch, it's the users' fault. But when MS has a patch, and users don't apply it, it's MS' fault, is it? You hypocrites!
Umm, it was a vulnerability in the *website* not the browser.
I'd muse about whether or not you RTFA, but you appear to have not even read the summary...
Err, unless you were going to compare the widespread use of Apache vs. IIS or something, so as to compare at least one of the products actually hacked into... Or perhaps your post timewarped away from the story about the actual firefox & windows vulnerabilities patched a while back.
Weird, netcraft reports it's running Apache on Linux, but according to the slashdot luser group, Windows and Microsoft products are the only thing with security problems...
i bet they were running linux servers...
Life is like a bag of chips, you never know what's next
Speel
At least it isn't a waste of time like your post is. And this one too.
The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
I'm sure their bad karma played into this some how. Empty promises and covering up for incompetence doesn't go unpunished or unnoticed.
So why not let the spindoctors turn the situation into a positive event. Since the issue is fixed, why not address the usual media and tell everybody that the "Firefox web site is now safer than ever". Others are doing the same and earn billions.
Serves people right for using Firefox in the first place.
I tried to download Firefox 1.05 to my work computer. I got a pop up saying the firewall blocked me and that mirrors.playboy was not an appropriate site!
Religion is the main cause of atheism.
Passwd Composer
n.b. I would have linked the authors website, but it's not responding.
I'm a foundation employee and the guy who wrote the message we sent to Spread Firefox users. A few notes:
Made with DRUPAL, then you continue to help this piece of crap?
ah shucks
(I am a foundation employee, but I am now speaking for myself, not for the foundation.)
You should trust our competency because we almost always stay up-to-date with the latest security updates to all installed software and because we're revising our security plan and procedures to seal up the cracks that this particular software update fell through.
You should trust the foundation's competency because they almost always stay up-to-date with the latest security updates to all installed software and because they are revising their security plan and procedures to ensure that this lapse in the application of security updates does not recur.
On a model 2005 PC, an MD5 hash can be computed in less than a microsecond. A dictionary of 10 million entries can be explored in 10 seconds. Dictionary attacks are really very effective.
And if the site forgot to add per-user salt for each password, the attacker will be able to essentially break all the passwords "in parallel".
If a password was composed by a user and not randomly generated, then it will be cracked by a well tuned dictionary attack.
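The "in parallel" point above, SoCalChris's per-user salt question further up, and the earlier /etc/passwd-style remark all come down to one cost difference, which this added example makes countable. It is not code from the thread or from Drupal: the `Record` table, the sample users (weak passwords named in the thread plus one random one) and the five-word list are my own constructed data, and MD5 is used only because that is the hash the posters discuss.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Record is one row of a stolen password table. Salt is empty when the site
// stored a bare MD5 of the password.
type Record struct {
	User string
	Salt string
	Hash string // hex-encoded MD5
}

// Constructed sample data: the weak passwords named in the thread plus one
// strong random one. The word list is deliberately tiny.
var SampleUsers = map[string]string{
	"jo":         "password",
	"SoCalChris": "12345",
	"neo":        "Z1ON101",
	"rnd":        "k8Qz!vP2#xLw",
}
var SampleDict = []string{"password", "12345", "secret", "letmein", "firefox"}

func md5hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// newSalt returns 16 random bytes, hex encoded.
func newSalt() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// StoreUnsalted mimics a site that hashes the bare password.
func StoreUnsalted(user, pw string) Record {
	return Record{User: user, Hash: md5hex(pw)}
}

// StoreSalted hashes a random per-user salt in front of the password and
// keeps the salt beside the hash (the usual form of what SoCalChris proposes).
func StoreSalted(user, pw string) Record {
	s := newSalt()
	return Record{User: user, Salt: s, Hash: md5hex(s + pw)}
}

// BuildTable stores every sample user with the given scheme.
func BuildTable(store func(user, pw string) Record) []Record {
	var t []Record
	for u, p := range SampleUsers {
		t = append(t, store(u, p))
	}
	return t
}

// DictionaryCost runs a word list over a stolen table and reports which
// accounts fall and how many hash computations it took. Rows sharing a salt
// (all of them, when there is no salt) are attacked together: each candidate
// word is hashed once and compared with every row in the group. With a
// distinct salt per row, every account costs its own pass over the list.
func DictionaryCost(table []Record, dict []string) (cracked map[string]string, hashes int) {
	cracked = map[string]string{}
	groups := map[string][]Record{}
	for _, r := range table {
		groups[r.Salt] = append(groups[r.Salt], r)
	}
	for salt, rows := range groups {
		for _, w := range dict {
			h := md5hex(salt + w)
			hashes++
			for _, r := range rows {
				if h == r.Hash {
					cracked[r.User] = w
				}
			}
		}
	}
	return cracked, hashes
}

func main() {
	for name, store := range map[string]func(string, string) Record{
		"unsalted": StoreUnsalted, "salted": StoreSalted,
	} {
		cracked, n := DictionaryCost(BuildTable(store), SampleDict)
		fmt.Printf("%-8s hashes=%d cracked=%v\n", name, n, cracked)
	}
}
```

The salt only removes the shared-work shortcut (5 hashes versus 20 here, and the random password survives either way); at sub-microsecond MD5 speeds each per-account pass is still cheap, which is why a deliberately slow password hash such as bcrypt or PBKDF2 is the other half of the fix.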
It had everything to do with site admins not updating their CMS software after a 10 day old critical bug had been patched.
-- No matter how great your triumphs or how tragic your defeats, approximately one billion Chinese couldn't care less.
I remember a cool screenshot (Goatse free, Harry Potter spoiler free, pr0n free) of firefox displaying this website.
Thinking of this poor 18 million people...
So the owner of the store is at fault for storing his customers' valuables somewhere that it is easy to steal?
Yes. As I recall from my Law professor, "If you take someone's dog for a walk, and it gets hit by a meteor, you ARE responsible for injury to the dog, because you took the dog to a place that was susceptible to meteor showers."
That's pretty much how the system works.
Is that the kind of laws we want?
Um, no. Take that up with your Representative, President, etc.
and I am to blame for not replacing the locks?
Yes.
What if the Jewelry store did not want any locks?
Then he's probably a dumbass. And an optimistic one at that.
What if all they wanted was for people to obey the law?
Aw. How sweet. Wouldn't that be nice. Maybe in Demolition Man. But even that system wasn't quite perfect.
Are we living in a society with no honor?
Um. Yes. Money is our new form of honor. Money and lawyers.
Are we living in a time when everything that is wrong is okay, the "poor me" I did not mean to do it, but it was too tempting?
This kind of reminds me of the story of the guy and the girl that both get wasted and both decide to hook up. For some reason the next morning, the guy is at fault, and the girl is a 'victim'.
Many fewer people stole, lied, and cheated.
Now we have computers, cooler cars, and all in all more cool shit to steal. It's more tempting.
It seems like every deviant lifestyle is being accepted as normal.
Yeah. And it sucks. We need to bring back corporal punishment.
I dunno what to tell you. Life's a bitch.
Partial Credit: The Engineer's Best friend
"Well, the bridge didn't fall all the way down!"
see this is why I hate posting on slashdot. People mod these innocent posts down just because they think the post is lame. Is this joke funny? Maybe to some people and maybe not to others, but to mod this down just because you don't like it is stupid. Just ignore the post if you don't like it or don't agree with it. Why do you mod someone's post down especially since he's just trying to be funny, not offensive or bitchy.
You infidel! I'M the Pope. I challenge you to a Deathmatch of Doom (tm) to prove which one of us is the proper pope!
Are you serious? Keeping patches "almost always" up to date is a sign of competency? Tell me this is a big motherfucking joke.
It is no wonder this incident happened. You people put yourself in a position with great responsibility, and truth be told, you have failed the entire open source community.
Cyric Zndovzny at your service.
A week in the Internet world is equivalent to centuries offline. A week is far more than enough time for this problem to be known about, and then fixed. One would expect that these individuals would be capable of fixing the situation themselves, even if a patch wasn't immediately available. But expecting them to show some degree of systems administration competency is obviously far too much to expect from them.
Even if they did have to disable the comments temporarily as a last resort, that would be far better than compromising such a massive amount of private data.
And why do you consider the fact that they publicized the attack a mitigating factor in any way? That is what they should have done regardless. It doesn't make them any better because they fucked up severely and told us about it. It just means they were doing exactly what they should have done: admitting their guilt in this matter.
Cyric Zndovzny at your service.
I think an organization that almost always does the right thing, owns up to errors, and makes changes to ensure those errors never recur is competent, yes. I'd much rather trust an organization like that than one which claims to be perfect.
Can you elaborate more on what is being done? I mean, I'd like to see a point-by-point analysis of what exactly went wrong, who failed to act, and what exact steps have been done to remedy the situation.
Will the administrators actually put together such a report once they get everything back on line? Will they be able to show us exactly what they have done to protect our personal information?
This incident reflects very poorly on the entire open source community. The very least those responsible for this fiasco could do is give us an extremely detailed report about the situation.
Cyric Zndovzny at your service.
I really can't stand registering at every cockamamie web site left and right, just to see the info, or interact with the info. Every time you use a password, or have to remember a password, you are giving someone the enticement of a lock to break, and one more burden for yourself. One day, you are going to use some easy to remember toss off of a password with someplace that has some real info and financial stake tied into it. Of course, the registration keeps away the riff raff that would NOT register, and abuse the site that way. And unfortunately, if it comes back to burn anybody, it doesn't come back to burn the web site that needlessly asked for too much info in the first place- it burns the users of that site. Well, maybe a bit of bad publicity might be spread for the site, but really like that actually hurts.