Firefox Community Site Hacked
Ryan Paul writes "The Mozilla Foundation reveals that remote attackers infiltrated the SpreadFirefox server by exploiting a site vulnerability. While it appears as though no personal information was accessed, e-mails were sent to inform all registered SpreadFirefox users of the breach. Ars Technica has the complete story." From the Ars article: "Preliminary analysis indicates that the exploit was limited to SpreadFirefox exclusively, meaning that other Mozilla Foundation web sites were not attacked or compromised. The vulnerability, which was exploited by 'unknown remote attackers,' could potentially have enabled the forces of computing darkness to obtain the username and password of every registered SpreadFirefox user, as well as any other optional information that users may have provided, including: real name, web site URL, e-mail address, IM screename, and home address."
Registered users at the promotional Mozilla community site SpreadFirefox.com were greeted this morning by an e-mail informing them that a July 10 security breach could potentially have enabled attackers to acquire a massive amount of private user data.
It is likely that the exploit was facilitated by a recently discovered vulnerability in Drupal, the open source CMS utilized by SpreadFirefox and other community sites. I have not yet been able to verify my suspicions on the matter, as the Mozilla Foundation has not yet revealed exactly which vulnerability was exploited.
If it was due to the vulnerability present in older versions of Drupal (pre June 29th) then it was the admins of spreadfirefox.com that left it unpatched until July 10th (11 days). There is no excuse for that kind of delay in patching a vulnerability on a system that could affect as many users as SpreadFirefox caters to.
As an organization or community gains increased exposure, it is more prone to gain the attention of those with nefarious intents. Spread FF servers are running Apache on Red Hat, so this was not an MS vulnerability but more likely Drupal CVS. Perhaps it was a local attack from Oregon itself? Incidents like this will only continue to rise. It is the obligation of the F/OSS community to ensure the GNU/Linux vulnerabilities are eradicated to support other F/OSS projects like SpreadFireFox.
If we don't fight for ourselves no one will.
After reading in the article that they were using Drupal, I hope that they use some of that $10,000 in donations that they received to patch any additional security problems.
"What do you think?" "I think 'What, do you think?!'"
I am *so* glad I use random passwords that are coordinated in a deeply-encrypted PGP file on an encrypted smartcard :_) for my spreadthefox.net password.
Promote freedom; fight fascism.
How many people upon reading the headline immediately suspected that Microsoft is behind this?
Technoli
Why would you ever give all that personal info to a random website? Even if you're a big Firefox advocate, what possible value does it add to the project to provide them with your home address? At best, you're going to get spammed. At worst, you get your identity stolen. Duh.
I want to delete my account but Slashdot doesn't allow it.
could potentially have enabled the forces of computing darkness to obtain the username and password of every registered SpreadFirefox user
Wow. You mean to tell me that they (spreadfirefox.com) were storing passwords locally and in non-hashed (+salt) form?
that means they would know my password is password, my name is jo daddy and my email is anonymous124341234@hotmail.com. oh no.
Evolution or ID?
It's fortunate that the vast majority of people won't hear about this or something like it. Even though this hacker attack doesn't actually involve a flaw in the Firefox or Mozilla browsers, something like this could definitely scare away potential users who are wary of giving up their Internet Explorer anyway.
Aww... Our little baby fox is growing up! Look, it just had a first big script kiddie attack trying to take over one of its sites.. Ah, how this time passes. Only yesterday it was a tiny alpha project no one cared about... I think this only goes to show that Firefox is really becoming more popular nowadays.
I'm terminally incoherent
From: admin@spreadfirefox.com
Reply-To: admin@spreadfirefox.com
To: announce@spreadfirefox.com
Date: Jul 15, 2005 2:52 AM
Subject: Spread Firefox outage and privacy breach notice
On Tuesday, July 12, the Mozilla Foundation discovered that the server hosting Spread Firefox, our community marketing site, had been accessed on Sunday, July 10 by unknown remote attackers who exploited a security vulnerability in the software running the site. This exploit was limited to SpreadFirefox.com and did not affect other mozilla.org web sites or Mozilla software.
We don't have any evidence that the attackers obtained personal information about site users, and we believe they accessed the machine to use it to send spam. However, it is possible that the attackers acquired information site users provided to the site.
As a Spread Firefox user, you have provided us with a username and password. You may also have provided us with other information, including a real name, a URL, an email address, IM names, a street address, a birthday, and private messages to other users. We recommend that you change your Spread Firefox password and the password of any accounts where you use the same password as your Spread Firefox account. To change your Spread Firefox password, go to SpreadFirefox.com, log in with your current password, select "My Account" from the sidebar, select "Edit Account" from the sidebar, then enter your new password into the Password fields and press the "Save user information" button at the bottom of the page.
The Mozilla Foundation deeply regrets this incident and is taking steps to prevent it from happening again. We have applied the necessary security fixes to the software running the site, have reviewed our security plan to determine why we didn't previously apply those fixes in this case, and have modified that plan to ensure we do so in the future.
Sincerely,
The Mozilla Foundation
Firefox, I'd like to introduce you to "wide-spread" usage.
Wide spread usage, this is firefox.
(sarcastic comment overload)
In the very discussion about that exploit here on ./, several (highly upmoderated) posts were highlighting spreadfirefox as a popular user of that CMS.
No patching even after being presented as an example for a vulnerable site is more than just negligence.
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
You can crack MD5 hashes.
RTJKJAS
SpreadFirefox.com is based on Drupal CMS, and is in no way a sign that Mozilla can be hacked because of this. Yes, anything and anyone can be hacked, but I keep seeing a lot of people think that the Mozilla Foundation is at risk. But not with this hack, because they (Mozilla) don't run Drupal. Drupal has had vulnerabilities like this before in their older versions (I got attacked with it on my Online Portfolio site, which ran a vulnerable version of Drupal).
Just clearing that up for people.
As mentioned previously, it happens to the best of us, so we all need to be on top of keeping up with patches and installing them.
Get some.
as well as any other optional information that users may have provided, including: real name, web site URL, e-mail address, IM screename, and home address.
That's precisely why you should always treat information submitted to a site like Spread Firefox as though it will be released to the public sometime in the future. If you aren't ready for everybody to have access to your home address, then simply don't release your home address.
Do you like German cars?
they'll be turned in... if they're lucky.
Evil people don't think they're evil. - George Lucas, Making of Ep III
Lots of people probably use the same password for their email and websites such as SpreadFirefox. If any users use webmail and provided their email address, this could be a big problem. I would have thought that SpreadFirefox would have used hashes and salt on their passwords, but apparently this isn't the case.
It looks like the Mozilla Foundation realized this too:
While there is currently no evidence that the attackers acquired user data, the Mozilla Foundation suggests that registered users change their password and "the password of any accounts where you use the same password as your Spread Firefox account."
When I read this the first thing that went through my mind is that someone targeted the site. But it sounds like a spammer just used it to send out emails (as far as I know now). Based upon this I doubt that the site was even targeted at all. I bet an automated script searched through google and is looking for drupal sites to exploit. phpBB has this happen quite a bit. Once a site is found the script automates the hack and then sends out the spam.
My guess it that the spammer didn't even know what site they hacked.
Quality Hosting e3 Servers
I really doubt that any passwords were even there. Any site with brains is storing it as an MD5 hash. In fact I've never used any content management systems or forum software that stored it as plain text.
It's unfortunate when hard working people have this done to their site. It must test their resolve when they see people with no dignity do this.
Voice your opinion!
No worries. All that means is some geek in a Dr. Doom costume might show up at other nerds' parents' home looking for the comic book convention being held in the basement.
EvilCON - Made Famous by
(Yes, I saw "they didn't get any personal data" on the page. But are you certain of this?)
Tangentially, my copy of FF 1.04 still hasn't realised that there is an upgrade, and even more worrisome, can't find one when I tell it to go looking. Seeing that I don't use it as a primary browser, I'm not too concerned for my installation. (Also, I've already downloaded the 1.05 release thru Opera, I'm just waiting to see if 1.04 wakes up before I install the update.) If this is a widespread problem, this could cause problems down the road.
.. paranoid crackpot leftover from the days of Amiga.
http://drupal.org/mailing-lists
You have to be on mailing lists so you know as soon as a sec update is out. Being on Bugtraq and SecurityFocus is recommended too, but AT LEAST be on lists for daemons or things like this you're running!
bad_outlook
--
Is this vague enough for you?
What you are saying is, if I have a door and the lock breaks, it is my fault if I get robbed because I did not change the lock?
Nice way to twist the argument.
Except that if it was widely publicized that ABC, Inc locks had a fatal flaw in them, but there was a modification to make it secure. But you didn't and somebody exploited that flaw to steal stuff.
Yes you'd bear some responsibility since you're housing OTHER peoples data and not doing everything reasonable to protect that data...and applying patches is plenty reasonable.
People in cars cause accidents....accidents in cars cause people
The sad fact is that if you left you front door open and an address available to pretty much everyone across the globe how soon do you think someone would come through to steal stuff ?
"It doesn't look like the attacker accessed any personal data on the site, but to be safe, we're encouraging all of our users to log in and change their passwords."
Why should I trust their competency now? They let their server be compromised by a very well-known, well-publicized, and fixed/patch-available vulnerability. How can I be sure that the operators of the attacked site are capable of properly analyzing the attack? I mean, if they can't even keep up to date with the latest patches, then how can the even be remotely capable of giving an intelligent assessment of the intrusion?
But I digress. Does anybody have a list of other well-known sites administered by these same individuals? I want to make sure that if I'm using any of those sites that my data is safe (or removed from such sites).
Cyric Zndovzny at your service.
What you are saying is, if I have a door and the lock breaks, it is my fault if I get robbed because I did not change the lock??
The above poster said nothing of the kind. He did not blame the site for getting hacked, he blamed the administrators for not providing enough security. Let me rewrite your analogy.
Yesterday at the local businessman's meeting, security expert Mr. Smith revealed that the cheap, Walmart brand padlocks in use on many stores can be broken into very easily with an ordinary pen. Mr. Smith said that these locks should be replaced and are even in use on the jewelry store down the street where a number of us have our membership rings being resized... and two weeks later the jewelry store is broken into with a pen but someone happened by and the robbers ran away without stealing much.
Would it or would it not be correct to criticize the store owner for not changing the locks, even after they were shown faulty and after the whole group was told that he was using them?
How do we stop people from hacking websites and causing disturbances?
How do we stop people from robbing jewelry stores? Well we make sure the cops enforce the laws and we put in good locks and a security system. Nothing will ever stop all robberies or all cracks, but that does not mean we should not do our best to make any given store or server a hard target. Nor does it mean we should ignore security warnings.
So the solution is to do away with the police and simply build our homes out of 2ft thick titanium. And then when they find a way to cut through that, the news will report it, and then it'll be your fault for not upgrading to diamond plate armor.
If they broke in and the system was properly designed, shouldn't they have what amounts to an /etc/passwd file which they then have to crack? In other words, if you used strong passwords, you should be safer than if you used "Z1ON101" or "secret" as the password?
Not that this by any stretch of the imagination implies that a "strong" password can't be cracked in this situation, just that it's more trouble.
How do we stop people from hacking websites and causing disturbances?
You immediately patch when the coders tell you that it's in your best interests to do so. Regardless of "outdated and wrong thinking" it protects you.
The GP post says there's no excuse, it is not entirely the admins fault, but they could have prevented it. I bet they won't get caught like that again. That's the answer.
I keep hearing about how products like PHP-Nuke, phpBB and now Drupal are quite vulnerable and easily cracked or exploited. Is this caused by inherent flaws within PHP, or is it because of improper installations? If it is because of improper installations, is that because it is extremely difficult or time consuming to properly secure a PHP installation?
I have been considering moving some sites to a PHP-based system for some time now, but after hearing stuff like this I just don't know about PHP anymore.
Cyric Zndovzny at your service.
If I give my valuables to someone who puts them in his unlocked car, and they are subsequently stolen, you can bet I'm going to be pissed at him despite his protestations that he should be allowed to park his car without locking it. We all know the ultimate wrong-doer is the person who broke in. That doesn't excuse the person who was lax in protecting valuables.
So where one encoded password could have many decoded representations?
Transcend Humanity. Please.
Drupal requires security patching, shipped XML_RPC pear library in php vulnerable, phpBB open to spam hacks, phpnuke and derivs allow remote url inclusion for DDOS hackers :: pants as he sends out client update emails and applies patches::
This is just another PHP growing pain. Sysadmins continue to watch the patches. Perl mongers.. "I told you so" is over rated...
My Thoughts, Kyndig
If this was just someones lame "Look at pictures of my puppies" website that held no personal information about anyone and it got hacked, the fault would lie totally with the hacker.
You house other peoples private data, you better be securing the site, or you are negligent.
What you are saying is, if I have a door and the lock breaks, it is my fault if I get robbed because I did not change the lock??
I would hold you responsible. The admin being responsible and the hacker being responsible are not mutually exclusive ideas. If the lock on your door was broken, you knew about it for at least 11 days, you knew that potential thieves knew about your broken lock for at least 11 days, you knew that potential thieves would have a strong motive for breaking in, and you were responsible for something of mine in your house, then I would hold you responsible.
It's the same here. SpreadFirefox knew about the problem with their site for at least 11 days, they knew that potential hackers knew about the exploit for at least 11 days, SpreadFirefox knew that hackers would have a strong motive for hacking in (usernames, passwords, email addresses, etc.), they knew they were responsible for the list of registered users (and various personal information), and they didn't timely fix the problem. Both the hacker(s) and SpreadFirefox are responsible here.
the forces of computing darkness better get the cyberjustice league...
I thought MD5 was irreversible?
---
I started with nothing and I still have most of it left.
Generated by SlashdotRndSig via GreaseMonkey
Why is it that when you believe something it's an opinion, but when I believe something it's a manifesto?
So the owner of the store is at fault for storing his customers valuables somewhere that it is easy to steal?
Is that the kind of laws we want? I know my lock does not work. I take in your valuables to store them. Then someone steals everything, and I am to blame for not replacing the locks?
What if the jewelry store did not want any locks? What if all they wanted was for people to obey the law?
Are we living in a society with no honor? Are we living in a time when everything that is wrong is okay, the "poor me" I did not mean to do it, but it was too tempting?
The only reason I say I don't know what the answer to this problem is, is because the jails are overcrowded as it is. We did not have a lack of respect of other people 50 years ago, in the Leave it to Beaver age. Many fewer people stole, lied, and cheated. So why is it today we have more people who steal, lie, and cheat? Is it the anonymity the internet offers? Or is it the way society is changing, no more norms and standards, no more shame? It seems like every deviant lifestyle is being accepted as normal. Nobody can call a crook a crook anymore, because the crook might sue for pain and suffering.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
It's a bit early to suggest that it was an automated attack. While that is of course a possibility, there has been very little actual information from the SpreadFirefox people. Until they disclose far more information about this attack to the public (which may not happen if they are pursuing this matter via the authorities), it is a false reassurance to suggest that it was only automated and that no data was maliciously stolen.
Cyric Zndovzny at your service.
Are you living in an alternate reality? Or are you just smoking some good shit...
We're not living in a society with no honor. We're living in a society that preys upon naivety, and rightly so.
If you take in other's personal property, and you do nothing to secure that property, then you are negligent and not deserving of trust until you prove you are no longer negligent.
...yes, it would be at least partially your fault for not fixing your lock when you knew about it. Contributory negligence, something like that, at least in a *practical* sense, although not in a strictly legal sense. The real world has bad guys, always has, always will, and to just wish them away is sorta silly, because it just isn't going to happen, ever.
> So the owner of the store is at fault for storing his customers valuables somewhere that it is easy to steal?
If there are consequences for his customers, then yes he may be. It's called negligence, and he could easily be in a lot of trouble for it.
Having said that, you seem to think that this implies a lack of guilt for the robber. It clearly does not. The robber is just as guilty as if the store owner had practiced good security.
The two variables (guilts) are independent.
Throw the bums out!
Then you haven't been reading this site very long, there have been stories about its flaws every month or so. It's not a secure hash.
I am trolling
Why is it no story can be posted about some server vulnerability being exploited without someone very quickly having to make a locked door analogy?
I think that Godwin's law should be expanded to cover this phenomenon.
Creationists are a lot like zombies. Slow, but powerful and numerous. And they all want to eat our brains. - Evilest Doe
Don't you mean ACME?
Exploit they used:
"I found out that there's a "new" drupal exploit which allows posters to inject arbitrary code into the system for execution on the server -by way of comments. The Drupal.org site is presently down, and apparently has been last night. If you're running Drupal 4.5.1 or 4.6.2, turn off your comments. For visitors here, I'm sorry that you presently cannot comment and I'll turn them back on as soon as possible."
http://www.knowprose.com/node/2866
Sample source code of the exploit:
http://www.milw0rm.com/id.php?id=1088
Red Hat Advanced Server 3.0 powers spreadfirefox.com:
Response Headers - http://www.spreadfirefox.com/
Date: Fri, 15 Jul 2005 20:01:52 GMT
Server: Apache/2.0.52 (Red Hat)
This vulnerability has been known for over 2 weeks. Was there no Redhat patch available or did the admins slack off?
Also, isn't it strange how Drupal gets 2 posts on Slashdot in the same day?
Community, OSL and Sun Jump to Drupal's Rescue - http://it.slashdot.org/article.pl?sid=05/07/15/12
-Joe
Assume that the landlord of your apartment building uses ABC, Inc. locks with said flaw, and fails to fix that flaw in a timely manner, despite the fact that the fix is moderately simple and free to implement. You, the tenant, have no ability to apply this change yourself. Now, when the burglars come and exploit that flaw to steal all of your stuff, wouldn't you want to hold the landlord at least partially to blame as well as the burglars?
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
That is extortion. What you are saying is nobody can start an internet business where they have customers data unless they hire a competent administrator?
Say I want to sell the World's Best Cookies, they are homemade by me, nobody else has them. I decide to set up a simple website, use Tomcat and write some code where people enter in their names, addresses and credit card numbers. I don't want to pay for a third company on the web to process the credit cards, I call them all in myself in the morning. But the way my website is set up, all the orders are just appended to a text file on my server. I open that file in the morning, and validate all the orders.
What you are saying is, if someone hacks in and steals that text file with credit card numbers, the store owner would be at fault?
Now let's look at it your way. Instead, I hire an administrator at $75 an hour. He is the cheapest admin with a good work history, an admin that has his MCSE and other certifications that the industry accepts as proving competence. He works for 50 hours setting up my server and website, and also tells me to subscribe to an on-line credit card processing service, but they charge 9% of all transactions, plus a monthly fee. The admin also has a 1 hour per month fee, for maintenance and consulting and keeping my account active.
Do any people know what my cookies would now cost? It would probably cost more for the admin and banks than the flour, butter, sugar, and chocolate chips that go in the cookies. The cost would go way high.
Now, if it was 50 years ago, people would not confuse the issue. There is only one wrong doer, the criminal who steals. It is the theft that is wrong, not the weakness of the target.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
Thanks for the patch, helped a lot. :)
If you run a bank and someone robs it because the bank did not fix a broken lock the bank is ALSO responsible.
The bank did not commit a crime but they have some responsibility. If nothing else a reduction in the trust of its customers.
The same could be said of a website. While not criminally responsible they are at least a little bit responsible.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
The issues are not due to PHP but due to the code being written. If you have stuff like register_globals on, you open a whole slew of possible issues.
But it's not just PHP, it's also the system administrator who runs the server. For example, if there is an issue with the way a php web application issues a system() type command, if the system was setup with SELinux, it wouldn't matter since Apache would be severely limited in what it could read or write.
Regardless of who is to blame, I have seen far too many issues with CMS programs - I just write my own. The only place where I go premade is with forums - I like phpBB. As long as you sit on a mailing list and patch when issues appear, you will be okay.
SearchIRC - Now with live chat directory!
Nah...I like my possessions to make up stories about how bad Republicans are...so it's an ABC, Inc. lock for me!
Crime is lower today in many places in America than it was 50 years ago. Just think of how dangerous a place New York City used to be. Sure, it's still a gritty urban environment, but the city has been drastically cleaned up in our lifetimes.
In every time people have looked back on the past and thought it was better. Even the ancient Greeks believed in a golden age of peace that was lost forever. Life wasn't better with less crime in the "Leave It to Beaver" era, and believing so is the height of naivete.
Actually, you can crack an MD5 hash in less than a minute now.
RTJKJAS
1) Mozilla's the good guys. Microsoft's the evil empire.
Good and evil are completely subjective. Someone pro-Microsoft could think Firefox is the devil incarnate (let's not discuss why someone would be pro-Microsoft and just grant the premise that there could exist a tech savvy zealot with either something against Mozilla or a hard-on for MS)
2) As said in the summary, these guys could get, "real names, web site URLs, e-mail addresses, IM screen names, and home addresses." No credit card information, no bank account numbers, nothing of value other than matching a name&address to a login. Since nobody's sharing any MP3s or warez or doing anything illegal, how does a name&address hurt anybody?
Web site URLs, email addresses, IM screennames = new targets for spamming. If we assume the intruders acted with spamming in mind, electronic contact info of any kind is key.
3) I myself haven't even heard of SpreadFireFox's website until today. It's not a big-name deal. I doubt anybody's going to get their name on CNN for this. So, no publicity beyond Slashdot.
So, why hack SpreadFirefox?
Why do hackers hack anything?
Because they can.
I can't answer the third point directly, but a hacker's motivation is partially driven by "can I do this?"
I really doubt that the passwords were ever vulnerable since SpreadFirefox runs on Drupal and I'm fairly certain that Drupal hashes them (MD5) before storing them in the database. Worst case then would be that people got the hashes and could hack them, but it's quite a chore for a fairly unimportant login (it's not like it's my banking data).
Anyone else get creeped out when big commercial sites don't hash passwords (and can therefore recover them)?
How secure would a hashed password be, if it uses the user name and another key as the salt?
For example, say my username is SoCalChris, and my password is 12345. When it hashes the password, it would hash "SoCalChris12345SomeRandomKey".
Would that be more secure than just using a key, so that all password hashes use the same salt?
I'm thinking that by using the username in the salt, it makes it impossible to do a brute force attack for all users at the same time, but would instead make it so that you have to brute force each account's hash on its own.
Does that make sense, or am I way off?
0a37cdfc8175b5805cd2d5a8d9d9e3ac
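An added example, not from the thread or from Drupal, that builds both tables the question above compares: a global salt (every user hashed with the same key) and the poster's scheme md5(username + password + key). The accounts, "SomeRandomKey" and the banned-password list are constructed; the audit function performs the same hashing a dictionary pass over a stolen table would, so the returned hash count is the cost each salt scheme imposes.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
)

// Account is a constructed sample record; names and passwords are invented for the demo.
type Account struct{ Username, Password string }

var sampleAccounts = []Account{
	{"SoCalChris", "12345"},
	{"alice", "12345"},
	{"bob", "letmein"},
}

// siteKey stands in for the post's "SomeRandomKey": a per-site secret appended to every hash.
const siteKey = "SomeRandomKey"

// md5hex returns the lowercase hex MD5 digest of s. MD5 appears only because it is the hash
// the thread discusses; a current deployment would use a slow, salted password hash instead.
func md5hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// HashGlobalSalt gives every user the same salt: md5(password + key).
func HashGlobalSalt(password string) string { return md5hex(password + siteKey) }

// HashPerUserSalt is the post's scheme: md5(username + password + key).
func HashPerUserSalt(username, password string) string {
	return md5hex(username + password + siteKey)
}

// BuildTable returns username -> stored digest for the sample accounts under one scheme.
func BuildTable(perUser bool) map[string]string {
	table := make(map[string]string)
	for _, a := range sampleAccounts {
		if perUser {
			table[a.Username] = HashPerUserSalt(a.Username, a.Password)
		} else {
			table[a.Username] = HashGlobalSalt(a.Password)
		}
	}
	return table
}

// DuplicateDigests counts accounts whose digest already appears on another row. With a
// global salt, equal passwords give equal digests, so reuse is visible before any guessing.
func DuplicateDigests(table map[string]string) int {
	seen, dups := make(map[string]bool), 0
	for _, d := range table {
		if seen[d] {
			dups++
		}
		seen[d] = true
	}
	return dups
}

// AuditWeakPasswords checks every account against a short banned-password list and returns
// the number of hashes computed plus the accounts found. A dictionary pass over a stolen
// table does exactly this work, so the hash count is the cost the salt imposes on both.
// Global salt: one hash per candidate plus a lookup covers the whole table.
// Per-user salt: one hash per candidate per account; no shared lookup is possible.
func AuditWeakPasswords(table map[string]string, banned []string, perUser bool) (int, []string) {
	hashes, weak := 0, []string{}
	if !perUser {
		byDigest := make(map[string][]string)
		for user, d := range table {
			byDigest[d] = append(byDigest[d], user)
		}
		for _, cand := range banned {
			hashes++
			weak = append(weak, byDigest[HashGlobalSalt(cand)]...)
		}
		return hashes, weak
	}
	for user, d := range table {
		for _, cand := range banned {
			hashes++
			if HashPerUserSalt(user, cand) == d {
				weak = append(weak, user)
			}
		}
	}
	return hashes, weak
}

func main() {
	banned := []string{"password", "12345", "qwerty", "letmein"}
	for _, perUser := range []bool{false, true} {
		table := BuildTable(perUser)
		hashes, weak := AuditWeakPasswords(table, banned, perUser)
		fmt.Printf("perUserSalt=%v duplicates=%d hashes=%d weak=%v\n", perUser, DuplicateDigests(table), hashes, weak)
	}
}
```

With three accounts and four banned passwords the global-salt audit needs 4 hashes, the per-user-salt audit 12, and both find the same three weak accounts; only the global-salt table reveals that two users share a password.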
Or to run out the old line, "Forget about security fixes. Why did the developers write insecure, buggy code to start with?"
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
That is extortion. What you are saying is nobody can start an internet business where they have customers data unless they hire a competent administrator?
No. A better example would be the following: You start up World's Best Cookies. You use some free CMS made by someone else. You are emailed by the author of the CMS that there is an exploit, and that you need to upgrade. You refuse for at least 11 days. In addition, you know that the layout of your site gives away what CMS you are using. You know that the CMS you are using is popular, and you know that lots of other people know about the exploit in your CMS. You know that the credit card information would be valuable to hackers. But you still don't upgrade after 11(!) days.
There was no money transfer here. I also didn't say that it wasn't possible for only the hacker to be responsible in certain situations. But in this particular situation the informed admin should have known that his site was about to be hacked, because he was told this by others for free. It should have been obvious to this experienced admin that his site was about to be hacked. And he still didn't update it after 11 days.
You need to look at crime statistics for the 50's they had much less crime in back then. Now, if you were talking about the late 80's/early 90's, then yes we are safer today. Here is the homicide rate:
http://www.infoplease.com/ipa/A0873729.html
The bug appeared on July 8th only a week ago on his blog. So the well-known and well-publicized part of your argument is questionable. Second, the last patch from Drupal is dated in June 29th, 2005 as of this writing (check their website, Drupal.org), which means there's NO patch available. Their only fixes being disabling the comment section, which might be unacceptable due to the nature Spread Firefox operates.
So stop jumping to conclusions. At least they publicize their attacks. Imagine all those websites you visited by company, how do you know if they got hacked and they never told you?
In US, you can easily buy enough major firearms to wipe out your neighbourhood but a few little fireworks are banned.
Microsoft was seen whistling and acting all too casual while leaving the area.
MadOgre.com
SpreadFirefox uses a variant of Drupal, named CivicSpace. Does that make much difference with patching? Maybe only a few aspects are different. I installed it, I've only noticed just some minor changes, nothing too major really (of course, I spent only a few minutes with it), but personally I'd probably stick to Drupal. Larger community base.
- Teja
A good analogy, but a better one would use a bank instead of a jewelry store.
You're storing other peoples valuables (be it information or money) and have an obligation to do your best to protect it. Free market forces aside, the moral obligation remains.
=======
Science -- Sealed, Delivered.
How would you feel if this was a bank, and the banks NEGLECT allowed hackers to transfer funds from your account?
Now I know this isn't as serious (although with identity theft I guess it could have the potential to be... to start anyway, you'd still need an SSN/SIN #).
It's not your fault for the actions of the hackers... it's your fault for not taking precautions to secure the machines. Doesn't make the hacker any less guilty.
If I can't smoke and swear I'm fucked.
I got the email at 1:52 AM this morning... I'm surprised no one submitted the story until just now.
I think this is the appropriate space (and time) to ask a question that I have not yet been able to figure out how to answer. I'm writing an application which needs to store usernames/passwords of various users, but not to be authenticated into my application. Rather, that data is needed so that the program I am writing could check email on behalf of these users. So essentially, there's a third system (let's call it the GMail POP server) that needs to know the usernames/passwords that I stored for my users. What is the best way that I could store this information in my database and still have it be safely encrypted? If you think about this, you can't really use a one-way hash function... So the best I could come up with is to use a simple XOR function to encrypt the passwords and then for my program to use the same XOR function to get them back, but it's very weak and could be easily guessed. Is there a more powerful way to do what I am trying to do?
--
http://unk1911.blogspot.com/
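The question above asks for reversible storage of third-party mail credentials, which rules out hashing. This added example (not from the thread) shows one answer: an AES-GCM vault whose key is held outside the database, next to the fixed-key XOR scheme from the question for contrast. The Vault type, its method names and the user-id binding are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Vault holds credentials that must be handed back to a third party later (the POP
// mailbox case above), so hashing is out and reversible encryption is required.
// The key stays outside the database (env var, KMS, root-only file): a dump of the
// users table alone then yields only ciphertext, unlike the XOR scheme.
type Vault struct{ aead cipher.AEAD }

// NewVault takes a 16-, 24- or 32-byte AES key (AES-128/192/256).
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead}, nil
}

// Seal returns nonce || ciphertext || tag for storage in one column. The owning
// user id is bound as associated data, so a blob copied onto another user's row
// will not decrypt, and any bit flip in the stored blob is rejected by the tag.
func (v *Vault) Seal(userID, secret string) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, []byte(secret), []byte(userID)), nil
}

// Open reverses Seal; it fails on a wrong key, wrong user id or modified blob.
func (v *Vault) Open(userID string, blob []byte) (string, error) {
	n := v.aead.NonceSize()
	if len(blob) < n {
		return "", errors.New("vault: blob too short")
	}
	pt, err := v.aead.Open(nil, blob[:n], blob[n:], []byte(userID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// XORFixedKey is the scheme proposed in the comment, kept for contrast. Because the
// same key covers every row, c1 XOR c2 == p1 XOR p2, so one known password (an
// attacker's own account, say) exposes the key and with it every other stored password.
func XORFixedKey(key, data []byte) []byte {
	out := make([]byte, len(data))
	for i := range data {
		out[i] = data[i] ^ key[i%len(key)]
	}
	return out
}
```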
The rationale is quite simple: Because they can.
Coderz 4 Life
Less than a minute, eh? That was the MD5 of "I think you're full of bullshit."
You're being a moron. You've got more chance of stopping the sun from rising than you do of catching all the "criminals" who have access to the internet. They're a fact of life, and if you don't realize that, you're living in a fantasy world.
That being the case, it is incumbent upon administrators to secure, monitor, and protect their systems. If they don't do that, sure as hell no one's going to get caught, and it'll happen over and over and over again.
So instead of wishing for pie in the sky or some other such fairy tale, stop whining and secure your damn machines.
Block whole countries? What an extremely bad idea. You know how many evil hackers live in the US and in Europe? Not much of an internet without those two. We could switch to all encrypted connections, which would solve the problem, but cause tons of others, and it's hard to imagine asking regular users to do it. There is, however, a way to stop people from hacking websites... SECURE THEM!
ad logicam: Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Boycott cnet. They are a crappy company and they ruin everything they touch.
TVtome was a completely functional website that brought together volumes of information and opinions, and conveniently organized it all. It was created with literally thousands of man-hours, forming the finest source of information on television on the internet. It was one of the websites, combined with imdb and wikipedia, that proved to me how great the internet was at organizing information. Cnet, in one fell swoop, destroyed all of this.
could potentially have enabled the forces of computing darkness to obtain the username and password of every registered SpreadFirefox user, as well as any other optional information that users may have provided
I argued that this should be a prime reason why OpenID or some other distributed authentication system should start being used on the web. That way, you never have to give any unnecessary sensitive information to any website.
God became man to enable men to become sons of God. -C.S. Lewis
You can't "crack" a hash, by definition. If you could, md5 would be the most incredible compression algorithm ever discovered.
A hash is considered weak if it has collisions: when more than one plaintext results in an identical hash value. Hashes are usually used for verification, so non-unique results are a critical failure.
Attacks against hashed passwords are done by brute force. The mitigation against this attack is to use a salted hash, which adds a few bytes of randomness to the password.
The extra bits of randomness make it exponentially (^16, ^24, ^32, usually) more difficult to pregenerate a hash results dictionary. However, they don't make it any harder to brute force a single password, after the hashed version is obtained.
Given that Spreadfirefox by its very mission had such sensitive information that could have been used to destroy so many users' lives, it is deplorable that the admins were not more tight about security.
KLAATU, BORADA, NIh*ahem*
Ah, yes. Wrong terminology on my part. Thanks for clearing that up.
RTJKJAS
How about this analogy:
There's a "webserver", and this "webserver" is running "software". The people that make the "software" have released a "patch" 2 weeks ago that "fixes" a number of "security holes" in the "software".
Then, the people who run this "webserver" didn't apply the "patch", and "webserver" got "hacked".
The "webserver" was also storing "3rd party contact information"; ergo, the people who run the "webserver" should have applied the "patch" more quickly.
Come on, folks. Every thread on slashdot lately, it seems everyone tries to make analogies, and everyone else is correcting them. We're all geeks; it's not hard to understand the concept of "unpatched webserver gets hacked" or "non-encrypted wireless internet used by passerby", or a hundred other things that seem foreign to the talking heads on CNN's "technology report". We get it. It is what it is.
~Wil
sig?
Okay, you can't "crack" one in that time, but you can get the result of one in that time with a lot of disk space and the proper program which many people probably know and I'm not going to post here. I'll tell you that it does involve matching the hash with a list of possible hashes already stored in tables on your hard drive.
RTJKJAS
We at Diamond Plate Armored Homes Inc. would like to remind you of an amazing offer on our latest 900mm SurroundWall "Better-Than-Cops"(TM) residential security system.
But wait, if you call today, you'll also get 30% off our Enhanced Titanium Adobe-feel roof, providing NSA-grade penetration security in style!
All our products come with built-in machine gun mounts, and are blast and impact proof up to 300 kg of TNT.
When you care about the safety of your family, you protect it with "Armored Homes"!
Call your representative TODAY to take advantage of this great offer!
"Piter, too, is dead."
Which was already addressed: don't use weak passwords. Use one for which the hash won't be pre-stored.
Are we living in a society with no honor? Are we living in a time when everything that is wrong is okay, the "poor me" I did not mean to do it, but it was too tempting?
What you're selling is personal irresponsibility under the guise of personal responsibility.
If I open a bank and leave the place empty and unlocked at night, it is not my fault that people walk in and take all the money. It is their fault.
But it is absolutely my fault that I didn't lock things up securely. There ARE bad people out there. To imagine otherwise is one's own fault - there is more than enough evidence to support that notion. The bank in the example is being irresponsible. It is their fault that they didn't take the appropriate precautions.
I think you need to change the analogy to perhaps put it in slightly better perspective.
Say you purchased a car from Foo Motor Company in 2000. In 2001, they release a "recall" for a brake spring that is faulty. In this recall it states that the part failure may result in the serious malfunction of the braking system and could render the brakes useless. All parts and labor are covered on the repair; just take it to your nearest dealer.
For whatever reason (probably because you are busy) you never take the vehicle to the dealer and have the work done. Then in 2002 you are cruising down the road and a small child runs in front of your car. You slam on the brakes and NOTHING. They just don't work. You smoosh the kid.
Is Foo Motor Company at fault? After all they did warn you and provide a method to fix the problem.
What you are saying is, if I have a door and the lock breaks, it is my fault if I get robbed because I did not change the lock??
The problem is with the criminal who breaks into websites. If I wanted zero security for my website, I should be allowed to have zero security and not have anyone hack in.
Ugh, I am so sick of the never-ending analogies in this friggin place! Try this non-analogous rebuttal on for size:
negligence (n.)
1. The state or quality of being negligent.
2. A negligent act or a failure to act.
3. Law. Failure to exercise the degree of care considered reasonable under the circumstances, resulting in an unintended injury to another party.
All locks are flawed. No security is perfect. Since you chose not to move into Fort Knox, you knew that your security was not perfect. Hence I say you are 120% to blame, since you chose not to move into Fort Knox. See, I'm holding you responsible for stuff stolen from your neighbors, and replacing the lock. If you didn't have all that high priced stuff, the burglars wouldn't have broken in.
Now, here's side B. Admins rush to integrate the fix, but it turns out the fix changes component X's behavior slightly, and erases all your data. Now whose fault is it?
Oh, and side C. When you show up to bitch about how I run my network that you aren't paying for, and that my time is worthless, I get to kick you in the crotch, repeatedly.
My other car is a Popemobile
Q: What do you get when you break a cryptographic hashing algorithm?
A: An excellent compression algorithm.
I hate doing this... but needed.
Get your Unix fortune now!
No, duh. The kid's at fault. Didn't you read the grandparent?
So, Microsoft finds a security hole in their software and releases a patch. Then Sasser or some other virus or worm exploits the hole in unpatched Windows and raids the Internet. Yet this Slashdot community rails against Microsoft for the holes in the first place.
Now take FireFox's open source software based web site. If it has a hole, and it's not patched in time, it's THEIR fault??!! Why can't it be the Windows-users' fault when they don't patch THEIR machines??!
Can't you Slashdot community see that you are being unfair to Microsoft? You blame them for everything, and excuse open source for the very same things! It's alright for open source to have a security hole, because they patch it, and if users of the software don't apply the patch, it's the users' fault. But when MS has a patch, and users don't apply it, it's MS' fault, is it? You hypocrites!
That's not "much less." It's also very much worth pointing out that homicide rate isn't necessarily an accurate index of crime as a whole, and chances are the statistics mentioned don't take into account all sorts of things completely unrelated to the moral state of man that would boost the statistics. Yes, it's bad to rob a store. It's also foolish to leave a store undefended against robbery, and you are responsible if you lose other people's property because of your failure to take appropriate measures against a known threat. Just like if you lost their stuff or exposed it to corrosive materials on accident. You aren't responsible for the robbery, but you are responsible for the loss. Alternatively: You put something in a safety deposit box at a local company. The building burns down / is robbed / blows up / melts / ceases to exist. You want your something back, right? The company which promised to hold it for you owes it back, right?
drupal != linux. There were patches available for 11 days. i don't like to point the blame, ok i lie, but it IS the admin's fault for not patching. If it was an IIS patch the blame would still lie with the admin. He should be aware of publicly known vulnerabilities in the software he runs. It is a community site and I doubt he receives any money from it, so i can't be too harsh. It can be done, but drupal being OSS has nothing to do with this.
Do you know what your cookies would cost after you lost the class-action lawsuit and paid damages to all your ex-customers?
"What you are saying is, if someone hacks in and steals that text file with credit card numbers, the store owner would be at fault?"
HELL YES. If you do something as stupid as putting credit card numbers in a text file with no security, you shouldn't be allowed to have those numbers.
Any transaction implies that the user's information will be held in confidence. If you hand your friend your wallet and ask him to hold on to it while you run into the restroom, wouldn't it be frustrating to come back and see him standing there, wallet on the table next to him, while he has his eyes closed, ears plugged, and sings "lah lah lah"? 50 years ago or not, that's neglecting your JOB, namely securing the individual's belongings.
YES, criminals are responsible for their actions. YES, it would be nice to live in a world where we didn't have to protect ourselves. But in a world where we both have to protect ourselves and have the knowledge and capacity in most cases to do so, we have an OBLIGATION to be smart, ESPECIALLY when handling other people's valuable property.
No, you shouldn't be held guilty of theft. You SHOULD be prosecuted to the fullest extent of the law if you caused someone loss by neglecting to secure their property.
The mentality you are advocating is like saying "We shouldn't repair bridges. In an ideal world, there would be no entropy and no decay and bridges would just stand there, invincible. Since that's the way it should be, we'll pretend that's the way it IS. Therefore, if a bridge falls down, it's gravity's fault. Don't look at us just because we didn't run out there with some duct tape when the pavement started to form ravines."
It's just plain stupid to say what you are saying.
It's called Status Quo VS Best Practice.
Look it up somewhere geessh.
These days they will give trained monkeys any Certs they can pay for.
I'll take someone with best practice depth and breadth experience and no certs over the Cert Monkeys any day.
Just like the access db only geeks pretend to be programmers, so do some alleged security professionals.
And we security professional geeks are tired of the bad image these slackers give us as professional experienced nerds.
The sick thing about spamming is it wouldn't be profitable if people would stop clicking them and actually buying from them. %/ When will people learn.
You see, when a product gets popular, people start the visit the websi...ahhh never mind.
Get back to me when you find your sense of humor.
i bet they were running linux servers...
Life is like a bag of chips: you never know what's next
Speel
At least it isn't a waste of time like your post is. And this one too.
The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
So why not let the spindoctors turn the situation into a positive event. Since the issue is fixed, why not address the usual media and tell everybody that the "Firefox web site is now safer than ever". Others are doing the same and earn billions.
Come on, folks. Every thread on slashdot lately, it seems everyone tries to make analogies, and everyone else is correcting them.
So it's like when you write a book, and something in it is confusing, and then some editor scribbles something less confusing in the margin, but everyone still ends up confused?
I tried to download Firefox 1.05 to my work computer. I got a pop up saying the firewall blocked me and that mirrors.playboy was not an appropriate site!
Religion is the main cause of atheism.
Passwd Composer
n.b. I would have linked the authors website, but it's not responding.
I'm a foundation employee and the guy who wrote the message we sent to Spread Firefox users. A few notes:
(I am a foundation employee, but I am now speaking for myself, not for the foundation.)
You should trust our competency because we almost always stay up-to-date with the latest security updates to all installed software and because we're revising our security plan and procedures to seal up the cracks that this particular software update fell through.
You should trust the foundation's competency because they almost always stay up-to-date with the latest security updates to all installed software and because they are revising their security plan and procedures to ensure that this lapse in the application of security updates does not recur.
Then again, the people who are submitting their personal data to the SpreadFirefox servers assume that it is safe to do so, regardless of whether or not it actually is. It all depends on how you want to place liability - caveat emptor (the users are liable) or negligence liability (the admins are liable).
I am scientifically inaccurate.
On a model 2005 PC, an MD5 hash can be computed in less than a microsecond. A dictionary of 10 million entries can be explored in 10 seconds. Dictionary attacks are really very effective.
And if the site forgot to add a per-user salt for each password, the attacker will be able to essentially break all the passwords "in parallel".
If a password was composed by a user and not randomly generated, then it will be cracked by a well tuned dictionary attack.
It had everything to do with site admins not updating their CMS software after a 10 day old critical bug had been patched.
-- No matter how great your triumphs or how tragic your defeats, approximately one billion Chinese couldn't care less.
So it's like when you write a book, and something in it is confusing, and then some editor scribbles something less confusing in the margin, but everyone still ends up confused?
Exactly.
sig?
Another thing to realize for back then was that people were more willing and equipped to defend themselves. The old using a shotgun to run off a burglar or trespasser. People in the '50's were harder targets in many ways.
That and many crimes just didn't get reported, or were ignored.
I don't read AC A human right
So the owner of the store is at fault for storing his customers' valuables somewhere that it is easy to steal?
Yes. As I recall from my Law professor, "If you take someone's dog for a walk, and it gets hit by a meteor, you ARE responsible for injury to the dog, because you took the dog to a place that was susceptible to meteor showers."
That's pretty much how the system works.
Is that the kind of laws we want?
Um, no. Take that up with your Representative, President, etc.
and I am to blame for not replacing the locks?
Yes.
What if the Jewelry store did not want any locks?
Then he's probably a dumbass. And an optimistic one at that.
What if all they wanted was for people to obey the law?
Aw. How sweet. Wouldn't that be nice. Maybe in Demolition Man. But even that system wasn't quite perfect.
Are we living in a society with no honor?
Um. Yes. Money is our new form of honor. Money and lawyers.
Are we living in a time when everything that is wrong is okay, the "poor me" I did not mean to do it, but it was too tempting?
This kind of reminds me of the story of the guy and the girl that both get wasted and both decide to hook up. For some reason the next morning, the guy is at fault, and the girl is a 'victim'.
Many fewer people stole, lied, and cheated.
Now we have computers, cooler cars, and all in all more cool shit to steal. It's more tempting.
It seems like every deviant lifestyle is being accepted as normal.
Yeah. And it sucks. We need to bring back corporal punishment.
I dunno what to tell you. Life's a bitch.
Partial Credit: The Engineer's Best friend
"Well, the bridge didn't fall all the way down!"
Please... your post is so wrong.
"What you are saying is, if I have a door and the lock breaks, it is my fault if I get robbed because I did not change the lock??"
It is your fault somewhat if you were responsible for other people's things and they trusted you to at least keep up with published problems that your lock was known to have. That trust was there in this case. Does that in any way weaken the guilt that the hacker has? No. Why do you think that just because someone else gets some additional blame it has to be a zero sum game and therefore take away blame from the thief? I'd say you are crazy.
--
WHO ATE MY BREAKFAST PANTS?
You infidel! I'M the Pope. I challenge you to a Deathmatch of Doom (tm) to prove which one of us is the proper pope!
But if MD5 is truly irreversible, and just has a few numbers that can generate each hash, then I figured for passwords they'd do something more like this:
- Generate MD5 hash of the password
- Append that to the end of the password
- Generate a new MD5 hash of that and store it in the passwords file
That way, even if someone accesses the passwords file, they can only get something that generates the last MD5 hash. When they use it in the login form, it won't work like the real password because you need to get through the second step, which a fake password would be very unlikely to do.
Why is it that when you believe something it's an opinion, but when I believe something it's a manifesto?
Generally I don't agree with the users being liable argument... given privacy policies dictate that there is a plan in place.
But looking at the SpreadFirefox site, it's not readily apparent they even have one posted. Which given last week's hullabaloo seems incredulous.
People in cars cause accidents....accidents in cars cause people
Are you serious? Keeping patches "almost always" up to date is a sign of competency? Tell me this is a big motherfucking joke.
It is no wonder this incident happened. You people put yourself in a position with great responsibility, and truth be told, you have failed the entire open source community.
Cyric Zndovzny at your service.
A week in the Internet world is equivalent to centuries offline. A week is far more than enough time for this problem to be known about, and then fixed. One would expect that these individuals would be capable of fixing the situation themselves, even if a patch wasn't immediately available. But expecting them to show some degree of systems administration competency is obviously far too much to expect from them.
Even if they did have to disable the comments temporarily as a last resort, that would be far better than compromising such a massive amount of private data.
And why do you consider the fact that they publicized the attack a mitigating factor in any way? That is what they should have done regardless. It doesn't make them any better because they fucked up severely and told us about it. It just means they were doing exactly what they should have done: admitting their guilt in this matter.
Cyric Zndovzny at your service.
I think an organization that almost always does the right thing, owns up to errors, and makes changes to ensure those errors never recur is competent, yes. I'd much rather trust an organization like that than one which claims to be perfect.
Can you elaborate more on what is being done? I mean, I'd like to see a point-by-point analysis of what exactly went wrong, who failed to act, and what exact steps have been done to remedy the situation.
Will the administrators actually put together such a report once they get everything back on line? Will they be able to show us exactly what they have done to protect our personal information?
This incident reflects very poorly on the entire open source community. The very least those responsible for this fiasco could do is give us an extremely detailed report about the situation.
Cyric Zndovzny at your service.
Normal practice is to just store the MD5 of the password (Well, hopefully salted, but that's a technicality). If MD5 were truly irreversible then that would be enough, there's no way to work out the password from the hash. The way to deal with the flaws in MD5 isn't to MD5 twice, it's to switch to a stronger hash.
I am trolling
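An added example (not from the thread) that puts numbers on the salt argument made in the comments above on salted hashes, per-user salt and breaking passwords "in parallel", and on the reply just above about the double-MD5 scheme: it stores a constructed three-user table under each scheme and counts the hash evaluations a full dictionary pass costs. The schemes, row layout and toy wordlist are assumptions of this example, not SpreadFirefox's code.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// Record is one row of a constructed users table (not SpreadFirefox's schema); all hex strings.
type Record struct{ User, Salt, Hash string }

func md5Hex(s string) string { sum := md5.Sum([]byte(s)); return hex.EncodeToString(sum[:]) }

// Schemes that depend on the password alone, so one precomputed table serves every user:
// "unsalted" is plain md5(password); "double" is md5(password + md5(password)) as proposed above.
var unsaltedSchemes = map[string]struct {
	fn   func(string) string
	cost int // md5 calls per dictionary word
}{
	"unsalted": {md5Hex, 1},
	"double":   {func(pw string) string { return md5Hex(pw + md5Hex(pw)) }, 2},
}

// hashSalted is sha256(salt || password) with a random per-user salt stored beside the hash.
func hashSalted(salt, pw string) string { sum := sha256.Sum256([]byte(salt + pw)); return hex.EncodeToString(sum[:]) }

func newSalt() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil { panic(err) } // crypto/rand, never a fixed value
	return hex.EncodeToString(b)
}

// Constructed toy inputs; a real wordlist has millions of entries.
var Dictionary = []string{"password", "firefox", "letmein", "mozilla", "qwerty"}
var Users = []struct{ Name, Password string }{{"alice", "firefox"}, {"bob", "qwerty"}, {"carol", "x7#Qp!v9Lm@2"}}

// Store returns the rows the site would hold under scheme "unsalted", "double" or "salted".
func Store(scheme string) []Record {
	var recs []Record
	for _, u := range Users {
		if scheme == "salted" {
			s := newSalt()
			recs = append(recs, Record{u.Name, s, hashSalted(s, u.Password)})
		} else {
			recs = append(recs, Record{u.Name, "", unsaltedSchemes[scheme].fn(u.Password)})
		}
	}
	return recs
}

// DictionaryCost counts the hash evaluations needed to test every dictionary word
// against every leaked row, and how many passwords that full pass recovers.
func DictionaryCost(scheme string, recs []Record) (hashes, recovered int) {
	if scheme == "salted" {
		// Salts differ per row, so there is no shared table: each word is re-hashed per user.
		for _, r := range recs {
			for _, w := range Dictionary {
				hashes++
				if hashSalted(r.Salt, w) == r.Hash {
					recovered++
				}
			}
		}
		return
	}
	s := unsaltedSchemes[scheme]
	table := map[string]bool{} // built once, then reused against every row ("in parallel")
	for _, w := range Dictionary {
		table[s.fn(w)] = true
		hashes += s.cost
	}
	for _, r := range recs {
		if table[r.Hash] {
			recovered++
		}
	}
	return
}
```

With five words and three users the salted pass costs 15 hashes against 5 (or 10) for the table-based schemes, and the gap grows with the user count; the two weak passwords still fall under every scheme, which is the thread's other point about salt.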
I really can't stand registering at every cockamamie web site left and right, just to see the info, or interact with the info. Every time you use a password, or have to remember a password, you are giving someone the enticement of a lock to break, and one more burden for yourself. One day, you are going to use some easy to remember toss-off of a password with someplace that has some real info and financial stake tied into it. Of course, the registration keeps away the riff raff that would NOT register, and abuse the site that way. And unfortunately, if it comes back to burn anybody, it doesn't come back to burn the web site that needlessly asked for too much info in the first place; it burns the users of that site. Well, maybe a bit of bad publicity might be spread for the site, but really, like that actually hurts.