SpreadFirefox Security Breached (again)
Kurt writes "The hugely popular SpreadFirefox project, a Firefox community marketing site, has recently fallen victim to a security breach in their TWiki software. This breach has forced the site to shut down until October 19th. During this time, they will be performing a rebuild of the SpreadFirefox system, to hopefully curb more security breaches."
I noticed this message yesterday. I was wondering what it was about. Where did slashdot get this info? I didn't see it on Mozilla's web site yesterday.
Bradley Holt
... venting frustration over seeing their office business go down the drain!
:-)
-Yogix
OSS isn't inherently any more secure than proprietary software. It's just that the nature of the typical OSS developer vs a corporation means that the OSS organization is more transparent when bad things do happen. It doesn't mean that the security breach didn't already happen, though.
Rex is 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
No reassurances this time that no personal data was stolen? Last time they made damn sure to point out that everyone's data was safe but it seems this time they've not told us about that. Could the hackers have a nice big list of email addresses to spam now?
It says the site is down until the 15th not the 19th...
Hey, things happen. And this isn't firefox we're talking about yet, so it doesn't matter.
To: announce@spreadfirefox.com
From: admin@spreadfirefox.com
Subject: Spread Firefox Security Notice
The Spread Firefox Team became aware this week that the server hosting
Spread Firefox, our community marketing site, has been accessed by
unknown remote attackers who attempted to exploit a security
vulnerability in TWiki software installed on the server. The TWiki
software was disabled as soon as we were aware of the attempts to access
SpreadFirefox.com. This exploit was limited to SpreadFirefox.com and
did not affect mozilla.org web sites or Mozilla software.
We have scanned Spread Firefox servers and at this time do not believe
any sensitive data was taken, but as a precautionary measure we have
shut down the site and will be rebuilding the web site from scratch. We
also recommend that you change your Spread Firefox password and the
password of any accounts where you use the same password as your Spread
Firefox account. We will notify you again when the site is back up with
instructions on how to change your password. (Note: We do use MD5
hashing on the passwords, but MD5 cannot protect all passwords against
off-line dictionary style attacks.)
After Spread Firefox was compromised in July, we instituted procedures
to ensure that we apply all security fixes to the software running the
site (Drupal and PHP) as soon as they become available. Unfortunately,
those procedures overlooked the installation of the TWiki software since
it is not used by the main Spread Firefox site. When the system is
rebuilt, all the software will be audited to ensure that security
updates will be applied in a timely manner. We deeply regret this
incident and any inconvenience this may have caused you. Sincerely,
Spread Firefox Team
Mozilla Foundation
Posted by CmdrTaco on Wednesday December 31, @09:00PM
I think Slashdot editors have finally gone off the deep end.
I was wondering who beat me out of the time machine on Ebay.
Don't forget the crystals Taco! THE CRYSTALS!
Fractured Element
And soooo many people think that Mozilla is inherently safer, the people who develop it and revolve around it and so on the most saintly perfect people...
Wake up kids. They're as fallible as anyone at Microsoft and things like this will happen. Whether it is the browser or the websites hosting or the wikis, or whatever, mistakes are going to be made and patches and corrections will need to be done.
Microsoft isn't the only imperfect group of people out there. Everything is as vulnerable as the weakest link: the humans involved. Self-righteousness egged on by zealots can only weaken the link.
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
It's not Mozilla software that got hacked. If it's indeed the Wiki part, then it's the MediaWiki software, which is also open source but has nothing to do with Mozilla or Firefox. Either way, that web site is very user based where tons of tools were hosted for the community like public forums and freely editable wikis, so it's not surprising that some of them may have issues. Until the actual mozilla.org site gets hacked, which I highly doubt it will ever happen, there's nothing to worry about.
I would have thought somebody who actually knows what Opera is would know the difference between that thing and that other thing . . . . . . .
Yeah, that totally sucks, man. Turnabout is most certainly NOT fair play. Overreaction, FUD, and political spin of vulnerabilities is OUR turf, and those MS boys should just STFU right now.
Shutting your corporate website down for 2 weeks?
Oh no! They breached Twiki...again!* Buck Rogers is going to be so upset.
*And NO I don't want to know where he was breached. Some things are private.
While the "but open source is supposed to be more secure!" trolls will open their mouths about how this is evidence we're wrong - it's not.
All software and therefore all websites contain vulnerabilities.
The advantage of OSS is that these security holes are fixed promptly.
Thanks to someone posting the original email announcement we know that this breach was due to poor server administration in that they didn't keep their software patched up to the latest version. This vulnerability is probably fixed in the latest TWiki releases being that someone is out there exploiting it.
If you cannot keep politics out of your moderation remove yourself from the Mod Lottery.. NOW!
Look at this! Now they're even taunting us by appending "(again)" to the duplicate subject entries!
Do you like German cars?
I also recently had my TWiki-based wiki farm broken into, for the 3rd time in 4 years, despite trying to stay up to date at least with Debian releases. Fortunately, I had each wiki set up to run suexec as an individual user, so the damage was reasonably well contained.
Since TWiki's security problems seem intractable (giant Perl codebase that's very difficult to audit and doesn't seem to have been designed to handle security) I decided that enough is enough and followed freedesktop.org's lead in moving the whole farm to MoinMoin. MoinMoin is written in Python rather than Perl, and seems to be better thought out in terms of security, although I had to hack up the source some to get what I wanted. Some open source migration tools will be made available shortly.
I wouldn't recommend to anyone that they run a publicly-viewable TWiki installation at this point.
someone is scared. Very very scared!
Scott McNealy to Michael: "Suck my Sun!" Michael Dell to Scott : "Lick my Dell!"
Um, it's news. Unless you think these sorts of things should be swept under the rug to feed your "PR fight?"
what does watching an opera have to do with t he interweb thingy?
:)
Look out, I gotta go back to clicking up a storm. They are paying me to surf now
and ended up having to use google cache's of the pages I needed to read. Oh well. Poor SFF.
The Doormat
If you're not outraged, then you're not paying attention.
Cheers
"I wouldn't recommend to anyone that they run a publicly-viewable TWiki installation at this point."
Actually the only one really taking a PR hit as it were, is Perl. Perl: the insecure language.
--
The "are you a script" phrase for today is sympathy for Perl.
That would constitute vacation, something of which I have not been familiar with in some time. So, no, I cannot imagine that.
Click here or here.
And I'm not trolling or insinuating anything, I'm genuinely asking.
Does TWiki even use taintperl? Not that that provides much more than minimal security help anyway.
http://lkml.org/lkml/2005/8/20/95
Mod -5: showing the hypocrisy inherent in the system.
Come see the hypocrisy inherent in the system!
isn't that Firefox is more secure than Internet Explorer or Mozilla is infinitely better than Microsoft. Both are hackable and exploitable. The difference is in their response. When something happens at Microsoft, it's not announced until significantly after the fact and it takes forever for them to do something about it. Mozilla's response is to immediately shut down their site and rebuild it from scratch to be certain there is nothing left to exploit and get everything taken care of. I can't imagine Microsoft ever taking anything down to fix it; they would feel that too much revenue would be lost.
In class and barely paying attention :-P The subject should be: The difference between Mozilla and Microsoft
*cough* Feel free to mod me down for typos :-\
And then we say that OpenSource software is easier to secure, manage and maintain?
It is. It doesn't mean you can't find lazy admins using it, or sloppy software engineers writing it. That's the difference between necessary and sufficient conditions.
.... Likely a Microsoft employee. These days, they'll do anything to avoid a flying chair.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
read the message more carefully. It was a security breach with Twiki. This is not a mozilla product. This is an open source project they are using.
everybody is expressing concern, instead of derision --- oh wait, it's not microsoft that fucked up!
NOOOOOOOOOO...
o well.
This stuff is happening so much these days I don't think it really should be considered 'news'.
Sure, it's sad we have reached this point, but it's a sign of society in general.
When was the last time a home break-in was on the front page of the paper? ( unless it was someone 'special' of course.. )
Crime has just become part of the 'background noise' in life today.. Almost like the world of marketing has..
---- Booth was a patriot ----
What on earth is it about perl that makes it any less secure than python? I've seen some doozies in python caused by people casually encoding object.repr() into a link parameter and then eval()'ing it on the webserver when someone clicks on the link.
Perl, not having a default repr() method that spits out eval()-able code, doesn't encourage that particular brand of insecurity. Also, one would think that taint mode would prevent many similar web programming bugs. (No, taint mode isn't a panacea, but it's better than nothing.)
And yet, I'll agree that the press for perl has lately been exceedingly bad. What's going on here?
((The particular commercial python application referenced above was still doing this last I checked, only now they use some homegrown encryption scheme on the repr() bit and tag each link with a checksum of the included data and the session id. They aren't using a real stream or block cipher (the same characters in the same string position always map to the same characters, regardless of what precedes or follows), and the checksum appears to be only 16 bits, so they're still moderately insecure, but I haven't gone through the exercise of cracking it. At least it's no longer a big huge red flashing light saying "hack us here; we're flamingly insecure".))
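As an added illustration of the repr()/eval() link-parameter pattern the comment above describes (example code written for this page, not from the application, TWiki or any project discussed here; the key, session id and state values are constructed): the unsafe decoder beside one that serializes the state as JSON and binds the parameter to the session with an HMAC, so a tampered or replayed link is rejected before anything is parsed.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the demo only; a real deployment keeps the key server-side.
SECRET_KEY = b"demo-secret-key-constructed-for-this-example"
SESSION_ID = "session-1234"


def legacy_encode(state):
    """The pattern described in the comment: repr() of an object into a link parameter."""
    return repr(state)


def legacy_decode(param):
    """eval() of a link parameter: the client controls what the server executes."""
    return eval(param)  # shown only as the 'before'; decode_link_state() is the fix


def _tag(payload, session_id, key):
    # HMAC over session id and payload, so a parameter from one session is
    # rejected in another and any change to the payload breaks the tag.
    msg = session_id.encode() + b"\x00" + payload
    return hmac.new(key, msg, hashlib.sha256).hexdigest().encode()


def encode_link_state(state, session_id, key):
    """Serialize state as canonical JSON and append an HMAC-SHA256 tag."""
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload + b"." + _tag(payload, session_id, key)).decode()


def decode_link_state(param, session_id, key):
    """Verify the tag in constant time, then parse JSON. Returns None on any failure."""
    try:
        raw = base64.urlsafe_b64decode(param.encode())
        payload, sep, tag = raw.rpartition(b".")  # the hex tag never contains '.'
        if not sep or not hmac.compare_digest(tag, _tag(payload, session_id, key)):
            return None
        return json.loads(payload)  # data only: no code can be smuggled in
    except (ValueError, TypeError):
        return None
```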
... the counter is still up. With less than 5 million to go before 100,000,000, I don't want to miss the final tick as it goes by.
Just blame it on Microsoft and move on next topic...as usual on slashdot!
and
I was assured by a Mozilla Foundation employee, even if he was speaking for himself and not the foundation, that an incident like this would not happen again.
Frankly, in the world of computer security and server administration, I'd say two strikes are more than enough. Perhaps it is time to get rid of those who cannot maintain a server properly, and protect the data of many thousands of users.
Perhaps it's even time for a public inquiry into this matter. We need to know the name of the person(s) who is/are responsible for these numerous lapses. We need accountability. While an open source project does need all the help it can get, it does not need help that leads to the data of so many users being compromised.
While I am an ardent open source supporter, I will not use Mozilla products until people are held responsible for these mistakes. I will stick to Konqueror and Opera, thank you.
Cyric Zndovzny at your service.
You act like it's exemplary of them to alert their users to security breaches that may have compromised those users' data, just because many commercial entities won't do that. I'd say that's an incorrect attitude to take.
SpreadFirefox isn't any better off for alerting the community to these incidents. They're just doing what they should be doing. It's those who do not send out alerts who are truly the awful ones.
Sending out this alert does not right the situation, however. Since this isn't the first incident, it is time for an inquiry to be held. We need to know the names of the people who are responsible for this incident. Taking decisive action like that will give Mozilla true credibility.
Of course, open source projects need all the help they can get. But they don't need help in the form of compromised servers. Sometimes it's better to go without than to go with that which is harmful.
Cyric Zndovzny at your service.
After the last incident I was promised by a Mozilla Foundation employee, even if not talking on behalf of the foundation, that steps were being taken to prevent such incidents from ever happening again (let alone a few months later).
Please see the Slashdot comments:
http://it.slashdot.org/comments.pl?sid=155997&cid=13079208
http://it.slashdot.org/comments.pl?sid=155997&cid=13079261
We were promised that this would not happen again. Yet it did.
Cyric Zndovzny at your service.
SpreadFirefox Security Breached (again)
Posted by CmdrTaco on Wednesday December 31, @08:00PM
None of the other posts have the wrong date...and the date is corrected once you enter the story. Bizarre.
In Croatia, artist Sinisa Labrovic has launched a satire of reality shows, starring sheep instead of people. After a 10-day competition, the winning sheep will be honored with poetry. The losers will be eaten.
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
The TWiki community has a well established security alert process, summarised at TWikiSecurity. The security team acted very quickly on the last incident, as documented in the timeline.
Like other web based software, TWiki is safe to use on public sites if site administrators establish the right security process and act quickly on an incident.
While it is certainly easy to use regular expressions in this manner to produce code that qualifies as poor engineering from a security standpoint, the regular expressions that SpreadSheetPlugin uses are actually simple enough to be easily verifiable, or would be if they reduced their excessive use of backslashes down to something readable.
For instance, I would rewrite the first half of their safeEvalPerl subroutine as:

I will admit that the excessive use of eval elsewhere in that module (why are they using the string form of eval, and not the block form?) gives me the security heebie-jeebies. Every spot I found was good, but I had to check too closely.
In your "For Developers" section I would add these suggestions:
Just proves that good coders make lousy SysAdmins. They should stop futzing around and get someone who actually knows how to run a secure infrastructure.
Besides that, the codebase got a complete overhaul for better maintenance and stability. Installing it is a breeze with the new configure script!
Beta 2 is already out (http://twiki.org/cgi-bin/view/Plugins/TWiki), is rock solid and best of all SAFE! We decided 2 months ago that it is stable, and so our customers already run TWiki-Dakar with its new security features.
The site is on fire.
If you can read this, I forgot to post anonymously.
I work for Microsoft, and we did it. Ha ha ha ha haaaaaah.
We're gonna have this new stuff called RSS in the next IE, you should get it. we pwned j00!
Summary contains factual error. SpreadFirefox runs (ran?) on Drupal, not TWiki.
my stream of consciousness
I blame Kevin Mitnick. Or that Mumia guy. Probably Kevin Mitnick.
There is little, if any, thought given to security by Wiki software developers. Honestly, almost all (if not all) Wiki's are just a great big hole waiting to be exploited.
It's a big black mark for the Firefox team that they really aren't paying enough attention to the basic concepts of security. This potential hole should have been blatantly obvious to anyone calling themselves security conscious. And appropriate steps should've been taken so that when (not if) the Wiki was exploited, it shouldn't have resulted in the current fiasco.
I'm a big fan of Firefox, but this is a big screwup. It would give me some confidence in the Firefox team if they acknowledged it as such.
I'm also willing to bet that the so-called auditing will still let in another attack. It takes a certain mindset to do security right; and I don't see that mindset yet.
I do wish them luck, however. But luck won't make a system secure.