SpreadFirefox Security Breached (again)
Kurt writes "The hugely popular SpreadFirefox project, a Firefox community marketing site, has recently fallen victim to a security breach in their TWiki software. This breach has forced the site to shut down until October 19th. During this time, they will be performing a rebuild of the SpreadFirefox system, to hopefully curb more security breaches."
I noticed this message yesterday. I was wondering what it was about. Where did slashdot get this info? I didn't see it on Mozilla's web site yesterday.
Bradley Holt
... venting frustration over seeing their office business go down the drain!
:-)
-Yogix
OSS isn't inherently any more secure than proprietary software. It's just that the nature of the typical OSS developer vs a corporation means that the OSS organization is more transparent when bad things do happen. It doesn't mean that the security breach didn't already happen, though.
Rex is 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
No reassurances this time that no personal data was stolen? Last time they made damn sure to point out that everyone's data was safe but it seems this time they've not told us about that. Could the hackers have a nice big list of email addresses to spam now?
It says the site is down until the 15th not the 19th...
Hey, things happen. And this isn't firefox we're talking about yet, so it doesn't matter.
It's not Mozilla software that got hacked. If it's indeed the Wiki part, then it's the MediaWiki software, which is also open source but has nothing to do with Mozilla or Firefox. Either way, that web site is very user based where tons of tools were hosted for the community like public forums and freely editable wikis, so it's not surprising that some of them may have issues. Until the actual mozilla.org site gets hacked, which I highly doubt it will ever happen, there's nothing to worry about.
I would have thought somebody who actually knows what Opera is would know the difference between that thing and that other thing . . . . . . .
Shutting your corporate website down for 2 weeks?
While the "but open source is supposed to be more secure!" trolls will open their mouths about how this is evidence we're wrong - it's not.
All software and therefore all websites contain vulnerabilities.
The advantage of OSS is that these security holes are fixed promptly.
Thanks to someone posting the original email announcement we know that this breach was due to poor server administration in that they didn't keep their software patched up to the latest version. This vulnerability is probably fixed in the latest TWiki releases being that someone is out there exploiting it.
If you cannot keep politics out of your moderation remove yourself from the Mod Lottery.. NOW!
Look at this! Now they're even taunting us by appending "(again)" to the duplicate subject entries!
Do you like German cars?
I also recently had my TWiki-based wiki farm broken into, for the 3rd time in 4 years, despite trying to stay up to date at least with Debian releases. Fortunately, I had each wiki set up to run suexec as an individual user, so the damage was reasonably well contained.
Since TWiki's security problems seem intractable (giant Perl codebase that's very difficult to audit and doesn't seem to have been designed to handle security) I decided that enough is enough and followed freedesktop.org's lead in moving the whole farm to MoinMoin. MoinMoin is written in Python rather than Perl, and seems to be better thought out in terms of security, although I had to hack up the source some to get what I wanted. Some open source migration tools will be made available shortly.
I wouldn't recommend to anyone that they run a publicly-viewable TWiki installation at this point.
Um, it's news. Unless you think these sorts of things should be swept under the rug to feed your "PR fight?"
Actually, it's Rogers (no "d"). From Wikipedia,
OK, let's have a show of hands: how many of you guys around here do this as well?
Come on...
what does watching an opera have to do with the interweb thingy?
:)
Look out, I gotta go back to clicking up a storm. They are paying me to surf now
and ended up having to use google cache's of the pages I needed to read. Oh well. Poor SFF.
The Doormat
If you're not outraged, then you're not paying attention.
But this isn't the Mozilla project. And Mozilla is inherently safer than IE.
Why? Because Mozilla isn't part of the OS. Exploits in IE have tended to open up the entire OS to virus and malware. Exploits in Mozilla tend to crash Mozilla. Same thing with Outlook and Thunderbird.
Finally to answer this statement of yours
"Wake up kids. They're as fallible as anyone at Microsoft and things like this will happen. Whether it is the browser or the websites hosting or the wikis, or whatever, mistakes are going to be made and patches and corrections will need to be done."
If you look at the spreadfirefox.org website you will see this statement "This site is not connected to the Mozilla Foundation"
So... your point is? The cracking of this website that is not connected to the Mozilla Foundation proves what????
I agree that Mozilla is not perfect just better than IE.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
The difference is that (in theory) Mozilla and other open source projects have far more developers that can fix problems as they occur far faster, and have no commercial motive to suppress vulnerability reports. This means that, in theory, Mozilla's bugs will not only be fixed faster, but reported to the public faster so they'll know to be particularly vigilant in watching for attacks. The net result is an overall more secure experience with a popular open source project than with a commercial product.
This stuff doesn't tend to work as well when an open source project only has one or two developers willing to fix problems, but with an enormously popular project like Firefox, it has worked very well.
Right. Of course.
Because the guys behind Mozilla/Firefox are clearly the same people as those who write TWiki, right? And the guys who run the Firefox marketing site are clearly exactly the same guys who do the hardcore browser development too.
I'm all for pointing out when anyone fucks up, regardless of if they're saintly Firefox developers or "t3h evil 0ne5" at Microsoft. Nevertheless, if we're going to start pointing fingers at anyone and scoring cheap points, can we at least make sure it's, y'know... their fault?
Short-sightedly knee-jerking and implying a marketing-run website crack is in any way a reflection of the security of an entirely separate developer-run product is just as bad as the people you're having a go at that think FL/OSS developers' shit smells of roses.
Everything in moderation, including moderation itself
That would constitute vacation, something with which I have not been familiar in some time. So, no, I cannot imagine that.
Click here or here.
And I'm not trolling or insinuating anything, I'm genuinely asking.
Does TWiki even use taintperl? Not that that provides much more than minimal security help anyway.
http://lkml.org/lkml/2005/8/20/95
isn't that Firefox is more secure than Internet Explorer or Mozilla is infinitely better than Microsoft. Both are hackable and exploitable. The difference is in their response. When something happens at Microsoft, it's not announced until significantly after the fact and it takes forever for them to do something about it. Mozilla's response is to immediately shut down their site and rebuild it from scratch to be certain there is nothing left to exploit and get everything taken care of. I can't imagine Microsoft ever taking anything down to fix it; they would feel that too much revenue would be lost.
In class and barely paying attention :-P The subject should be: The difference between Mozilla and Microsoft
*cough* Feel free to mod me down for typos :-\
.... Likely a Microsoft employee. These days, they'll do anything to avoid a flying chair.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
Only when followed by "... that's all folks!"
In the mid-1950's, Zenith engineers created the first wireless TV remote control, eliminating the need to have a child.
This stuff is happening so much these days I don't think it really should be considered 'news'.
Sure, it's sad we have reached this point, but it's a sign of society in general.
When was the last time a home break-in was on the front page of the paper? ( unless it was someone 'special' of course.. )
Crime has just become part of the 'background noise' in life today.. Almost like the world of marketing has..
---- Booth was a patriot ----
What on earth is it about perl that makes it any less secure than python? I've seen some doozies in python caused by people casually encoding object.repr() into a link parameter and then eval()'ing it on the webserver when someone clicks on the link.
Perl, not having a default repr() method that spits out eval()-able code doesn't encourage that particular brand of insecurity. Also, one would think that taint mode would prevent many similar web programming bugs. (No, taint mode isn't a panacea, but it's better than nothing)
And yet, I'll agree that the press for perl has lately been exceedingly bad. What's going on here?
((The particular commercial python application referenced above was still doing this last I checked, only now they use some homegrown encryption scheme on the repr() bit and tag each link with a checksum of the included data and the session id. They aren't using a real stream or block cipher (the same characters in the same string position always map to the same characters, regardless of what precedes or follows), and the checksum appears to be only 16 bits, so they're still moderately insecure, but I haven't gone through the exercise of cracking it. At least it's no longer a big huge red flashing light saying "hack us here; we're flamingly insecure".))
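The two patterns this comment criticises, repr() state echoed back through eval() and a homegrown cipher with a 16-bit checksum, side by side with a hardened form. This is an added example written for this page; it is not the commenter's code or the unnamed application's code. Every name in it (the key, the state dictionary, the session id, the function names) is a constructed placeholder. The hardened path serialises the state as JSON and authenticates it with an HMAC-SHA256 tag keyed on a server secret and bound to the session id, so a modified payload or a tag replayed into another session is rejected before anything is parsed; where repr() output genuinely must be read back, ast.literal_eval accepts literals only and refuses calls, names and attribute access.

```python
"""Constructed example: client-visible page state, insecure and hardened.

Contrasts a repr()/eval() round trip with a JSON payload authenticated by
an HMAC over (payload, session id).  All names are hypothetical.
"""
import ast
import hashlib
import hmac
import json
from urllib.parse import quote, unquote

# Hypothetical server-side secret; a real deployment loads it from config,
# never from source.  The HMAC tag is 256 bits, not a 16-bit checksum.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def encode_state_insecure(obj):
    """The pattern criticised in the comment: repr() pasted into a link."""
    return quote(repr(obj))


def decode_state_insecure(param):
    """eval() runs whatever expression comes back in the link parameter,
    not just the literal the server put there.  Vulnerable by design,
    kept here only for contrast."""
    return eval(unquote(param))


def parse_literal(text):
    """Drop-in where repr() output must be read back: literals only.
    Calls, names and attribute access raise ValueError instead of running."""
    return ast.literal_eval(text)


def _tag(payload, session_id):
    """Keyed HMAC-SHA256 over the payload and the session id it belongs to.
    The NUL separator keeps (payload, session) pairs from colliding."""
    msg = payload + b"\x00" + session_id.encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def encode_state(obj, session_id):
    """Serialise state as compact JSON and append its tag: '<payload>.<tag>'."""
    payload = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return quote(payload.decode()) + "." + _tag(payload, session_id)


def decode_state(param, session_id):
    """Verify the tag in constant time before parsing anything."""
    try:
        encoded, tag = param.rsplit(".", 1)  # the hex tag contains no '.'
    except ValueError:
        raise ValueError("malformed state parameter")
    payload = unquote(encoded).encode()
    if not hmac.compare_digest(_tag(payload, session_id), tag):
        raise ValueError("state tag mismatch: tampered or wrong session")
    return json.loads(payload)


def raises_value_error(func, *args):
    """Helper for demonstrations: True if func(*args) raises ValueError."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample state carried in a link, bound to one session.
    state = {"page": 3, "query": "fire.fox"}
    token = encode_state(state, "sess-1")
    print("round trip:", decode_state(token, "sess-1") == state)
    print("other session rejected:", raises_value_error(decode_state, token, "sess-2"))
    print("eval runs calls:", decode_state_insecure("max(1,%202)"))
    print("literal_eval refuses calls:", raises_value_error(parse_literal, "max(1, 2)"))
```

The insecure decoder is included only to make the difference observable: handed a link parameter that is an expression rather than the literal the server emitted, eval() evaluates it, while ast.literal_eval raises. Binding the tag to the session id is what the comment describes the application attempting with its checksum; doing it with a keyed 256-bit MAC and a constant-time comparison removes both the guessable 16-bit tag and the position-by-position mapping the comment points out.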
... the counter is still up. With less than 5 million to go before 100,000,000, I don't want to miss the final tick as it goes by.
You act like it's exemplary of them to alert their users to security breaches that may have compromised those users' data, just because many commercial entities won't do that. I'd say that's an incorrect attitude to take.
SpreadFirefox isn't any better off for alerting the community to these incidents. They're just doing what they should be doing. It's those who do not send out alerts who are truly the awful ones.
Sending out this alert does not right the situation, however. Since this isn't the first incident, it is time for an inquiry to be held. We need to know the names of the people who are responsible for this incident. Taking decisive action like that will give Mozilla true credibility.
Of course, open source projects need all the help they can get. But they don't need help in the form of compromised servers. Sometimes it's better to go without than to go with that which is harmful.
Cyric Zndovzny at your service.
After the last incident I was promised by a Mozilla Foundation employee, even if not talking on behalf of the foundation, that steps were being taken to prevent such incidents from ever happening again (let alone a few months later).
Please see the Slashdot comments:
http://it.slashdot.org/comments.pl?sid=155997&cid=13079208
http://it.slashdot.org/comments.pl?sid=155997&cid=13079261
We were promised that this would not happen again. Yet it did.
Cyric Zndovzny at your service.
The TWiki community has a well established security alert process, summarised at TWikiSecurity. The security team acted very quickly on the last incident, as documented in the timeline.
Like other web based software, TWiki is safe to use on public sites if site administrators establish the right security process and act quickly on an incident.
If you look at the spreadfirefox.org website you will see this statement "This site is not connected to the Mozilla Foundation"
So... your point is? The cracking of this website that is not connected to the Mozilla Foundation proves what????
Just FYI, the hacked site under discussion is www.spreadfirefox.com which is "the official Mozilla site for Spreading Firefox". The .org you quoted looks to be someone's unaffiliated contribution to the spreading effort.
While it is certainly easy to use regular expressions in this manner to produce code that qualifies as poor engineering from a security standpoint, the regular expressions that SpreadSheetPlugin uses are actually simple enough to be easily verifiable, or would be if they reduced their excessive use of backslashes down to something readable.
For instance, I would rewrite the first half of their safeEvalPerl subroutine as:
I will admit that the excessive use of eval elsewhere in that module (why are they using the string form of eval, and not the block form?) gives me the security heebie-jeebies. Every spot I found was good, but I had to check too closely.
In your "For Developers" section I would add these suggestions:
Besides that, the codebase got a complete overhaul for better maintenance and stability. Installing it is a breeze with the new configure script!
Beta 2 is already out (http://twiki.org/cgi-bin/view/Plugins/TWiki), is rock solid and best of all SAFE! We decided 2 months ago that it is stable and so our customers already run TWiki-Dakar with its new security features
The site is on fire.
If you can read this, I forgot to post anonymously.
Summary contains factual error. SpreadFirefox runs (ran?) on Drupal, not TWiki.
my stream of consciousness
Yea I noticed that after I posted. Is spreadfirefox.com owned and run by the Mozilla foundation?
BTW since the problem was in a piece of software on the site that was not written by the Mozilla foundation my comment still stands that it proves nothing about the quality and security of Mozilla.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
What makes you think that just because you've decided to use an open source product that they "own" you anything? I say you owe them!
It doesn't sound to me like you are an ardent OSS supporter - you don't seem to understand what it's about at all. I'll give you fanboy, though.
TODO: come up with a clever sig
They owe us all a full investigation into this matter. We need the name(s) of the person/people who failed to keep these servers updated. Why? Well, the SpreadFirefox site first needs to show that they take security seriously, especially after these numerous breaches. Thus they need to stop letting these people maintain their servers. Second, we all need to know who these people are so that we never have any serious business relationships with them. They are obviously unfit to run servers.
Cyric Zndovzny at your service.
I'm going to ravage your mother.
Brent Jones
"I'm going to ravage your mother."
You go ahead and do that. But don't forget to bring a shovel. You'll need it to dig her rotten corpse out of the ground.
Cyric Zndovzny at your service.
"If the headline had read "Get Internet Explorer website hacked... Again!" you and everyone else on Slashdot would have been all over Microsoft."
First, I would not have. You presume too much.
Secondly, I would have, however, stood by anyone who wanted to bash Microsoft for their lax patching schedule. Likewise, feel free to bash The SpreadFirefox crew for their lack of admin skills.
However, if someone had tried to imply that someone cracking a Microsoft site through a third-party application was in any way a reflection of the security of their browser, I would have told them to shut up and cease their twattery, just as I invited the GP to, and just as I invite you to now.
Had someone cracked a Microsoft site using a hole in IIS (a Microsoft product) I would have had more sympathy, since this is comparing apples with apples. I would not have weighed in, but I would not have had a go at them either.
Just out of interest, what part of "I'm all for pointing out when anyone fucks up, regardless of if they're saintly Firefox developers or "t3h evil 0ne5" at Microsoft." did you not understand?
For additional clarity, the bit about "t3h evil 0ne5 at Microsoft" is in quotes because I was being sarcastic, satirising the very childish partisan mindset you both accuse me of and demonstrate yourself.
Short version:
Company X suffers a crack because of a security hole in their own software?
This casts doubt on their ability to produce secure software.
Company X suffers a crack because of a security hole in an unrelated product?
This casts a little doubt on their ability to produce secure software of the first type.
Company X suffers a website crack through a third-party product?
This implies nothing whatsoever about Company X's product's security, and you'd be a fucking tool to assume otherwise.
This holds true whether "Company X == Microsoft" or "Company X == Mozilla Foundation".
You seem to believe that pro-Firefox partisan fuckwittery excuses pro-Microsoft partisan fuckwittery.
It does not, and partisan fuckwits of all flavours merely cheapen the debate.
Everything in moderation, including moderation itself
Contributors to open source projects donate their personal skills and time. There's no contractual obligation or guarantee of any level of competence. If you can't handle that concept, then you should probably stick to commercial software or purchase commercial support. Although that won't get you any guarantees of competence either, at least you'll have someone to yell at.
TODO: come up with a clever sig
It doesn't matter if they're donating their time/services or getting paid. If what they're doing end up being more harmful than good (ie. running servers so as to have quarterly security breaches), then the project is better off if they get rid of such a volunteer.
If somebody were to volunteer their cleaning services at a church, for instance, and proceeded to repeatedly damage the pews and the flooring, then they would be politely asked to stop volunteering. It's time for SpreadFirefox to do the same, so as to protect the data of the site's users.
Cyric Zndovzny at your service.