Wine HQ Password Database Compromised

← Back to Stories (view on slashdot.org)

Wine HQ Password Database Compromised

Posted by Unknown on Tuesday October 11, 2011 @10:00AM from the assailant-reportedly-doped-up-on-php dept.

With his first accepted submission, tyler.russell writes with a report that the WineHQ database systems were compromised. Quoting the official announcement: "We are sorry to report that recently our login database for the Wine HQ Application Database was compromised. We know that the entire contents of the login database was stolen by hackers. The password was encrypted, but with enough effort and depending on the quality of your old password, it could be cracked. We have closed the hole in our system that allowed read access to our database tables. To prevent further damage we have reset your password to what is shown below. We strongly suggest that if you shared your AppDB password on any other sites that you change that password as soon as possible.". He adds: "A new username and password were included with this email."

124 comments

Min score:

Reason:

Sort:

Ah Hell by masternerdguy · 2011-10-11 10:03 · Score: 1

Welp, there goes my information.

--
To offset political mods, replace Flamebait with Insightful.
1. Re:Ah Hell by Anonymous Coward · 2011-10-11 10:11 · Score: 1
  
  Same here... I shudder to think of the consequences if I had the same password everywhere. Given what the stats says about people's habits on passwords, there are probably a lot of people that are at risk with other online accounts when this sort of thing occurs.
  The really frightening thing is that for each of the break-in we hear about, there are probably countless others done successfully (IE, without detection) that we don't know about.
2. Re:Ah Hell by Anonymous Coward · 2011-10-11 10:13 · Score: 4, Funny
  
  entire contents of the login database was stolen by hackers
  Dammit. They didn't steal it. They made a copy. Okay?!
3. Re:Ah Hell by black3d · 2011-10-11 10:17 · Score: 1
  
  According to the dictionary, they stole it. Perhaps you have a personal, very narrow definition of Steal. The word means more than you think it does.
  
  --
  "The true measure of a person is how they act when they know they won't get caught." - DSRilk
4. Re:Ah Hell by Anonymous Coward · 2011-10-11 10:20 · Score: 0
  
  Somebody didn't get the joke. well played, AC.
5. Re:Ah Hell by TechLA · 2011-10-11 10:22 · Score: 1
  
  It's not stealing since they still have the original data left. Hackers only made a copy of that. No harm was done.
  
  ... that is, according to the Pirate Party and pirates on /.
6. Re:Ah Hell by Anonymous Coward · 2011-10-11 10:28 · Score: 0
  
  tyler.russell is a name that means nothing to me, and never will.
  I further don't care that this is his first accepted submission.
  I am annoyed that screen real-estate was wasted on the suggestion that this trivia is important.
  Slashdot continues its downhill slide.
7. Re:Ah Hell by cheekyjohnson · 2011-10-11 10:37 · Score: 1
  
  Right. Every pirate claims that all things that involve copying in any way must be harmless. According to my straw man, at least.
  
  --
  Filthy, filthy copyrapists!
8. Re:Ah Hell by cheekyjohnson · 2011-10-11 10:38 · Score: 1
  
  I think that's true.
  
  --
  Filthy, filthy copyrapists!
9. Re:Ah Hell by black3d · 2011-10-11 10:41 · Score: 1, Insightful
  
  Right, and I often hear them say that, except the problem is that no part of the definition of steal ever involves deprivation. Usually stealing leads to deprivation, but it's not required. Since the early 1900s, the definition of steal has included obtaining without permission, no deprivation involved whatsoever, especially in legal dictionaries which are what matters in this context.
  Similarly, if you take control of a bus, but continue to drive all passengers to their destination and allow them to alight, you're still guilty of kidnapping (actually, the definition of this varies between States, however in my country there is one legal definition, and it includes conveyance without legal permission.)
  I know the pirates want to hold onto a single, antiquidated definition of the word to try and force their views, but language changes - geeks are usually at the forefront of this adoption, and it's sad to see people so eager to give up societal advancement for personal gain. For all our pretence of social and moral superiority over our forebears, folks are as self-indulgent as ever - this hyporitical stance against the modern definition of "steal" is a great example.
  
  --
  "The true measure of a person is how they act when they know they won't get caught." - DSRilk
10. Re:Ah Hell by black3d · 2011-10-11 10:43 · Score: 1
  
  Alas, it's a common feeling around these parts. If only they were all joking..
  
  --
  "The true measure of a person is how they act when they know they won't get caught." - DSRilk
11. Re:Ah Hell by DanTheStone · 2011-10-11 10:58 · Score: 1
  
  They did steal it, because now the original owners are deprived of their old username and password. Did you not even read TFS?
12. Re:Ah Hell by NoSig · 2011-10-11 11:02 · Score: 2
  
  The word steal invokes the mental image of taking away, while copyright infringement doesn't, so steal is an inaccurate label for copyright infringement since no taking away is involved. The same thing that makes it inaccurate is exactly what makes it a great rhetorical trick. It's like referring to a speeder as a "dangerous criminal" or someone who thinks that trains should run on time as someone who "holds certain views in common with Nazis". You can think and argue that copyright infringement is bad without reducing yourself to that level, so whether copyright infringement is good or bad is irrelevant to the topic.
13. Re:Ah Hell by julian67 · 2011-10-11 11:18 · Score: 2
  
  In the UK the definition of theft explicitly sets out several tests including:
  "dishonestly acquire, with the intention to permanently deprive"
  This is why we have other laws such as the offence of "Taking without consent" of a motor vehicle, which covers situations where the acquisition can be proven dishonest but no intent to permanently deprive can be proven i.e. the offender takes, uses and abandons a vehicle, maybe even at or near where the owner left it.
  Most of the English speaking (officially/legally) world outside of the USA is likely to be the same.
14. Re:Ah Hell by black3d · 2011-10-11 11:31 · Score: 1
  
  I concur, good sir. But we were talking about the word "steal" not "theft". Contrary to my comments about "steal", "theft" almost universally does involve the removing of products, and deprivation. To recap, GP made a common /, rail against the word "stole", to describe the actions of people who made a copy of the database. I pointed out that "steal" doesn't necessarily involve deprivation, and the legal definition includes taking without permission - even if no deprivation occurs. Talking about a verb here, not the crime itself.
  Completely agreed - the crime of theft almost always involves deprivation of property in legal definition.
  
  --
  "The true measure of a person is how they act when they know they won't get caught." - DSRilk
15. Re:Ah Hell by black3d · 2011-10-11 11:36 · Score: 1
  
  I'm not arguing about whether or not copyright infringement is good or bad. Sorry if my message came across that way. What I was criticising was the fact that geeks are at the forefront of every advancement in society, and embrace new ideas and modern movements, but they make a special case for the word "steal" (which has evolved with the language, and includes obtaining without permission), and pretend it doesn't have that meaning simply so they can keep saying that copyright infringement isn't "stealing". I wasn't commenting on the stealing itself whatsoever, or whether it's good or bad. Apologies for not being more clear. I do disagree with you that copyright infringement isn't stealing, but I agree it's not theft. :)
  
  --
  "The true measure of a person is how they act when they know they won't get caught." - DSRilk
16. Re:Ah Hell by julian67 · 2011-10-11 11:57 · Score: 2
  
  In English Law "steal" refers to "theft". It's the same.
  From the Theft Act 1968 (current English Law):
  "A person is guilty of theft, if he dishonestly appropriates property belonging to another with the intention of permanently depriving the other of it; and "thief" and "steal" shall be construed accordingly."
  Dishonestly appropriating the contents of another person's database wouldn't be theft in England, though it would be a very serious offence under the Computer Misuse Act. The penalty could be as high as 5 years imprisonment.
17. Re:Ah Hell by EdIII · 2011-10-11 13:44 · Score: 0
  
  Sorry, but that definition still is, and always will be, complete and utter bullshit.
  All of your points involved the physical world. The act of theft, or stealing, can ONLY occur in the physical world . It blows my mind that anyone can come to a different conclusion once all things are considered. You cannot steal an idea, thoughts, etc. All you can do is share in them.
  Regardless of how one feels about intellectual property, we should be able to not treat each other like idiots and stop using the word theft or steal.
  It is copyright infringement. In cyberspace, stealing/theft can not ever occur. Only copying or destruction. Unlike space/time where energy can be neither created nor destroyed, which apparently has been extended to include "information" by scientists, cyberspace does allow for the destruction of information. It occurs all the time, either through intent or malice.
  The attempts to attribute the word steal, theft, etc. to the copying of information are all part of a disingenuous tactic to apply a reality distortion field.
  What is actually happening is quite important to understand, in fact critically important. These acts of copying and distributing data, which are called "piracy" so often, are just acts of copyright infringement.
  Copyright infringement, when done the way it is being done on the Internet, is considered by law to be civil disputes by most countries. This is quite inarguable actually. If it was stealing or theft, district attorneys would be involved (in the US) and the plaintiff would be the United States and the defendant would be John Smith. This is not true is it? Nope. Only time it is ever true is in criminal cases that involve physical distribution and profiting at fairly large scales. What we have in reality is large legal firms starting thousands, or hundreds of thousands of civil lawsuits.
  For the record, a copyright is a set of legal entitlements granted by society to the creators. We do this, according to the appropriate philosophies, to encourage innovation by rewarding those who do it, and to provide a valuable wealth of art and knowledge that all of society, and all societies as well, can use to create ever more new works of art and technologies.
  One cannot steal a set of legal entitlements, but infringe upon them. Totally different concept.
  And also for the record.... I support reasonable and sane copyrights and their interpretations. Not the reality distorted views and representations by groups of companies, people, legislators, etc. that outright lie and warp the facts to harm society with their actions. Taking away our rights, privacy, and anonymity to protect some legal entitlements is insanity. Sometimes poison can be used to cure, but this is not one of those cases.
  Copyright infringement DOES NOT HAVE ANYTHING TO DO WITH THIS ARTICLE EITHER! :)
  This is actual hacking. The malicious intent by a person to disrupt a system, copy information, for whatever purposes they want without the authorization by the people who own it.
  It will not be copyright laws that are ultimately brought to bear upon the person responsible for this, but laws expressly written to punish people who cause harm to companies and systems through their actions.
  The poster who brought this point up was not being pedantic, but only pointing out what you immediately attacked as untrue. No actual theft occurred here. However, yes, there were crimes committed.
18. Re:Ah Hell by black3d · 2011-10-11 14:32 · Score: 1
  
  I never brought up copyright infringement? I wasn't arguing for or against copyright infringement at any point in time. I was purely talking about the word "steal".
  You seem to be confusing the verb as a word, as I'm talking about it, and the criminal act. You're setting out with the notion that to "steal" only involves the physical world. May I ask where you got this notion? Not from the dictionary (although I'm certain you can find a dictionary with physical removal as the only definition of the word "steal", there are plenty also available which don't), The entire point I was trying to make is that this act IS covered under the modern definition of steal.
  I was only *ever* talking about the word, and how some geeks prefer to keep a singular definition for the word and excise all others that don't happen to suit their point of view or their argument.
  Here are some definitions for Steal from various dictionaries:
  - "to commit or practice theft."
  - "to obtain surreptitiously"
  - "to appropriate (ideas, etc) without acknowledgment, as in plagiarism"
  - "to take or appropriate without right or consent and with intent to keep or make use of"
  What I was commenting on, in reply to GP, was that many folks around here choose to ignore the latter three and make the argument that "stealing" is only ever the first definition there, and that all other definitions are false, and therefore, plagiarism (to use the example in the definition) isn't stealing. The truth of the matter, is if plagiarism is a definition of stealing, then plagiarism is stealing. Words have multiple definitions, and /.ers and pirates like to pretend this particular word only has one.
  It was just a comment on GPs attempt to dismiss the matter of "stealing" having occurred, when, if you accept the latter three definitions above, it did. If you choose to dismiss any dictionary which defines "steal" as also involving non-physical objects, that's your choice - but that doesn't resolve a dispute on the topic. Geeks need to man up about this and accept that words change. It's like folks are treating "steal" as a dirty word, and something they like to pretend they're not involved with; Denying any modern meaning of the word is how they go about setting themselves apart, and feel better about what they do.
  
  --
  "The true measure of a person is how they act when they know they won't get caught." - DSRilk
19. Re:Ah Hell by black3d · 2011-10-11 14:37 · Score: 1
  
  TL;DR version:
  
  You cannot steal an idea, thoughts, etc
  Dictionary definition:
  Steal
  "to appropriate (ideas, etc) without acknowledgment, as in plagiarism"
  My point was only ever that geeks are trying to ignore any definition of the word steal which doesn't suit them - I'm not arguing the merits of or against any act.
  
  --
  "The true measure of a person is how they act when they know they won't get caught." - DSRilk
20. Re:Ah Hell by Anonymous Coward · 2011-10-11 15:12 · Score: 0
  
  That's why we have crimes related to IP and computers.
21. Re:Ah Hell by EdIII · 2011-10-11 15:50 · Score: 0
  
  It was just a comment on GPs attempt to dismiss the matter of "stealing" having occurred, when, if you accept the latter three definitions above, it did. If you choose to dismiss any dictionary which defines "steal" as also involving non-physical objects, that's your choice - but that doesn't resolve a dispute on the topic. Geeks need to man up about this and accept that words change. It's like folks are treating "steal" as a dirty word, and something they like to pretend they're not involved with; Denying any modern meaning of the word is how they go about setting themselves apart, and feel better about what they do.
  You're wrong, and on many levels.
  Plagiarism is not a form of stealing. Just like copyright infringement, it is a separate act, that for exactly the same reasons, had the word steal misappropriated to benefit the copyright holders.
  Geeks do not need to "man up". We need to bunker down and refuse to allow people like you to change the word. Saying that change is just part of life, and like oh well, just go with the flow is harmful bullshit.
  I don't "pretend" anything. I have fully admitted, that on many occasions, both past and present, that I willfully perform acts of copyright infringement. I did so in my youth due to availability and in inability to pay, and as an adult because I choose to not respect any form of copyrights or patents that are older than 20 years. I find them to be harmful and detrimental to society and I will continue to treat them as if they were in the Public Domain. Because they should be. Period.
  As for words changing meaning, yes that is inevitable. What I will always fight is WHY. IT IS THE WHY THAT I FIGHT.
  The word steal is continually being misappropriated to the act of copyright infringement for a purpose.
  Just as you say I am denying the word to make myself feel better about what I am doing, "they" are changing the word to better support their positions and what they are doing.
  "They" are quite often referred to as Big Content, Big Media, etc. It is simply, a group of people and companies that represent large portfolios of copyrighted works that want to change the laws that govern our society to suit their interests. These interests are not in the best interests of The People, but rather themselves, which they conveniently and constantly spin to be "providing shareholder value".
  No. NO. NO.
  I will not participate with you in allowing the perversion of the word to suit a small group of people that want to apply a reality distortion field to a dispute and argument that affects all societies everywhere, and at an important and fundamental level.
  So for the exact same reasons you outlined, I am not letting Big Content get away with it. There is no stealing in cyberspace. Period. Once you take that away, we can start seeing these acts for what they are. Civil disputes between two parties, wherein one party has had their legal entitlements infringed upon by the other and they seek restitution as provided for by law.
  You allow that word to change and you are merely collaborating with a group of people that most certainly care nothing about your interests or freedoms, but whatever it takes, regardless of harm, to serve their own selfish interests.
  Why I am so fanatical about this?
  Big Content has done tremendous damage to our rights and privacy/anonymity to aid them in their civil disputes simply because they are unable to enforce their own legal entitlements. Use of the word steal is merely part of their propaganda and warped logic to erode our civil liberties, harm copyrights and the Public Domain, and to ultimately destroy the Public Domain.
  It is killing innovation and doing the exact opposite that one might think.
  No sir, I will not participate, I will not give up my rights, and I will fight to my last breath to protect the best interests of The People. That means copyright/patent reform and the realization that nothing is important enough to give up my Freedoms. That is not even logical. We fought to hard for our Freedoms to give it up to help criminalize even the smallest form of copyright infringement.
  No.
22. Re:Ah Hell by black3d · 2011-10-11 16:26 · Score: 1
  
  Whom do you suggest should decide on the definition of a word? Where do you think Oxford, et al, draw their current definitions from?
  Aside from that, I agree with every aspect of your stance against the criminalisation of copyright infringement. I concur that copyright has been warped and distorted completely from its original purpose, and that copyright now almost serves the opposite purpose that it was intended to. It was intended to provide an author with a modest fee, to encourage the author to continue and produce more works, knowing that it can provide an income - and the need for that income would cease once the author died. In fact, the terms used to be short enough as to encourage the author/artist to continue producing for the rest of their life.
  Thesedays, consideration for the author/artist is the smallest piece of the copyright pie. It's almost entirely about protecting corporate profit, and extending these profits from a single work for as long as possible after the death of the original author. It in fact stifles further originality, as a single IP (eg, LOTR) can be milked indefinitely without the need for new works.
  I'm just not hung up on the word. Perhaps it's because I don't fall victim to propaganda wars by big media. Probably it's because I speak multiple languages and I'm just not concerned about the colloquial definition of a single word - if it changes, so be it. I don't care if downloading movies adopts the name "murder". As long as people doing so aren't being charged with the crime which shares the same name, the adaptation of the word doesn't have a lot of meaning to me. In fact, it would actually weaken the seriousness attached to the word "murder".
  Likewise, if every civil dispute is to be known as "stealing", it weakens people's reactions to "stealing" - if it were an agenda by Big Media to attach the label, it would have the reverse effect to what they desire. It wouldn't make "copying movies" more serious, it'd make "stealing" less serious. Don't get me wrong, I do recognise that they want to fool people into believing this (the ads on DVDs/in cinemas comparing downloading a movie to robbery). I just don't think the term being used is the thing to get upset about.
  
  --
  "The true measure of a person is how they act when they know they won't get caught." - DSRilk
23. Re:Ah Hell by bjourne · 2011-10-11 21:08 · Score: 2
  
  You may have heard the quote "Immature poets imitate; mature poets steal" which is from T.S Eliot in 1921. That plagiarism is a form of "stealing" is well established in the English language and you are the one who want to redefine the word so that you have to call it "copyright infringement" instead, not Big Content.
  
  --
  Football Odds
24. Re:Ah Hell by maxwell+demon · 2011-10-11 21:15 · Score: 1
  
  So you think the only think that can do harm is stealing? So I guess it's OK if someone burns your house down, because after all, it's not stealing.
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
25. Re:Ah Hell by Zugok · 2011-10-11 21:59 · Score: 1
  
  I concur, good sir. But we were talking about the word "steal" not "theft".
  Take a look at this in New Zealand law
  http://www.legislation.govt.nz/act/public/1961/0043/latest/DLM329897.html#DLM329897
  I do not know what the codified definition of theft or steal is your jurisdiction or if its even the same as in New Zealand. The point is depending on what is written in the law chances are your definition does matter.
  
  --
  "I just can't sit while people are saying nonsense in a meeting without saying it's nonsense" J Watson, Sci Am 288:(4)51
26. Re:Ah Hell by pnewhook · 2011-10-12 00:17 · Score: 1
  
  So what you are saying is that it is by definition impossible to steal someone else's idea for something.
  
  --
  Tesla was a genius. Edison however was a overrated hack who liked to torture puppies.
27. Re:Ah Hell by pnewhook · 2011-10-12 00:21 · Score: 1
  
  You are completely wrong in your assertions. You are only making this stand to justify your own actions of theft. Get off your high horse and stop pretending your actions are to protect your rights or protect the interest of the People - they are NOT. You are stealing by copying copyright information pure and simple.
  
  --
  Tesla was a genius. Edison however was a overrated hack who liked to torture puppies.
28. Re:Ah Hell by julian67 · 2011-10-12 00:47 · Score: 1
  
  In English law, yes. In common speech, no. In other legal systems, I don't know.
  Common useage is often very different to strict or technical useage or even dictionary definition, and not just in law, so 'yes', 'no' and 'maybe, it depends' are all valid answers to your question (challenge?).
29. Re:Ah Hell by Anonymous Coward · 2011-10-12 01:30 · Score: 0
  
  Take a real quick look at the dictionary when you have time. Look up the word "humor". Let us know how that goes.
30. Re:Ah Hell by Anonymous Coward · 2011-10-12 10:03 · Score: 0
  
  Oh, so I'm a little too dry for you? I'll spell it out.
  He was making the argument that it's not stealing because it was only a copy (analogous to the whole "file sharing isn't theft" thing).
  The reason why file sharing isn't theft is that, according to practitioners, the original owner is not deprived of his copy of the thing being copied.
  I pointed out that, in this case, the original owner is deprived. So if you're making the file sharing comparison, this is "theft" similar to the copying of bitcoins, despite it not being literal theft.
  TL;DR: I did get the joke. I just thought I'd point out that the analogy didn't hold anyway.
Oh that's secure by theswade · 2011-10-11 10:10 · Score: 4, Interesting

So their solution to a security breach is to send out everyone's logins via clear text?
1. Re:Oh that's secure by Amouth · 2011-10-11 10:13 · Score: 1
  
  that was my thoughts exactly.. i figured it would be a forced reset on long-on and an e-mail with a unique id to use during that (think of it as a second factor token)..
  but to just reset the password and send it.. that is just ...........
  
  --
  '...if only "Jumping to a Conclusion" was an event in the Olympics.'
2. Re:Oh that's secure by Anonymous Coward · 2011-10-11 10:15 · Score: 2, Insightful
  
  Do you have another, better solution?
3. Re:Oh that's secure by Unreal+One · 2011-10-11 10:16 · Score: 1
  
  They wanted to see who would wine about it.
4. Re:Oh that's secure by Jello+B. · 2011-10-11 10:31 · Score: 1
  
  Let's mod this parent up, I'd like to hear some suggestions.
5. Re:Oh that's secure by Carnildo · 2011-10-11 10:47 · Score: 2
  
  So their solution to a security breach is to send out everyone's logins via clear text?
  It's much harder to intercept email than it is to decrypt an encrypted password: assuming that WineHQ users are typical in their password habits, about 75% of the passwords in the database are vulnerable to a dictionary attack and thus should be considered known to the attackers. By giving everyone a new password and emailing them in the clear to the users, they ensure that only those users who also have their email intercepted by the attackers are compromised.
  What the WineHQ admins have done is reduce the number of compromised users from approximately 75% to approximately 0%.
  
  --
  "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
6. Re:Oh that's secure by Anonymous Coward · 2011-10-11 12:16 · Score: 0
  
  that was my thoughts exactly.. i figured it would be a forced reset on long-on and an e-mail with a unique id to use during that (think of it as a second factor token)..
  but to just reset the password and send it.. that is just ...........
  So instead of sending a new password and recommend changing it, you suggest sending a one-use link so the user can change their password...
  
  Don't really see the advantage in this instance; if someone can get into your email, either way they're into your account.
7. Re:Oh that's secure by NoobixCube · 2011-10-11 13:07 · Score: 1
  
  Password reset confirmations sent to your recorded email when you try to log in again.
  
  --
  Admit it. You post strawman arguments as AC so you get modded Insightful for refuting them, rather than Troll
8. Re:Oh that's secure by Anonymous Coward · 2011-10-11 18:08 · Score: 0
  
  Because they aren't targeting a single account. Yeah, they can get the password reset links if they can intercept the emails, but with the links then they also need to act on those links which will be far more difficult than just passively collecting the new passwords.
  I think what's being missed by the OP is that no one gives a crap about the new passwords as they won't be linked to any of those user's existing accounts elsewhere. The value in the passwords is that they might also be the passwords those people use at their bank.
9. Re:Oh that's secure by Anonymous Coward · 2011-10-11 18:53 · Score: 0
  
  Hmmm. Assuming, of course, that those users don't use the same (old) password for WineHQ and their e-mail. (I'm aware that the audience of WineHQ might be more technically minded than your average BFU, but it still strikes me as a very charitable assumption.)
10. Re:Oh that's secure by maxwell+demon · 2011-10-11 21:23 · Score: 1
  
  Don't really see the advantage in this instance; if someone can get into your email, either way they're into your account.
  With sending a new username/password combination, someone who can read your mail but doesn't have the old password can get into your account. While with a personalized link, you'd hopefully still have to authenticate with your old password, so only someone who has both access to your mail and your old password can get into your account.
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
11. Re:Oh that's secure by Anonymous Coward · 2011-10-12 00:13 · Score: 0
  
  ROFL
  that is exactly what I was thinking.
12. Re:Oh that's secure by RivenAleem · 2011-10-12 02:21 · Score: 1
  
  They should have done it with white text on a white background, so that you couldn't see it through the e-nvelope. Only once you open the email and highlight or copy/paste the details will it become readable.
  That's how I send all my private messages anyway
13. Re:Oh that's secure by Reapman · 2011-10-12 02:38 · Score: 1
  
  So basically your saying that assuming these hackers have gone in, recovered your password, AND you used the same password for your email, it's safe to assume they didn't change your password to lock you out?
  Although no answer is perfect, in your solution you are requiring that the original WineHQ accounts are still uncompromised which is an unsafe assumption. Assuming the email is still safe is generally the safer of the two options. Using the email the only people that MIGHT get burned are those that used the same password on both. Both options involve risk.
14. Re:Oh that's secure by asdfghjklqwertyuiop · 2011-10-12 02:56 · Score: 1
  
  They were being sent in clear text all along anyway. The login isn't done over SSL.
15. Re:Oh that's secure by maxwell+demon · 2011-10-12 03:43 · Score: 1
  
  So basically your saying that assuming these hackers have gone in, recovered your password, AND you used the same password for your email, it's safe to assume they didn't change your password to lock you out?
  That's absolutely not what I said. Here's a relevant portion of my post: "someone who can read your mail but doesn't have the old password can get into your account" (the emphasis was even there in the original). That is, you are not only vulnerable against the original hackers, but in addition to others who manage to get access to your mail (reading is sufficient!). And that's independent of whether you used the same password for your email and WineHQ because those others do not need to know the password you used for WineHQ; indeed they need not even have guessed before that you have an account on WineHQ. And it may be that the original attackers did not find out your password (because you used a sufficiently good one).
  
  Although no answer is perfect, in your solution you are requiring that the original WineHQ accounts are still uncompromised which is an unsafe assumption.
  A changed password is equivalent to a forgotten password. Therefore the procedures set forth for that case may be used. Yes, they are most probably not any more secure; but then, you only need to use them if your account already was compromised as opposed to if your account only might be compromised (i.e. you only have the risk to get your account compromised in those cases where it already happened).
  
  Assuming the email is still safe is generally the safer of the two options. Using the email the only people that MIGHT get burned are those that used the same password on both. Both options involve risk.
  A solution which is not only perfectly safe as long as the email is safe, but in addition is still safe when the email is not safe, but the one who got access to your email does not know your old password is definitely more safe than a solution which is perfectly safe as long as the email is safe, but is completely unsafe otherwise.
  Yes, both options involve risk. But the dedicated link + old password solution involves less risk because it is safe in all situations where the original version is safe, but is also safe in some situations where the original one is not.
  And BTW, on that link they could also allow the password which was set just before the security breach happened (the hashes should still be on some backup). Which would bypass any problems caused by the attackers changing passwords while only marginally reducing security.
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
16. Re:Oh that's secure by Anonymous Coward · 2011-10-12 04:00 · Score: 0
  
  that was my thoughts exactly.. i figured it would be a forced reset on long-on and an e-mail with a unique id to use during that (think of it as a second factor token)..
  What difference would that make? So instead of sending a password, send something equivalent to a password for the purpose of changing the password... If the email is intercepted, then someone can get into the account again either way. No difference.
  If you cannot trust plain text email, then might I suggest using PGP.
17. Re:Oh that's secure by Anonymous Coward · 2011-10-12 22:12 · Score: 0
  
  That seems like a good solution, but how easy is it to implement with their setup?
Automatic Resets? by Anonymous Coward · 2011-10-11 10:12 · Score: 0

Did they have to automatically reset my password? No I have no fucking idea which password I need to change elsewhere!
1. Re:Automatic Resets? by Anonymous Coward · 2011-10-11 10:16 · Score: 0
  
  They wouldn't know what your password was to send to you. All the passwords in the database were hashed.
2. Re:Automatic Resets? by bell.colin · 2011-10-11 10:41 · Score: 2
  
  "but with enough effort and depending on the quality of your old password, it could be cracked."
  So just wait for the torrent to come out and check the list then.
3. Re:Automatic Resets? by scrib · 2011-10-11 11:12 · Score: 1
  
  So, you don't remember what your password was on the site?
  Check your browser saved passwords!
  
  --
  Help! Help! I'm being repressed!
How secure... by justdiver · 2011-10-11 10:13 · Score: 1

is sending out passwords via mass email in plain text? No wonder they had their system compromised.
1. Re:How secure... by DarwinSurvivor · 2011-10-11 10:47 · Score: 1
  
  Well I guess they could have just left the old one in there. Or do you have any better ideas that you are for some reason keeping to yourself...?
2. Re:How secure... by Carnildo · 2011-10-11 10:52 · Score: 3, Insightful
  
  How secure...is sending out passwords via mass email in plain text?
  
  Sending passwords in clear-text emails is only a minor security risk: in general, only network providers, system administrators, and three-letter agencies are in a position where they can intercept or read a user's email. If the people who attacked the WineHQ database don't fall into one of those categories, resetting passwords and sending the new ones in clear-text emails represents a dramatic reduction in the impact of the database compromise. If the attackers *do* fall into one of those categories, sending the emails does not increase the impact.
  
  --
  "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
3. Re:How secure... by justdiver · 2011-10-11 11:04 · Score: 1
  
  Better ideas? No. I don't. But then again, I'm not a network administrator in charge of a system that just had a massive security breach. I would've thought that having procedures in place for something like this would be part of a system / network administrators job. If even a lowly, green-behind-the-ears tech can see that your "email passwords in plain text" idea is lacking thorough planning, then something is wrong. My first reaction to this would have been to disable all accounts until a better idea is formed instead of going with a response to a security breach that has obvious security flaws of its own. Yes it would be inconvenient for the userbase, but it'd be better than half-assing it, which is likely how they got into this situation in the first place.
4. Re:How secure... by Dunbal · 2011-10-11 11:25 · Score: 1
  
  Unless you are sending the new login and password to an email account which the hacker already controls because, you see, he already grabbed your password and you probably use the same password for your email, and your email (if not also stolen) is probably login@yahoo/hot/gmail.com. In fact if he was smart he would just make note of the new login and password and delete the email, and you would be stuck wondering why you can't log in to a website in a couple months' time, while he's had a couple months of reading all your mail and possibly even contacting people on your behalf through your email. Dad could you email me your login/password for that website again? I forgot it...
  
  --
  Seven puppies were harmed during the making of this post.
5. Re:How secure... by Anonymous Coward · 2011-10-11 11:35 · Score: 1
  
  just as secure as resetting your password via email by clicking on the "I forgot my password link", If someone can intercept your email they can easily change your passwords.
6. Re:How secure... by CastrTroy · 2011-10-11 11:53 · Score: 1
  
  They should just have reset everybody's password to some really long (20 character?) random string (different string for each user) and not recorded the result. Any user who wanted to log in would have to use the "lost password" feature.
  
  --
  
  Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
7. Re:How secure... by Anonymous Coward · 2011-10-11 16:55 · Score: 0
  
  Sending out the password plain text shows they still have not implemented one way hashing and usually means there is no encryption in the database.
  I'm always scared when I see my password plaintext in an email.
  Kj
8. Re:How secure... by motd2k · 2011-10-11 19:07 · Score: 1
  
  No it doesn't, it indicates that they sent you the password during the hashing process.
9. Re:How secure... by maxwell+demon · 2011-10-11 21:30 · Score: 1
  
  while he's had a couple months of reading all your mail and possibly even contacting people on your behalf through your email. Dad could you email me your login/password for that website again? I forgot it...
  More likely, using the password reset feature of many sites which works by sending out an email.
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
10. Re:How secure... by DarwinSurvivor · 2011-10-14 20:48 · Score: 1
  
  Actually, the common way of doing that is to make the hash impossible to achieve. Adding an invalid character such as a ! to the beginning is a unix favorite and works quite well.
  
  But then you run into the whole issue of the resets being sent in cleartext anyways, so not much improvement there...
  
  The big problem with this method is when the website uses one those absolutely asinine recovery systems that asks you for the answer to a secret question. Most security-wise people fill that field full of gibberish making recovery impossible.
Re:A smear campaign by masternerdguy · 2011-10-11 10:14 · Score: 0, Troll

Don't worry. M$ has been allowing people to control other people's computers over the internet for years with innovative technologies like ActiveX and Internet Explorer.

--
To offset political mods, replace Flamebait with Insightful.
I just read about this by Maquis196 · 2011-10-11 10:15 · Score: 1

And went to my email and sure enough it's in my spam filter. So check there if you have missed it.
PHP software apparently at fault YET AGAIN. by Anonymous Coward · 2011-10-11 10:16 · Score: 0

The email in the mailing list archives clearly mentions that phpmyadmin was involved with this breach.
When will people learn that software written in PHP is generally among the worst there possibly is? PHP is a language that attracts the most stupid developers out there, and they in turn create some of the most insecure software around. They are too ignorant to even realize how badly they're screwing up.
Sure, there are a small number of large sites who have used PHP successfully, but if you look at their code they basically use PHP as little as possible. They might as well be using a real language like Perl or Python, given how much core PHP functionality they end up having to rewrite themselves.
1. Re:PHP software apparently at fault YET AGAIN. by GioMac · 2011-10-11 10:34 · Score: 1
  
  YET AGAIN?
  And when it was problematic before?
  Come oon... I'm pretty sure PHP itself is not the problem. The problem is how do you secure your system so it can't access all the information. You can just store passwords on the system, which will never give you complete list of hashes of all accounts at once (dumb, but simple solution that works) and will send alert to admin.
  Grenade in the hands of the monkey is dangerous and may kill you, but not in the hands of Rambo.
  If you write code in a bad way, it can't be the fault of the language you use.
  Python and perl itself works on the web server other way. You just can't isolate and limit it as it's possible with PHP.
  "PHP is designed specifically to be a more secure language for writing CGI programs than Perl or C, and with _correct selection_ of _compile-time_ and _runtime configuration options_, and _proper coding practices_, it can give you exactly the combination of freedom and security you need."
  http://php.net/manual/en/security.php
  You just can't simply isolate Python or Perl program from the paths it's serving with anything. Only possible solution is LSM like Apparmor or SELinux.
  
  --
  "It feels like I'm at the Zoo when reading this thread - I'm frightened, but it's interesting" (c)
2. Re:PHP software apparently at fault YET AGAIN. by Carnildo · 2011-10-11 10:58 · Score: 2
  
  It's not PHP that's the problem here, it's the specific software package phpMyAdmin. It's software that should never be deployed on an Internet-facing computer because of its security problems: about a third of the malicious traffic on my webserver is people probing for phpMyAdmin installations.
  
  --
  "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
3. Re:PHP software apparently at fault YET AGAIN. by duguk · 2011-10-11 12:19 · Score: 1
  
  It's not PHP that's the problem here, it's the specific software package phpMyAdmin. It's software that should never be deployed on an Internet-facing computer because of its security problems: about a third of the malicious traffic on my webserver is people probing for phpMyAdmin installations.
  This. phpMyAdmin has security problems. However, this was likely an authentication breach.
  
  It doesn't matter that what software they use; the fact they have complete database management online, makes it a lot easier for user details to be taken.
4. Re:PHP software apparently at fault YET AGAIN. by kassah · 2011-10-11 14:36 · Score: 1
  
  I remember the days when Perl was considered the language that attracted the crappy coders. Oh the security wonders I went through back with those CGI form mailers. I don't use Linux on my desktop because it attracts less idiots, I use Linux on my desktop because I like how it works. I use PHP in most websites because it's cheap to host, C or Python in desktop applications (C because I can code it extremely light on memory, Python because it has excellent support for gui libraries), and Java for certain enterprise pieces of my applications. Use a programming language because it's strengths fit your project and team, not because there are idiots who code with it. I hope you filter out the idiots long before you program it, or no matter the language, you'll have issues.
damn by Anonymous Coward · 2011-10-11 10:17 · Score: 0

enough said...
At least they found out about it... by iamachode · 2011-10-11 10:17 · Score: 1

Most site admins are clueless about security, so the fact that they caught the intrusion at all is a very good sign.
I always wonder how many sites are actually compromised out there.
Remember, folks, it's always a good idea to USE A UNIQUE PASSWORD ON EVERY SITE! Of course, I'm probably preaching to the choir here.
1. Re:At least they found out about it... by Baloroth · 2011-10-11 10:25 · Score: 1
  
  Unique passwords are hard to remember (at least, if they're any good). Password managers help (a lot) but if the main password gets keylogged, you're screwed. We really need a better system than ID + password.
  
  --
  "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
2. Re:At least they found out about it... by iamachode · 2011-10-11 10:39 · Score: 1
  
  Unique passwords are hard to remember (at least, if they're any good). Password managers help (a lot) but if the main password gets keylogged, you're screwed. We really need a better system than ID + password.
  I have a algorithm I use in my head that's based on the site name. It's not perfect, and if someone *really* wanted to figure it out and they had one of my passwords, they could do it. But, the barrier has been raised at least so most hackers will just test it out on various major sites then ignore it if it doesn't work.
  For instance, say your main password is "bur_rito" (too short, but it's an example), and the site here is slashdot.org. To create a unique password, you could do something like:
  * Take the 2nd and 4th letters of the website and insert them into a specific spots in your password, like:
  * buSr_rLito
  * Then, take the site extension and give it a numbering system in your head (i.e., 1 for .com, 2 for .org, 3 for .edu, 4 for .us, 5 for everything else), then insert it into specific spots like:
  * bu2r_rLit2o
  If you want to change your passwords regularly, it gets a little trickier, but it's better than using a unique one everywhere. It's also annoying that every site has its own restrictions on non-alphanumerics and password lengths.
3. Re:At least they found out about it... by h4rr4r · 2011-10-11 10:41 · Score: 1
  
  No they are not. Come up with better passwords. Use phrases instead of total randomness. "This Is The Worst Password any 1 has ever |-|ad", is one such password that is easy to remember and very secure.
4. Re:At least they found out about it... by Baloroth · 2011-10-11 10:57 · Score: 2
  
  And remembering which one you used on every single site you use regularly? Sure, for email and the like, but there are at least a dozen (probably more) sites I visit semi-regularly. Remembering such passwords for each site is quite a trick. You can vary the password based on the site name (as others have suggested) or some such scheme, but it gets tricky if you use even a fair number of internet sites.
  I only remember the passwords for 3-4 sites I visit (which I might want to access from random computers), and use random ones stored in Lastpass for the rest. Works for me.
  
  --
  "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
5. Re:At least they found out about it... by c++0xFF · 2011-10-11 11:02 · Score: 1, Insightful
  
  Good, unique passwords are fine until you have more than a handful of accounts. Even using a base password with something unique per site will only get you so far.
  Password managers are the next step, but they have to be available wherever you happen to be. That either means a smartphone (but typing in the password from my phone defeats the purpose and is a pain with truly strong passwords, a lost/stolen phone becomes a nightmare, and I don't have a smartphone anyway) or a website I can log into and copy/paste from (which then puts all my eggs in one basket, and brings up a whole mess of other issues, especially with public terminals), or a USB drive (which hopefully isn't locked out on the system you need to use, and has the potential for spreading viruses to every computer it touches).
  Oh, and then there's password resets ... which effectively turn your password into your mother's maiden name. Stored in the clear, of course.
  I agree. Passwords are a mess. The problem is, I have no clue how to replace them. Do you?
  And remember, the biggest problem isn't the major sites you visit every day ... it's the 100 small sites you visit less often (such as Wine HQ). Having a SecurID token for each site won't work, for example.
6. Re:At least they found out about it... by Carnildo · 2011-10-11 11:05 · Score: 1
  
  My password database just passed the 300-entry mark. How on Earth am I supposed to remember that many unique passphrases, especially for sites I might not visit for years at a time?
  
  --
  "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
7. Re:At least they found out about it... by c++0xFF · 2011-10-11 11:12 · Score: 1
  
  In addition to the other replies, I'll add that some (most?) sites implement passwords poorly. The worst offender is a length limit, which I've seen capped at 20 or less. I still have to use some old Unix systems that won't recognize anything beyond 8 (and "This Is " isn't exactly a good password).
  Until sites do things right, passphrases won't work.
8. Re:At least they found out about it... by J_Darnley · 2011-10-11 20:58 · Score: 1
  
  It's also annoying that every site has its own restrictions on non-alphanumerics and password lengths.
  This has got to be the worst thing about using a password manager, the fact that you have to remember which sites have what restrictions.
9. Re:At least they found out about it... by Terrasque · 2011-10-11 21:14 · Score: 1
  
  We really need a better system than ID + password.
  I've changed to Google's account for as many sites as I can (Google support OpenID), and I use two factor auth for my google account.
  Some things I like with openid:
  1. you don't need to have any special agreement or API key to services to add support for it to your site.
  2. If you don't trust provider A, then use provider B instead.. Or set up your own OpenID server.
  3. Since it's only one place you need to log in (and log out of), you can affort to have extra security there, which would otherwise be too annoying or expensive (SMS notification of login, SSL client certs, two factor auth and so on).
  
  --
  It's The Golden Rule: "He who has the gold makes the rules."
but.... but... but... by Anonymous Coward · 2011-10-11 10:18 · Score: 0

It's teh Linux!!!!onehundredeleven!!!!
Good thing I drink beer instead by dkleinsc · 2011-10-11 10:24 · Score: 1

But really, the important lesson from this is that you shouldn't share passwords between different sites. Use a variety of auth manager and a lot of the risk goes away.

--
I am officially gone from /. Long live http://www.soylentnews.com/
Dropbox+KeePassX by Maquis196 · 2011-10-11 10:26 · Score: 3, Interesting

If you accept that the internet will spit out your details at some point do this;
1. Sign up to dropbox (it's free and works on all platforms - including mobiles)
2. Get a copy of Keepassx, mac/windows version might have different name, never used them.
3. Store database of keepassx on dropbox so you've always got access to it.
4. Each website gets own generated password, short passwords for things you might need to type in on phone but still random.
This way, 1 bad event like this keeps you safe. I have both on my Android as well so it's with me always. /Maq
1. Re:Dropbox+KeePassX by Bios_Hakr · 2011-10-11 11:24 · Score: 1
  
  I have been using LastPass for a while now. And the more I use it, the more skittish I get.
  It's not that I'm really worried about losing access to the 500 or so sites in my database. Most of those I could reset via email.
  And my email password has to be rememberable because of my android phone and such.
  I just feel really skittish about relying on something that, in-effect, is an absolute book of knowledge about me. I used to keep that book inside my head. Now, it's out there. And it keeps me up some nights...
  
  --
  I'd rather you do it wrong, than for me to have to do it at all.
2. Re:Dropbox+KeePassX by unchiujar · 2011-10-11 11:25 · Score: 1
  
  You sir are my hero.
  
  --
  Shakespeare poems - infinite monkeys with infinite time.Computer tech support - a few trained ones working from 9 to 5.
3. Re:Dropbox+KeePassX by Anonymous Coward · 2011-10-11 11:26 · Score: 0
  
  So what happens if someone gains access to your dropbox and gets your password database file?
  http://nakedsecurity.sophos.com/2011/06/21/dropbox-lets-anyone-log-in-as-anyone/
4. Re:Dropbox+KeePassX by unchiujar · 2011-10-11 11:48 · Score: 2
  
  From the KeePassX site:
  Encryption- either the Advanced Encryption Standard (AES) or the Twofish algorithm are used - encryption of the database in 256 bit sized increments
  
  --
  Shakespeare poems - infinite monkeys with infinite time.Computer tech support - a few trained ones working from 9 to 5.
5. Re:Dropbox+KeePassX by lakeland · 2011-10-11 12:09 · Score: 1
  
  I use 1password with this setup.
  It works really well though it was a bit expensive to set up - I had to buy 1password for mac, windows and phone, so I think it cost about $60.
  Still, it got me onto dropbox which I now use for quite a few things :)
6. Re:Dropbox+KeePassX by lakeland · 2011-10-11 12:11 · Score: 1
  
  I don't know if LastPass is the same but I use 1Password and the data in that is encrypted with a password which is not stored in the database. By the sounds of the product name I'm guessing yours is similar.
  So even if someone does manage to get your password file they'd still have to crack your master password which I'd hope is exceedingly secure.
7. Re:Dropbox+KeePassX by Anonymous Coward · 2011-10-11 20:09 · Score: 0
  
  Kepassx is available for android as well. Iphone too.
Does this also affect the Wine forum accounts? by Anonymous Coward · 2011-10-11 10:27 · Score: 0

Anyone know? Are the Wine forums totally separate? I read the forum post about the AppDB compromise but it isn't mentioned whether this affects forum logins as well.
Reminder to Manage Your Passwords by Onymous+Coward · 2011-10-11 10:32 · Score: 1, Informative

Use a password manager like LastPass or KeePass, or, as I do, keep an encrypted file of your sites+logins+passwords.
You really need to manage your passwords. Reusing the same pass in multiple places is just a problem waiting to happen.
Re:A smear campaign by bonch · 2011-10-11 10:35 · Score: 0, Troll

Looks like you forgot to check "Post Anonymously" when replying to yourself.
Re:A smear campaign by masternerdguy · 2011-10-11 10:38 · Score: 0

keep telling yourself that.

--
To offset political mods, replace Flamebait with Insightful.
... is not an emulator by gmuslera · 2011-10-11 10:46 · Score: 2

but having security problems adds another layer of compatibility with windows.
1. Re:... is not an emulator by Anonymous Coward · 2011-10-11 11:36 · Score: 0
  
  Good show, old chap. Astute and true!
Most common password? by Anonymous Coward · 2011-10-11 11:13 · Score: 0

Ilovecock
First kernel.org and now this? by diego.viola · 2011-10-11 11:19 · Score: 1

WTF is going on?
1. Re:First kernel.org and now this? by Anonymous Coward · 2011-10-11 17:59 · Score: 0
  
  Do we see a pattern here...
  --> kernel.org
  -->mysql.com
  and now wineHQ
should have used apache by Gravis+Zero · 2011-10-11 11:22 · Score: 2, Informative

those showoffs were running IIS on WINE.

--
Anons need not reply. Questions end with a question mark.
Good thing by crossmr · 2011-10-11 11:22 · Score: 1

They recently deleted my account. After not having used it for a few years, I started getting several messages about old comments and reports I'd made being deleted, then I got a message saying my account would be deleted as well.
They kind of lost a lot of credibility with me when they insisted I make good on my pledge to buy a copy of the program when some random person claimed to have gotten my requested app to run. Except you couldn't open, work with, or save any files, and no one verified the report. But hey, give us your money now!
1. Re:Good thing by Anonymous Coward · 2011-10-11 12:39 · Score: 0
  
  They kind of lost a lot of credibility with me when they insisted I make good on my pledge to buy a copy of the program when some random person claimed to have gotten my requested app to run.
  Can you clarify this? The only pledge system I know of is on the CodeWeavers site, not WineHQ. Does Wine have a pledge system too? Link?
2. Re:Good thing by shutdown+-p+now · 2011-10-12 04:07 · Score: 1
  
  They kind of lost a lot of credibility with me when they insisted I make good on my pledge to buy a copy of the program
  You can't buy Wine, it's community-supported FOSS. Are you confusing them with CodeWeavers (CrossOver etc), by chance?
3. Re:Good thing by fgouget · 2011-10-12 10:23 · Score: 1
  
  This does not make sense. appdb.winehq.org has no pledge system and no program to sell.
4. Re:Good thing by crossmr · 2011-10-12 10:27 · Score: 1
  
  Right, I was thinking of Crossover. it's been a few years.
  my account from the appdb was deleted though.
phpmyadmin by Anonymous Coward · 2011-10-11 11:23 · Score: 0

Really? I guess the people at wine really like GUIs. If only they could do things via command line and no one would have been impacted.
Wait a frigging second, what's going on here? by WWWWolf · 2011-10-11 11:56 · Score: 1

They recently deleted my account. After not having used it for a few years, I started getting several messages about old comments and reports I'd made being deleted, then I got a message saying my account would be deleted as well.
They deleted my account as well - didn't mess with the pledge stuff and no malice on my part, just the fact that I got game consoles and Linux gaming didn't really keep me on grip. =)
But the weird thing is this: they just now sent me a new password. Did you get this notice as well? I tried to log in with the new password, and it said the account didn't exist. I re-registered, boom, there I was again, so it was not like it was somehow closed for all the eternity.
Did they keep my email and hashed password on file after they deleted my account? If so, why the hell did that happen? If they wanted consistency, couldn't they just change the email to "former_user_NNNN@dev.null.invalid" and blank the password? I don't think they really have a good grip on security over there...
1. Re:Wait a frigging second, what's going on here? by crossmr · 2011-10-11 12:59 · Score: 1
  
  I got no such e-mail from them.
LastPass and Yubikey, and client security by Cato · 2011-10-11 18:26 · Score: 1

LastPass (cloud service with browser plugins) supports Yubikey, a low-cost token for two-factor authentication - so someone would have to both install a keylogger on my system and physically steal the Yubikey token to get the LastPass passwords. http://www.yubico.com/
This makes it actually more secure to always use LastPass even if you remember the site password, because the LastPass login is Yubikey protected while the site password isn't (and the way LastPass sends the password to the site doesn't involve the keyboard.)
As with KeePass or 1Password, which are non-cloud services that would be used with Dropbox etc, you must still be very careful with security of the client system - non-keylogger trojans that attack the LastPass plugin or the KeePass/1Password client software could still steal passwords while the password database is open.
Everyone on Windows should be running the free Secunia PSI, which scans all third party and Microsoft apps every week for vulnerability, providing a link to easily update them, and even auto updates some of the most common ones. If everyone did this, drive-by download attacks would be virtually a thing of the past.
Sadly, Mac and Linux don't have this for any apps not handled by the standard MacOS updater or the Linux distro's package repository, but at least with Linux you can limit your use of non-repository apps to those with excellent auto-updating (Firefox, and Chrome as long as your distro doesn't go out of date making Chrome refuse to update!)
Linsux hacked again.. by Anonymous Coward · 2011-10-11 19:09 · Score: 0

Linsux hacked again..
1. Re:Linsux hacked again.. by V!NCENT · 2011-10-11 20:28 · Score: 1
  
  They hacked a database, not Linux :)
  If you troll, then at least get your facts straight. This is just lame.
  
  --
  Here be signatures
2. Re:Linsux hacked again.. by V!NCENT · 2011-10-11 20:30 · Score: 1
  
  I feel for this troll... He can't even make the difference between and OS kernel and a database application...
  
  --
  Here be signatures
3. Re:Linsux hacked again.. by Anonymous Coward · 2011-10-12 00:09 · Score: 0
  
  Didn't you get the memo? Apparently you have to blame everything on the OS even when its not at fault. Oh.. was that only for Windows?
4. Re:Linsux hacked again.. by V!NCENT · 2011-10-12 01:24 · Score: 1
  
  Touché (sort of)...
  
  --
  Here be signatures
Linsux hacked again.. by Anonymous Coward · 2011-10-11 19:18 · Score: 0

Linsux hacked again.. lol
wine security = wine code by Anonymous Coward · 2011-10-11 19:56 · Score: 0

I guess the wine project (~=codeweavers) treats security the same way it treats its code.
For decades the project has sucked up all the developer energy that could have been invested into making a good compatibility layer. Microsoft should be thankful that the wine effort was so poorly managed, designed and executed.
Thankfully, the need for the wine project is declining steadily, as native alternatives get better.
1. Re:wine security = wine code by Jorl17 · 2011-10-12 04:52 · Score: 1
  
  Two words: Not True.
  
  --
  Have you heard about SoylentNews?
Re:A smear campaign by V!NCENT · 2011-10-11 20:31 · Score: 0

Don't worry:
Microsoft crashed stock exchanges twice and they had some source code stolen from them during the hack.
The score is still Linux-Windows: 3-2 :P

--
Here be signatures
Bug databases should not require passwords by phtpht · 2011-10-12 07:08 · Score: 1

This is one of the downsides of forcing everyone to _register_ just to report a bug. (The other downside is the tremendous pain in the user's butt.) If they only used a simple solution like Request Tracker or so.