Slashdot Mirror


Wine HQ Password Database Compromised

With his first accepted submission, tyler.russell writes with a report that the WineHQ database systems were compromised. Quoting the official announcement: "We are sorry to report that recently our login database for the Wine HQ Application Database was compromised. We know that the entire contents of the login database was stolen by hackers. The password was encrypted, but with enough effort and depending on the quality of your old password, it could be cracked. We have closed the hole in our system that allowed read access to our database tables. To prevent further damage we have reset your password to what is shown below. We strongly suggest that if you shared your AppDB password on any other sites that you change that password as soon as possible." He adds: "A new username and password were included with this email."

86 of 124 comments

  1. Ah Hell by masternerdguy · · Score: 1

    Welp, there goes my information.

    --
    To offset political mods, replace Flamebait with Insightful.
    1. Re:Ah Hell by Anonymous Coward · · Score: 1

      Same here... I shudder to think of the consequences if I had the same password everywhere. Given what the stats say about people's habits on passwords, there are probably a lot of people that are at risk with other online accounts when this sort of thing occurs.
      The really frightening thing is that for each of the break-ins we hear about, there are probably countless others done successfully (i.e., without detection) that we don't know about.

    2. Re:Ah Hell by Anonymous Coward · · Score: 4, Funny

      entire contents of the login database was stolen by hackers

      Dammit. They didn't steal it. They made a copy. Okay?!

    3. Re:Ah Hell by black3d · · Score: 1

      According to the dictionary, they stole it. Perhaps you have a personal, very narrow definition of Steal. The word means more than you think it does.

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    4. Re:Ah Hell by TechLA · · Score: 1

      It's not stealing since they still have the original data left. Hackers only made a copy of that. No harm was done.

      ... that is, according to the Pirate Party and pirates on /.

    5. Re:Ah Hell by cheekyjohnson · · Score: 1

      Right. Every pirate claims that all things that involve copying in any way must be harmless. According to my straw man, at least.

      --
      Filthy, filthy copyrapists!
    6. Re:Ah Hell by cheekyjohnson · · Score: 1

      I think that's true.

      --
      Filthy, filthy copyrapists!
    7. Re:Ah Hell by black3d · · Score: 1, Insightful

      Right, and I often hear them say that, except the problem is that no part of the definition of steal ever involves deprivation. Usually stealing leads to deprivation, but it's not required. Since the early 1900s, the definition of steal has included obtaining without permission, no deprivation involved whatsoever, especially in legal dictionaries which are what matters in this context.

      Similarly, if you take control of a bus, but continue to drive all passengers to their destination and allow them to alight, you're still guilty of kidnapping (actually, the definition of this varies between States, however in my country there is one legal definition, and it includes conveyance without legal permission.)

      I know the pirates want to hold onto a single, antiquated definition of the word to try and force their views, but language changes - geeks are usually at the forefront of this adoption, and it's sad to see people so eager to give up societal advancement for personal gain. For all our pretence of social and moral superiority over our forebears, folks are as self-indulgent as ever - this hypocritical stance against the modern definition of "steal" is a great example.

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    8. Re:Ah Hell by black3d · · Score: 1

      Alas, it's a common feeling around these parts. If only they were all joking..

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    9. Re:Ah Hell by DanTheStone · · Score: 1

      They did steal it, because now the original owners are deprived of their old username and password. Did you not even read TFS?

    10. Re:Ah Hell by NoSig · · Score: 2

      The word steal invokes the mental image of taking away, while copyright infringement doesn't, so steal is an inaccurate label for copyright infringement since no taking away is involved. The same thing that makes it inaccurate is exactly what makes it a great rhetorical trick. It's like referring to a speeder as a "dangerous criminal" or someone who thinks that trains should run on time as someone who "holds certain views in common with Nazis". You can think and argue that copyright infringement is bad without reducing yourself to that level, so whether copyright infringement is good or bad is irrelevant to the topic.

    11. Re:Ah Hell by julian67 · · Score: 2

      In the UK the definition of theft explicitly sets out several tests including:

      "dishonestly acquire, with the intention to permanently deprive"

      This is why we have other laws such as the offence of "Taking without consent" of a motor vehicle, which covers situations where the acquisition can be proven dishonest but no intent to permanently deprive can be proven i.e. the offender takes, uses and abandons a vehicle, maybe even at or near where the owner left it.

      Most of the English speaking (officially/legally) world outside of the USA is likely to be the same.

    12. Re:Ah Hell by black3d · · Score: 1

      I concur, good sir. But we were talking about the word "steal" not "theft". Contrary to my comments about "steal", "theft" almost universally does involve the removing of products, and deprivation. To recap, GP made a common /. rail against the word "stole", to describe the actions of people who made a copy of the database. I pointed out that "steal" doesn't necessarily involve deprivation, and the legal definition includes taking without permission - even if no deprivation occurs. Talking about a verb here, not the crime itself.

      Completely agreed - the crime of theft almost always involves deprivation of property in legal definition.

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    13. Re:Ah Hell by black3d · · Score: 1

      I'm not arguing about whether or not copyright infringement is good or bad. Sorry if my message came across that way. What I was criticising was the fact that geeks are at the forefront of every advancement in society, and embrace new ideas and modern movements, but they make a special case for the word "steal" (which has evolved with the language, and includes obtaining without permission), and pretend it doesn't have that meaning simply so they can keep saying that copyright infringement isn't "stealing". I wasn't commenting on the stealing itself whatsoever, or whether it's good or bad. Apologies for not being more clear. I do disagree with you that copyright infringement isn't stealing, but I agree it's not theft. :)

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    14. Re:Ah Hell by julian67 · · Score: 2

      In English Law "steal" refers to "theft". It's the same.

      From the Theft Act 1968 (current English Law):

      "A person is guilty of theft, if he dishonestly appropriates property belonging to another with the intention of permanently depriving the other of it; and "thief" and "steal" shall be construed accordingly."

      Dishonestly appropriating the contents of another person's database wouldn't be theft in England, though it would be a very serious offence under the Computer Misuse Act. The penalty could be as high as 5 years imprisonment.

    15. Re:Ah Hell by black3d · · Score: 1

      I never brought up copyright infringement? I wasn't arguing for or against copyright infringement at any point in time. I was purely talking about the word "steal".

      You seem to be confusing the verb as a word, as I'm talking about it, and the criminal act. You're setting out with the notion that to "steal" only involves the physical world. May I ask where you got this notion? Not from the dictionary (although I'm certain you can find a dictionary with physical removal as the only definition of the word "steal", there are plenty also available which don't). The entire point I was trying to make is that this act IS covered under the modern definition of steal.

      I was only *ever* talking about the word, and how some geeks prefer to keep a singular definition for the word and excise all others that don't happen to suit their point of view or their argument.

      Here are some definitions for Steal from various dictionaries:
        - "to commit or practice theft."
        - "to obtain surreptitiously"
        - "to appropriate (ideas, etc) without acknowledgment, as in plagiarism"
        - "to take or appropriate without right or consent and with intent to keep or make use of"

      What I was commenting on, in reply to GP, was that many folks around here choose to ignore the latter three and make the argument that "stealing" is only ever the first definition there, and that all other definitions are false, and therefore, plagiarism (to use the example in the definition) isn't stealing. The truth of the matter, is if plagiarism is a definition of stealing, then plagiarism is stealing. Words have multiple definitions, and /.ers and pirates like to pretend this particular word only has one.

      It was just a comment on GPs attempt to dismiss the matter of "stealing" having occurred, when, if you accept the latter three definitions above, it did. If you choose to dismiss any dictionary which defines "steal" as also involving non-physical objects, that's your choice - but that doesn't resolve a dispute on the topic. Geeks need to man up about this and accept that words change. It's like folks are treating "steal" as a dirty word, and something they like to pretend they're not involved with; Denying any modern meaning of the word is how they go about setting themselves apart, and feel better about what they do.

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    16. Re:Ah Hell by black3d · · Score: 1

      TL;DR version:

      You cannot steal an idea, thoughts, etc

      Dictionary definition:
      Steal
      "to appropriate (ideas, etc) without acknowledgment, as in plagiarism"

      My point was only ever that geeks are trying to ignore any definition of the word steal which doesn't suit them - I'm not arguing the merits of or against any act.

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    17. Re:Ah Hell by black3d · · Score: 1

      Whom do you suggest should decide on the definition of a word? Where do you think Oxford, et al, draw their current definitions from?

      Aside from that, I agree with every aspect of your stance against the criminalisation of copyright infringement. I concur that copyright has been warped and distorted completely from its original purpose, and that copyright now almost serves the opposite purpose that it was intended to. It was intended to provide an author with a modest fee, to encourage the author to continue and produce more works, knowing that it can provide an income - and the need for that income would cease once the author died. In fact, the terms used to be short enough as to encourage the author/artist to continue producing for the rest of their life.

      These days, consideration for the author/artist is the smallest piece of the copyright pie. It's almost entirely about protecting corporate profit, and extending these profits from a single work for as long as possible after the death of the original author. It in fact stifles further originality, as a single IP (eg, LOTR) can be milked indefinitely without the need for new works.

      I'm just not hung up on the word. Perhaps it's because I don't fall victim to propaganda wars by big media. Probably it's because I speak multiple languages and I'm just not concerned about the colloquial definition of a single word - if it changes, so be it. I don't care if downloading movies adopts the name "murder". As long as people doing so aren't being charged with the crime which shares the same name, the adaptation of the word doesn't have a lot of meaning to me. In fact, it would actually weaken the seriousness attached to the word "murder".

      Likewise, if every civil dispute is to be known as "stealing", it weakens people's reactions to "stealing" - if it were an agenda by Big Media to attach the label, it would have the reverse effect to what they desire. It wouldn't make "copying movies" more serious, it'd make "stealing" less serious. Don't get me wrong, I do recognise that they want to fool people into believing this (the ads on DVDs/in cinemas comparing downloading a movie to robbery). I just don't think the term being used is the thing to get upset about.

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    18. Re:Ah Hell by bjourne · · Score: 2

      You may have heard the quote "Immature poets imitate; mature poets steal" which is from T.S. Eliot in 1921. That plagiarism is a form of "stealing" is well established in the English language and you are the one who wants to redefine the word so that you have to call it "copyright infringement" instead, not Big Content.

    19. Re:Ah Hell by maxwell+demon · · Score: 1

      So you think the only thing that can do harm is stealing? So I guess it's OK if someone burns your house down, because after all, it's not stealing.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    20. Re:Ah Hell by Zugok · · Score: 1

      I concur, good sir. But we were talking about the word "steal" not "theft".

      Take a look at this in New Zealand law
      http://www.legislation.govt.nz/act/public/1961/0043/latest/DLM329897.html#DLM329897

      I do not know what the codified definition of theft or steal is in your jurisdiction or if it's even the same as in New Zealand. The point is, depending on what is written in the law, chances are your definition does matter.

      --
      "I just can't sit while people are saying nonsense in a meeting without saying it's nonsense" J Watson, Sci Am 288:(4)51
    21. Re:Ah Hell by pnewhook · · Score: 1

      So what you are saying is that it is by definition impossible to steal someone else's idea for something.

      --
      Tesla was a genius. Edison however was an overrated hack who liked to torture puppies.
    22. Re:Ah Hell by pnewhook · · Score: 1

      You are completely wrong in your assertions. You are only making this stand to justify your own actions of theft. Get off your high horse and stop pretending your actions are to protect your rights or protect the interest of the People - they are NOT. You are stealing by copying copyright information pure and simple.

      --
      Tesla was a genius. Edison however was an overrated hack who liked to torture puppies.
    23. Re:Ah Hell by julian67 · · Score: 1

      In English law, yes. In common speech, no. In other legal systems, I don't know.

      Common usage is often very different to strict or technical usage or even dictionary definition, and not just in law, so 'yes', 'no' and 'maybe, it depends' are all valid answers to your question (challenge?).

  2. Oh that's secure by theswade · · Score: 4, Interesting

    So their solution to a security breach is to send out everyone's logins via clear text?

    1. Re:Oh that's secure by Amouth · · Score: 1

      That was my thought exactly.. I figured it would be a forced reset on log-on and an e-mail with a unique id to use during that (think of it as a second factor token)..

      but to just reset the password and send it.. that is just ...........

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    2. Re:Oh that's secure by Anonymous Coward · · Score: 2, Insightful

      Do you have another, better solution?

    3. Re:Oh that's secure by Unreal+One · · Score: 1

      They wanted to see who would wine about it.

    4. Re:Oh that's secure by Jello+B. · · Score: 1

      Let's mod this parent up, I'd like to hear some suggestions.

    5. Re:Oh that's secure by Carnildo · · Score: 2

      So their solution to a security breach is to send out everyone's logins via clear text?

      It's much harder to intercept email than it is to decrypt an encrypted password: assuming that WineHQ users are typical in their password habits, about 75% of the passwords in the database are vulnerable to a dictionary attack and thus should be considered known to the attackers. By giving everyone a new password and emailing them in the clear to the users, they ensure that only those users who also have their email intercepted by the attackers are compromised.

      What the WineHQ admins have done is reduce the number of compromised users from approximately 75% to approximately 0%.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    6. Re:Oh that's secure by NoobixCube · · Score: 1

      Password reset confirmations sent to your recorded email when you try to log in again.

      --
      Admit it. You post strawman arguments as AC so you get modded Insightful for refuting them, rather than Troll
    7. Re:Oh that's secure by maxwell+demon · · Score: 1

      Don't really see the advantage in this instance; if someone can get into your email, either way they're into your account.

      With sending a new username/password combination, someone who can read your mail but doesn't have the old password can get into your account. While with a personalized link, you'd hopefully still have to authenticate with your old password, so only someone who has both access to your mail and your old password can get into your account.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    8. Re:Oh that's secure by RivenAleem · · Score: 1

      They should have done it with white text on a white background, so that you couldn't see it through the e-nvelope. Only once you open the email and highlight or copy/paste the details will it become readable.

      That's how I send all my private messages anyway

    9. Re:Oh that's secure by Reapman · · Score: 1

      So basically you're saying that assuming these hackers have gone in, recovered your password, AND you used the same password for your email, it's safe to assume they didn't change your password to lock you out?

      Although no answer is perfect, in your solution you are requiring that the original WineHQ accounts are still uncompromised which is an unsafe assumption. Assuming the email is still safe is generally the safer of the two options. Using the email the only people that MIGHT get burned are those that used the same password on both. Both options involve risk.

    10. Re:Oh that's secure by asdfghjklqwertyuiop · · Score: 1

      They were being sent in clear text all along anyway. The login isn't done over SSL.

    11. Re:Oh that's secure by maxwell+demon · · Score: 1

      So basically you're saying that assuming these hackers have gone in, recovered your password, AND you used the same password for your email, it's safe to assume they didn't change your password to lock you out?

      That's absolutely not what I said. Here's a relevant portion of my post: "someone who can read your mail but doesn't have the old password can get into your account" (the emphasis was even there in the original). That is, you are not only vulnerable against the original hackers, but in addition to others who manage to get access to your mail (reading is sufficient!). And that's independent of whether you used the same password for your email and WineHQ because those others do not need to know the password you used for WineHQ; indeed they need not even have guessed before that you have an account on WineHQ. And it may be that the original attackers did not find out your password (because you used a sufficiently good one).

      Although no answer is perfect, in your solution you are requiring that the original WineHQ accounts are still uncompromised which is an unsafe assumption.

      A changed password is equivalent to a forgotten password. Therefore the procedures set forth for that case may be used. Yes, they are most probably not any more secure; but then, you only need to use them if your account already was compromised as opposed to if your account only might be compromised (i.e. you only have the risk to get your account compromised in those cases where it already happened).

      Assuming the email is still safe is generally the safer of the two options. Using the email the only people that MIGHT get burned are those that used the same password on both. Both options involve risk.

      A solution which is not only perfectly safe as long as the email is safe, but in addition is still safe when the email is not safe, but the one who got access to your email does not know your old password is definitely more safe than a solution which is perfectly safe as long as the email is safe, but is completely unsafe otherwise.

      Yes, both options involve risk. But the dedicated link + old password solution involves less risk because it is safe in all situations where the original version is safe, but is also safe in some situations where the original one is not.

      And BTW, on that link they could also allow the password which was set just before the security breach happened (the hashes should still be on some backup). Which would bypass any problems caused by the attackers changing passwords while only marginally reducing security.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  3. How secure... by justdiver · · Score: 1

    is sending out passwords via mass email in plain text? No wonder they had their system compromised.

    1. Re:How secure... by DarwinSurvivor · · Score: 1

      Well I guess they could have just left the old one in there. Or do you have any better ideas that you are for some reason keeping to yourself...?

    2. Re:How secure... by Carnildo · · Score: 3, Insightful

      How secure...is sending out passwords via mass email in plain text?

      Sending passwords in clear-text emails is only a minor security risk: in general, only network providers, system administrators, and three-letter agencies are in a position where they can intercept or read a user's email. If the people who attacked the WineHQ database don't fall into one of those categories, resetting passwords and sending the new ones in clear-text emails represents a dramatic reduction in the impact of the database compromise. If the attackers *do* fall into one of those categories, sending the emails does not increase the impact.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    3. Re:How secure... by justdiver · · Score: 1

      Better ideas? No. I don't. But then again, I'm not a network administrator in charge of a system that just had a massive security breach. I would've thought that having procedures in place for something like this would be part of a system / network administrator's job. If even a lowly, green-behind-the-ears tech can see that your "email passwords in plain text" idea is lacking thorough planning, then something is wrong. My first reaction to this would have been to disable all accounts until a better idea is formed instead of going with a response to a security breach that has obvious security flaws of its own. Yes it would be inconvenient for the userbase, but it'd be better than half-assing it, which is likely how they got into this situation in the first place.

    4. Re:How secure... by Dunbal · · Score: 1

      Unless you are sending the new login and password to an email account which the hacker already controls because, you see, he already grabbed your password and you probably use the same password for your email, and your email (if not also stolen) is probably login@yahoo/hot/gmail.com. In fact if he was smart he would just make note of the new login and password and delete the email, and you would be stuck wondering why you can't log in to a website in a couple months' time, while he's had a couple months of reading all your mail and possibly even contacting people on your behalf through your email. Dad could you email me your login/password for that website again? I forgot it...

      --
      Seven puppies were harmed during the making of this post.
    5. Re:How secure... by Anonymous Coward · · Score: 1

      Just as secure as resetting your password via email by clicking on the "I forgot my password" link. If someone can intercept your email they can easily change your passwords.

    6. Re:How secure... by CastrTroy · · Score: 1

      They should just have reset everybody's password to some really long (20 character?) random string (different string for each user) and not recorded the result. Any user who wanted to log in would have to use the "lost password" feature.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    7. Re:How secure... by motd2k · · Score: 1

      No it doesn't, it indicates that they sent you the password during the hashing process.

    8. Re:How secure... by maxwell+demon · · Score: 1

      while he's had a couple months of reading all your mail and possibly even contacting people on your behalf through your email. Dad could you email me your login/password for that website again? I forgot it...

      More likely, using the password reset feature of many sites which works by sending out an email.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    9. Re:How secure... by DarwinSurvivor · · Score: 1

      Actually, the common way of doing that is to make the hash impossible to achieve. Adding an invalid character such as a ! to the beginning is a unix favorite and works quite well.

      But then you run into the whole issue of the resets being sent in cleartext anyways, so not much improvement there...

      The big problem with this method is when the website uses one of those absolutely asinine recovery systems that asks you for the answer to a secret question. Most security-wise people fill that field full of gibberish making recovery impossible.
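The post-breach handling argued over in this thread, put together as an added example (not WineHQ's code, and not code posted by any commenter): CastrTroy's "invalidate every password and route users through the lost-password flow", DarwinSurvivor's Unix-style `!` prefix on the stored hash as the way to do that invalidation, and maxwell+demon's "mailed one-time link plus the pre-breach password" so that someone who can merely read a user's mail still cannot take the account. The account table, the PBKDF2 work factor and the token lifetime are this example's own choices.

```python
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 100_000  # PBKDF2 work factor; example value, raise it on real hardware

# Constructed in-memory account table (username -> record); not WineHQ's schema.
ACCOUNTS = {}


def _hash_password(password, salt):
    # Salted, slow hash: a stolen table still has to be brute-forced per user,
    # and each guess costs ITERATIONS rounds of HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def create_account(username, password):
    salt = os.urandom(16)
    ACCOUNTS[username] = {"salt": salt, "hash": _hash_password(password, salt),
                          "reset": None}


def verify_password(username, password):
    rec = ACCOUNTS.get(username)
    if rec is None:
        return False
    # A hex digest never contains "!", so a locked record can never match.
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))


def lock_all_accounts():
    # The "!" prefix trick from /etc/shadow: the pre-breach digest is retained
    # for the reset step below, but no password verifies against the record.
    for rec in ACCOUNTS.values():
        if not rec["hash"].startswith("!"):
            rec["hash"] = "!" + rec["hash"]


def issue_reset_token(username, ttl_seconds=3600):
    # Random one-time token to be mailed as a link; on its own it grants nothing.
    rec = ACCOUNTS[username]
    token = secrets.token_urlsafe(32)
    rec["reset"] = (token, time.time() + ttl_seconds)
    return token


def reset_password(username, token, old_password, new_password):
    rec = ACCOUNTS.get(username)
    if rec is None or rec["reset"] is None:
        return False
    expected, expires = rec["reset"]
    if time.time() > expires or not hmac.compare_digest(expected, token):
        return False
    # Second factor: the pre-breach password must match the retained digest,
    # so a mail reader without the old password still cannot take the account.
    retained = rec["hash"].lstrip("!")
    if not hmac.compare_digest(retained, _hash_password(old_password, rec["salt"])):
        return False
    salt = os.urandom(16)  # fresh salt and digest; the token is consumed
    rec.update(salt=salt, hash=_hash_password(new_password, salt), reset=None)
    return True


if __name__ == "__main__":
    create_account("alice", "correct horse battery")
    lock_all_accounts()
    tok = issue_reset_token("alice")
    print(verify_password("alice", "correct horse battery"))  # False while locked
    print(reset_password("alice", tok, "correct horse battery", "new passphrase"))  # True
    print(verify_password("alice", "new passphrase"))  # True
```

The design point is the one maxwell+demon makes: the mailed token and the old password are independent factors, so the flow is no weaker than mailing a fresh password where the mailbox is safe, and still holds where the mailbox is readable but the old password was not cracked. Keeping the old digest behind the `!` prefix is what lets the reset step check that second factor without a separate backup.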

  4. I just read about this by Maquis196 · · Score: 1

    And went to my email and sure enough it's in my spam filter. So check there if you have missed it.

  5. At least they found out about it... by iamachode · · Score: 1

    Most site admins are clueless about security, so the fact that they caught the intrusion at all is a very good sign.

    I always wonder how many sites are actually compromised out there.

    Remember, folks, it's always a good idea to USE A UNIQUE PASSWORD ON EVERY SITE! Of course, I'm probably preaching to the choir here.

    1. Re:At least they found out about it... by Baloroth · · Score: 1

      Unique passwords are hard to remember (at least, if they're any good). Password managers help (a lot) but if the main password gets keylogged, you're screwed. We really need a better system than ID + password.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    2. Re:At least they found out about it... by iamachode · · Score: 1

      Unique passwords are hard to remember (at least, if they're any good). Password managers help (a lot) but if the main password gets keylogged, you're screwed. We really need a better system than ID + password.

      I have an algorithm I use in my head that's based on the site name. It's not perfect, and if someone *really* wanted to figure it out and they had one of my passwords, they could do it. But, the barrier has been raised at least so most hackers will just test it out on various major sites then ignore it if it doesn't work.

      For instance, say your main password is "bur_rito" (too short, but it's an example), and the site here is slashdot.org. To create a unique password, you could do something like:
        * Take the 2nd and 4th letters of the website and insert them into specific spots in your password, like:
          * buSr_rLito
        * Then, take the site extension and give it a numbering system in your head (i.e., 1 for .com, 2 for .org, 3 for .edu, 4 for .us, 5 for everything else), then insert it into specific spots like:
          * bu2r_rLit2o

      If you want to change your passwords regularly, it gets a little trickier, but it's better than using a unique one everywhere. It's also annoying that every site has its own restrictions on non-alphanumerics and password lengths.
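The derivation iamachode describes, written out as an added example (not code from the post). The TLD numbering is the one given there; the insertion positions are this example's own choice, since the post only says "specific spots". The second function counts the characters in which two sites' passwords differ, which makes the limitation the post itself concedes measurable: with one password known, the base and most of the structure are known too.

```python
# TLD numbering as given in the post; "everything else" maps to 5.
TLD_CODES = {"com": "1", "org": "2", "edu": "3", "us": "4"}
DEFAULT_CODE = "5"


def site_password(base, hostname):
    """Derive a per-site password from a base password and the site's hostname."""
    labels = hostname.lower().split(".")
    if len(labels) < 2:
        raise ValueError("need a registrable name such as example.org")
    name, tld = labels[-2], labels[-1]
    if len(name) < 4:
        raise ValueError("the scheme needs at least four letters in the site name")
    second, fourth = name[1].upper(), name[3].upper()
    # Step 1: insert the site's 2nd and 4th letters (positions chosen for this example).
    pw = base[:2] + fourth + base[2:5] + second + base[5:]
    # Step 2: insert the TLD code after the 3rd character and before the last.
    code = TLD_CODES.get(tld, DEFAULT_CODE)
    return pw[:3] + code + pw[3:-1] + code + pw[-1]


def differing_positions(a, b):
    """Number of positions at which two derived passwords differ."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


if __name__ == "__main__":
    p1 = site_password("bur_rito", "slashdot.org")
    p2 = site_password("bur_rito", "winehq.org")
    print(p1, p2, differing_positions(p1, p2))  # buS2r_rLit2o buE2r_rIit2o 2
```

For two `.org` sites the derived passwords differ in two of twelve characters, which is why the later replies treat this as a convenience rather than a substitute for per-site random passwords.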

    3. Re:At least they found out about it... by h4rr4r · · Score: 1

      No they are not. Come up with better passwords. Use phrases instead of total randomness. "This Is The Worst Password any 1 has ever |-|ad", is one such password that is easy to remember and very secure.

    4. Re:At least they found out about it... by Baloroth · · Score: 2

      And remembering which one you used on every single site you use regularly? Sure, for email and the like, but there are at least a dozen (probably more) sites I visit semi-regularly. Remembering such passwords for each site is quite a trick. You can vary the password based on the site name (as others have suggested) or some such scheme, but it gets tricky if you use even a fair number of internet sites.

      I only remember the passwords for 3-4 sites I visit (which I might want to access from random computers), and use random ones stored in Lastpass for the rest. Works for me.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    5. Re:At least they found out about it... by c++0xFF · · Score: 1, Insightful

      Good, unique passwords are fine until you have more than a handful of accounts. Even using a base password with something unique per site will only get you so far.

      Password managers are the next step, but they have to be available wherever you happen to be. That either means a smartphone (but typing in the password from my phone defeats the purpose and is a pain with truly strong passwords, a lost/stolen phone becomes a nightmare, and I don't have a smartphone anyway) or a website I can log into and copy/paste from (which then puts all my eggs in one basket, and brings up a whole mess of other issues, especially with public terminals), or a USB drive (which hopefully isn't locked out on the system you need to use, and has the potential for spreading viruses to every computer it touches).

      Oh, and then there's password resets ... which effectively turn your password into your mother's maiden name. Stored in the clear, of course.

      I agree. Passwords are a mess. The problem is, I have no clue how to replace them. Do you?

      And remember, the biggest problem isn't the major sites you visit every day ... it's the 100 small sites you visit less often (such as Wine HQ). Having a SecurID token for each site won't work, for example.

    6. Re:At least they found out about it... by Carnildo · · Score: 1

      My password database just passed the 300-entry mark. How on Earth am I supposed to remember that many unique passphrases, especially for sites I might not visit for years at a time?

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    7. Re:At least they found out about it... by c++0xFF · · Score: 1

      In addition to the other replies, I'll add that some (most?) sites implement passwords poorly. The worst offender is a length limit, which I've seen capped at 20 or less. I still have to use some old Unix systems that won't recognize anything beyond 8 (and "This Is " isn't exactly a good password).

      Until sites do things right, passphrases won't work.

    8. Re:At least they found out about it... by J_Darnley · · Score: 1

      It's also annoying that every site has its own restrictions on non-alphanumerics and password lengths.

      This has got to be the worst thing about using a password manager, the fact that you have to remember which sites have what restrictions.

    9. Re:At least they found out about it... by Terrasque · · Score: 1

      We really need a better system than ID + password.

      I've changed to Google's account for as many sites as I can (Google supports OpenID), and I use two-factor auth for my Google account.

      Some things I like with openid:
      1. you don't need to have any special agreement or API key to services to add support for it to your site.
      2. If you don't trust provider A, then use provider B instead, or set up your own OpenID server.
      3. Since it's only one place you need to log in to (and log out of), you can afford to have extra security there, which would otherwise be too annoying or expensive (SMS notification of login, SSL client certs, two-factor auth and so on).

      --
      It's The Golden Rule: "He who has the gold makes the rules."
  6. Good thing I drink beer instead by dkleinsc · · Score: 1

    But really, the important lesson from this is that you shouldn't share passwords between different sites. Use a variety of auth managers and a lot of the risk goes away.

    --
    I am officially gone from /. Long live http://www.soylentnews.com/
  7. Dropbox+KeePassX by Maquis196 · · Score: 3, Interesting

    If you accept that the internet will spit out your details at some point, do this:

    1. Sign up to Dropbox (it's free and works on all platforms, including mobiles).
    2. Get a copy of KeePassX; the Mac/Windows version might have a different name, I've never used them.
    3. Store the KeePassX database on Dropbox so you've always got access to it.
    4. Each website gets its own generated password; short passwords for things you might need to type in on a phone, but still random.

    This way, 1 bad event like this keeps you safe. I have both on my Android as well so it's with me always. /Maq

    1. Re:Dropbox+KeePassX by Bios_Hakr · · Score: 1

      I have been using LastPass for a while now. And the more I use it, the more skittish I get.

      It's not that I'm really worried about losing access to the 500 or so sites in my database. Most of those I could reset via email.

      And my email password has to be rememberable because of my android phone and such.

      I just feel really skittish about relying on something that, in-effect, is an absolute book of knowledge about me. I used to keep that book inside my head. Now, it's out there. And it keeps me up some nights...

      --
      I'd rather you do it wrong, than for me to have to do it at all.
    2. Re:Dropbox+KeePassX by unchiujar · · Score: 1

      You sir are my hero.

      --
      Shakespeare poems - infinite monkeys with infinite time. Computer tech support - a few trained ones working from 9 to 5.
    3. Re:Dropbox+KeePassX by unchiujar · · Score: 2

      From the KeePassX site:
      Encryption- either the Advanced Encryption Standard (AES) or the Twofish algorithm are used - encryption of the database in 256 bit sized increments

      --
      Shakespeare poems - infinite monkeys with infinite time. Computer tech support - a few trained ones working from 9 to 5.
    4. Re:Dropbox+KeePassX by lakeland · · Score: 1

      I use 1password with this setup.

      It works really well though it was a bit expensive to set up - I had to buy 1password for mac, windows and phone, so I think it cost about $60.

      Still, it got me onto dropbox which I now use for quite a few things :)

    5. Re:Dropbox+KeePassX by lakeland · · Score: 1

      I don't know if LastPass is the same but I use 1Password and the data in that is encrypted with a password which is not stored in the database. By the sounds of the product name I'm guessing yours is similar.

      So even if someone does manage to get your password file they'd still have to crack your master password which I'd hope is exceedingly secure.
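The per-site generated passwords that the Dropbox+KeePassX post recommends, and the per-site length caps and symbol bans that J_Darnley's reply complains about, in one added example. This is not code from the thread, from KeePassX or from any password manager; the site names and their rules are constructed to mirror the limits mentioned above (a 20-character cap, an old Unix box that only honours 8 characters, sites that allow only certain symbols).

```python
"""Generate a distinct random password per site, honouring per-site rules.

Added example, not code from the thread or from KeePassX/Dropbox. The
site names and their restrictions are constructed for illustration.
"""
import math
import secrets
import string

# Constructed per-site policy: maximum length (None = uncapped) and the
# symbols the site accepts; letters and digits are always allowed.
SITE_RULES = {
    "appdb.example": {"max_len": 20,   "symbols": "!@#$%^&*"},
    "legacy-unix":   {"max_len": 8,    "symbols": ""},        # alphanumeric only
    "bank.example":  {"max_len": None, "symbols": "-_.!?"},
}
DEFAULT_RULE = {"max_len": None, "symbols": string.punctuation}
DEFAULT_LEN = 32


def alphabet_for(rule):
    return string.ascii_letters + string.digits + rule["symbols"]


def _length_for(rule, desired_len):
    cap = rule["max_len"]
    return desired_len if cap is None else min(desired_len, cap)


def _classes(rule):
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if rule["symbols"]:
        classes.append(rule["symbols"])
    return classes


def satisfies(pw, rule):
    """Within the cap, every character allowed, and each permitted class
    (lower, upper, digit, symbol if any) present at least once."""
    allowed = set(alphabet_for(rule))
    if rule["max_len"] is not None and len(pw) > rule["max_len"]:
        return False
    if not pw or any(c not in allowed for c in pw):
        return False
    return all(any(c in cls for c in pw) for cls in _classes(rule))


def generate_password(site, desired_len=DEFAULT_LEN, rules=SITE_RULES):
    """Uniform draw from the site's alphabet using the OS CSPRNG (secrets,
    never random), re-drawn until every class is represented so a
    "must contain a digit" rule cannot reject it."""
    rule = rules.get(site, DEFAULT_RULE)
    alphabet = alphabet_for(rule)
    length = _length_for(rule, desired_len)
    if length < len(_classes(rule)):
        raise ValueError(f"{site}: cap of {length} cannot hold all required classes")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if satisfies(pw, rule):
            return pw


def entropy_bits(site, desired_len=DEFAULT_LEN, rules=SITE_RULES):
    """Guessing-entropy upper bound: length * log2(alphabet size). The
    class-coverage re-draw shaves off a fraction of a bit, no more."""
    rule = rules.get(site, DEFAULT_RULE)
    return _length_for(rule, desired_len) * math.log2(len(alphabet_for(rule)))


if __name__ == "__main__":
    for site in SITE_RULES:
        print(f"{site:14} {generate_password(site):32}  ~{entropy_bits(site):.0f} bits")
```

The entropy figure is the point: the 8-character alphanumeric site gets under 48 bits no matter how random the generator is, which is exactly the "sites implement passwords poorly" problem, and the only mitigation is not reusing that weak password anywhere else.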

  8. Reminder to Manage Your Passwords by Onymous+Coward · · Score: 1, Informative

    Use a password manager like LastPass or KeePass, or, as I do, keep an encrypted file of your sites+logins+passwords.

    You really need to manage your passwords. Reusing the same pass in multiple places is just a problem waiting to happen.

  9. Re:PHP software apparently at fault YET AGAIN. by GioMac · · Score: 1

    YET AGAIN?
    And when was it problematic before?
    Come on... I'm pretty sure PHP itself is not the problem. The problem is how you secure your system so it can't access all the information. You can just store passwords on the system, which will never give you a complete list of the hashes of all accounts at once (a dumb but simple solution that works) and will send an alert to the admin.
    A grenade in the hands of a monkey is dangerous and may kill you, but not in the hands of Rambo.

    If you write code in a bad way, it can't be the fault of the language you use.

    Python and Perl themselves work on the web server another way. You just can't isolate and limit them as is possible with PHP.
    "PHP is designed specifically to be a more secure language for writing CGI programs than Perl or C, and with _correct selection_ of _compile-time_ and _runtime configuration options_, and _proper coding practices_, it can give you exactly the combination of freedom and security you need."
    http://php.net/manual/en/security.php

    You just can't simply isolate Python or Perl program from the paths it's serving with anything. Only possible solution is LSM like Apparmor or SELinux.

    --
    "It feels like I'm at the Zoo when reading this thread - I'm frightened, but it's interesting" (c)
  10. Re:Automatic Resets? by bell.colin · · Score: 2

    "but with enough effort and depending on the quality of your old password, it could be cracked."

    So just wait for the torrent to come out and check the list then.
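What "check the list" amounts to once a dump is public, and why the announcement's "depending on the quality of your old password" is the operative phrase. This is an added example, not code from the thread or from WineHQ, and the "dump" is constructed inside the script from a made-up user table rather than taken from any real leak. It assumes the leaked table stored unsalted MD5, a common scheme in PHP applications of the period (the announcement only says "encrypted" and does not name the algorithm), and contrasts it with the same accounts stored under a per-user salt and PBKDF2-HMAC-SHA256.

```python
"""Check a leaked hash dump against a wordlist, unsalted vs. salted+slow.

Added example. The user table and wordlist are constructed; nothing here
comes from the WineHQ announcement or from a real dump.
"""
import hashlib
import os

# Constructed accounts behind the dump. The cracking code below never
# reads this table; it only sees the hashes derived from it.
_CHOSEN = {
    "alice": "password",
    "bob":   "letmein",
    "carol": "abc123",
    "dave":  "correct horse battery staple",   # not in any short wordlist
}

# Tiny constructed wordlist; real attacks use millions of words plus rules.
WORDLIST = ["123456", "password", "qwerty", "letmein", "abc123", "wine"]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# The dump as a leaked table might look: one "user:md5hex" line each, no salt.
LEAKED_MD5 = "\n".join(f"{u}:{md5_hex(p)}" for u, p in _CHOSEN.items())


def parse_dump(text):
    recs = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" in line:
            user, h = line.split(":", 1)
            recs[user] = h.lower()
    return recs


def crack_md5(dump_text, wordlist):
    """Unsalted: hash each word ONCE and look it up against every account.
    Returns (user -> recovered password, number of hash computations)."""
    by_hash = {}
    for user, h in parse_dump(dump_text).items():
        by_hash.setdefault(h, []).append(user)
    found, work = {}, 0
    for word in wordlist:
        work += 1
        for user in by_hash.get(md5_hex(word), []):
            found[user] = word
    return found, work


def check_my_password(password, dump_text):
    """What 'check the list' means for one user: is the hash of MY
    password anywhere in the dump? Returns the matching usernames."""
    h = md5_hex(password)
    return sorted(u for u, uh in parse_dump(dump_text).items() if uh == h)


# ---- The same accounts if the site had used a per-user salt and a slow KDF ----
ITER = 20_000   # deliberately low for the example; production values are higher


def pbkdf2_hex(password, salt, iters=ITER):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters).hex()


def build_salted_dump(chosen=_CHOSEN):
    """user -> (salt, hash); the salt leaks with the dump, that is expected."""
    return {u: (salt, pbkdf2_hex(p, salt))
            for u, p in chosen.items() for salt in [os.urandom(16)]}


def crack_salted(recs, wordlist):
    """Salted: no lookup table works across users, so every (user, word)
    pair costs a full KDF run. Work is counted in KDF iterations."""
    found, work = {}, 0
    for user, (salt, h) in recs.items():
        for word in wordlist:
            work += ITER
            if pbkdf2_hex(word, salt) == h:
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    f, w = crack_md5(LEAKED_MD5, WORDLIST)
    print("unsalted md5:", f, "hashes computed:", w)
    sf, sw = crack_salted(build_salted_dump(), WORDLIST)
    print("salted pbkdf2:", sf, "iterations:", sw)
```

Both schemes give up the three dictionary passwords; the difference is cost. Against unsalted MD5 the whole dump is attacked with one hash per word, so a weak password falls regardless of how many other users there are, while the salted slow hash multiplies the bill by users times iterations. Dave's passphrase survives either way, which is the "quality of your old password" part of the announcement.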

  11. ... is not an emulator by gmuslera · · Score: 2

    but having security problems adds another layer of compatibility with windows.

  12. Re:PHP software apparently at fault YET AGAIN. by Carnildo · · Score: 2

    It's not PHP that's the problem here, it's the specific software package phpMyAdmin. It's software that should never be deployed on an Internet-facing computer because of its security problems: about a third of the malicious traffic on my webserver is people probing for phpMyAdmin installations.

    --
    "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
  13. Re:Automatic Resets? by scrib · · Score: 1

    So, you don't remember what your password was on the site?
    Check your browser saved passwords!

    --
    Help! Help! I'm being repressed!
  14. First kernel.org and now this? by diego.viola · · Score: 1

    WTF is going on?

  15. should have used apache by Gravis+Zero · · Score: 2, Informative

    those showoffs were running IIS on WINE.

    --
    Anons need not reply. Questions end with a question mark.
  16. Good thing by crossmr · · Score: 1

    They recently deleted my account. After not having used it for a few years, I started getting several messages about old comments and reports I'd made being deleted, then I got a message saying my account would be deleted as well.

    They kind of lost a lot of credibility with me when they insisted I make good on my pledge to buy a copy of the program when some random person claimed to have gotten my requested app to run. Except you couldn't open, work with, or save any files, and no one verified the report. But hey, give us your money now!

    1. Re:Good thing by shutdown+-p+now · · Score: 1

      They kind of lost a lot of credibility with me when they insisted I make good on my pledge to buy a copy of the program

      You can't buy Wine, it's community-supported FOSS. Are you confusing them with CodeWeavers (CrossOver etc), by chance?

    2. Re:Good thing by fgouget · · Score: 1

      This does not make sense. appdb.winehq.org has no pledge system and no program to sell.

    3. Re:Good thing by crossmr · · Score: 1

      Right, I was thinking of Crossover. It's been a few years.
      My account from the appdb was deleted, though.

  17. Wait a frigging second, what's going on here? by WWWWolf · · Score: 1

    They recently deleted my account. After not having used it for a few years, I started getting several messages about old comments and reports I'd made being deleted, then I got a message saying my account would be deleted as well.

    They deleted my account as well - didn't mess with the pledge stuff and no malice on my part, just the fact that I got game consoles and Linux gaming didn't really keep me on grip. =)

    But the weird thing is this: they just now sent me a new password. Did you get this notice as well? I tried to log in with the new password, and it said the account didn't exist. I re-registered, boom, there I was again, so it was not like it was somehow closed for all the eternity.

    Did they keep my email and hashed password on file after they deleted my account? If so, why the hell did that happen? If they wanted consistency, couldn't they just change the email to "former_user_NNNN@dev.null.invalid" and blank the password? I don't think they really have a good grip on security over there...

    1. Re:Wait a frigging second, what's going on here? by crossmr · · Score: 1

      I got no such e-mail from them.

  18. Re:PHP software apparently at fault YET AGAIN. by duguk · · Score: 1

    It's not PHP that's the problem here, it's the specific software package phpMyAdmin. It's software that should never be deployed on an Internet-facing computer because of its security problems: about a third of the malicious traffic on my webserver is people probing for phpMyAdmin installations.

    This. phpMyAdmin has security problems. However, this was likely an authentication breach.

    It doesn't matter what software they use; the fact that they have complete database management online makes it a lot easier for user details to be taken.

  19. Re:PHP software apparently at fault YET AGAIN. by kassah · · Score: 1

    I remember the days when Perl was considered the language that attracted the crappy coders. Oh, the security wonders I went through back with those CGI form mailers. I don't use Linux on my desktop because it attracts fewer idiots, I use Linux on my desktop because I like how it works. I use PHP in most websites because it's cheap to host, C or Python in desktop applications (C because I can code it extremely light on memory, Python because it has excellent support for GUI libraries), and Java for certain enterprise pieces of my applications. Use a programming language because its strengths fit your project and team, not because there are idiots who code with it. I hope you filter out the idiots long before you program it, or no matter the language, you'll have issues.

  20. LastPass and Yubikey, and client security by Cato · · Score: 1

    LastPass (cloud service with browser plugins) supports Yubikey, a low-cost token for two-factor authentication - so someone would have to both install a keylogger on my system and physically steal the Yubikey token to get the LastPass passwords. http://www.yubico.com/

    This makes it actually more secure to always use LastPass even if you remember the site password, because the LastPass login is Yubikey protected while the site password isn't (and the way LastPass sends the password to the site doesn't involve the keyboard.)

    As with KeePass or 1Password, which are non-cloud services that would be used with Dropbox etc, you must still be very careful with security of the client system - non-keylogger trojans that attack the LastPass plugin or the KeePass/1Password client software could still steal passwords while the password database is open.

    Everyone on Windows should be running the free Secunia PSI, which scans all third-party and Microsoft apps every week for vulnerabilities, providing a link to easily update them, and even auto-updates some of the most common ones. If everyone did this, drive-by download attacks would be virtually a thing of the past.

    Sadly, Mac and Linux don't have this for any apps not handled by the standard MacOS updater or the Linux distro's package repository, but at least with Linux you can limit your use of non-repository apps to those with excellent auto-updating (Firefox, and Chrome as long as your distro doesn't go out of date making Chrome refuse to update!)

  21. Re:Linsux hacked again.. by V!NCENT · · Score: 1

    They hacked a database, not Linux :)

    If you troll, then at least get your facts straight. This is just lame.

    --
    Here be signatures
  22. Re:Linsux hacked again.. by V!NCENT · · Score: 1

    I feel for this troll... He can't even tell the difference between an OS kernel and a database application...

    --
    Here be signatures
  23. Re:Linsux hacked again.. by V!NCENT · · Score: 1

    Touché (sort of)...

    --
    Here be signatures
  24. Re:wine security = wine code by Jorl17 · · Score: 1

    Two words: Not True.

    --
    Have you heard about SoylentNews?
  25. Bug databases should not require passwords by phtpht · · Score: 1

    This is one of the downsides of forcing everyone to _register_ just to report a bug. (The other downside is the tremendous pain in the user's butt.) If they only used a simple solution like Request Tracker or so.