Mozilla Dumps Info of 76,000 Developers To Public Web Server
wiredmikey writes Mozilla warned on Friday that it had mistakenly exposed information on almost 80,000 members of its Mozilla Developer Network (MDN) as a result of a botched data sanitization process. The discovery was made around June 22 by one of Mozilla's Web developers, Stormy Peters, Director of Developer Relations at Mozilla, said in a security advisory posted to the Mozilla Security Blog on Friday. "Starting on about June 23, for a period of 30 days, a data sanitization process of the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server," Peters wrote. According to Peters, the encrypted passwords were salted hashes and they by themselves cannot currently be used to authenticate with the MDN. However, Peters warned that MDN users may be at risk if they reused their original MDN passwords on other non-Mozilla websites or authentication systems.
"Committed to you, your privacy and an open Web"
Data is easy to keep but it's also easy to leak. And given the consequences of leaks, companies need to start asking themselves whether it is worth storing all this data in the first place.
How many times did Mozilla ever actually use all this personal data internally? How many times, on average, was the data for each of the 76,000 developers used? How many records were never accessed at all?
If you don't need all this data, then just don't store it. It's easy!
May the Maths Be with you!
This is the one thing we didn't want to happen
Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
At least they had enough sense to salt the hashes. It's gotta be annoying to have your email address floating around out there though.
Mistakes happen. You should look into the technical side of the healthcare industry...
Au Contraire! Per the summary, she found the problem on June 22nd - one day before it even started! That's amazing work! She should be commended for finding it so early. On the other hand, why she let it go on for 30 days when she found it before it started is anyone's guess. Maybe someone should learn to write a summary (one massively long run on there). Perhaps someone should fact check said summary too.
I find it rather laughable that mostly everyone in the comments has taken a "forgive and forget" attitude in regards to this post. I love Mozilla...as a developer who uses their mdn site actively, I applaud their active involvement in creating awareness of their mistake so people like me can take measures in protecting their accounts, however, if it was another company, most of these comments would be lambasting this breach of security and protocol on their part. That being said, I'm confident that Mozilla has taken every action they can to prevent this from happening in the future. And, I'm looking forward to looking up a reference section on mdn this week!
The name "Mozilla" used to be among the most respected names in computing. It represented integrity, honesty, innovation, and quality software.
Bugzilla was one of their first successes. It was widely used during the early 2000s, and some development teams still use it to this day. It's the kind of tool that helped make a lot of software development teams a lot more efficient, and it helped users do what they could to get a better experience out of the software they were using. People's lives were made better.
And then when Phoenix/Firebird/Firefox first came on the scene, it was revolutionary. Mozilla was graciously providing us with a high-quality open source web browser that was far more secure and usable than its competitors. This new browser offered a better browsing experience for pros and new users alike. A large number of people immediately found it to be useful, and it saw widespread adoption. People's lives were made better.
Then they released Thunderbird. Again, it was a great piece of software that many people rapidly found to be very useful. People's lives were made better.
But then something happened. I don't know exactly what it was, but around 2010 or so things really started to slide downhill for Mozilla. Maybe it was the rise of Google Chrome, which provided some serious competition for Firefox. Maybe it was how they reacted to this competition from Chrome, by throwing away everything that made Firefox good and usable in their rush to imitate Chrome to the very last detail. Maybe it was a change in culture, with more hipsters getting involved, and taking away influence from the sensible old guard who had founded Mozilla and achieved its early success. Maybe it was the rise of mobile computing.
Like I said, I don't know what it was. But since around 2010 we've seen nothing but total bullshit from Mozilla. All of the Firefox design changes have ruined it for a lot of users. The user experience is similar to or worse than Chrome's, but at least Chrome is a faster browser (don't waste our time with the bullshit benchmarks that Mozilla tries to use to ineffectually refute this fact). I read an article linked to from another submission here at /. about how Firefox's usage share is under 13% now, and it is even below Safari's! With Safari, Chrome and even IE giving a better experience than Firefox, it's no wonder why people are switching away!
Then Mozilla gave Thunderbird to the community to maintain, which essentially means they killed it as a product. Then they wasted a bunch of effort on that failed authentication system (sorry, I can't even remember the name of it). And then they wasted even more on that failed mobile OS that nobody really wants. Do they seriously think they're going to compete with iOS and Android by offering a half-assed mobile OS (sorry, I can't remember its name, either) that doesn't support real native apps of any kind? Come on, every HTML5 and JS "app" I've ever seen has been total shit. And if a usable HTML5/JS app ever was created, it would probably run just fine on Android and iOS! There's no need for another mobile OS that'll be less used than even BlackBerry OS and whatever Microsoft's mobile OS is these days.
Although I think that Mozilla has a mobile version of Firefox out now, I don't know anyone who actually uses it. I rarely hear about it, and when I do it's never positive. I do hear positive things about the mobile Opera, Chrome and Safari browsers, though. So as far as I can tell, this mobile version of Firefox is pretty much irrelevant.
And then there were all those shenanigans recently about their former CEO who donated money to some cause that some people got offended about and whined a lot about, causing him to step down, or something like that.
Now we have this whole data leak debacle, which is totally stupid and probably should never have even happened in the fi
Makes it sound like Stormy Peters is both the Director of Developer Relations and the developer who discovered the error.
Neither of the two links in TFS mentioned what kind of hash was being used. Does anyone happen to know? If it was the old-fashioned DES hash as commonly used in .htpasswd, it may well be plaintext. If it was crypt('$5$xxxxxxxxxxxx') SHA, it's only a concern for people who chose very bad passwords.
but meeting the bare minimum requirements doesn't earn somebody commendation from me.
How often do you hear news stories about leaks with encrypted passwords that are properly salted? :)
How often does anybody admit a possible leak, when there is no evidence anybody downloaded the database dump...?
Really, how often do you hear about things like this, if discovered internally?
I agree, it's the decent thing to do, but I don't think you can expect this level of detail, openness and honesty from commercial players.
I can't imagine any organization that wouldn't sweep this under the rug, after all it was discovered internally.
It makes me wonder why the hell they aren't doing any better.
Avoiding a leak would certainly have been preferred. But mistakes happen, processes fail.
DES is the encryption standard which is the basis of what for many years was the most common type of hash. For DES-based hashing, as used in .htpasswd files, the least significant bits of the first eight characters are used as a 56-bit key. This key (the user's password) is used to encrypt a block of null bytes, 25 times. crypt(3) accepts a two-character salt, but uses only the lowest six bits of each character, so it's a 12-bit salt and a 56-bit password (maximum).
crypt(3) can also support better hash algorithms by passing salt values such as $1$xxxxxxxx$ or $5$xxxxxxxxxxxx$
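The question in this thread is what kind of crypt(3) string the leaked "encrypted passwords" were. The following is an added example, not code from the original post and not Mozilla's code: it classifies a crypt(3)-style hash string by its prefix and layout (traditional DES, MD5-crypt `$1$`, SHA-crypt `$5$`/`$6$` with optional `rounds=`, and bcrypt `$2a$`/`$2b$`/`$2y$`) and reports the salt size, the iteration count and whether the scheme truncates the password, which is the information needed to judge how exposed a given dump is. The sample strings at the bottom are constructed for illustration (repeated letters of the right length) and are not hashes from the MDN leak; the `CryptInfo` name and the field names are this example's own.

```python
"""Identify a crypt(3)-style password hash and report what it tells an attacker.

Added example (not from the original post, not Mozilla's code). Layouts follow
the standard crypt(3) encodings; the sample strings below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# crypt(3)'s 64-character alphabet; each character carries 6 bits.
CRYPT64 = r"[./0-9A-Za-z]"

# Traditional DES: 2-char salt (12 bits) followed by an 11-char digest.
_DES = re.compile(rf"^({CRYPT64}{{2}})({CRYPT64}{{11}})$")
# MD5-crypt: $1$<salt, up to 8 chars>$<22-char digest>
_MD5 = re.compile(rf"^\$1\$({CRYPT64}{{1,8}})\$({CRYPT64}{{22}})$")
# SHA-crypt: $5$ (SHA-256, 43-char digest) or $6$ (SHA-512, 86-char digest),
# optional rounds=N$, salt up to 16 chars.
_SHA = re.compile(rf"^\$(5|6)\$(?:rounds=(\d+)\$)?({CRYPT64}{{1,16}})\$({CRYPT64}{{43,86}})$")
# bcrypt: $2a$/$2b$/$2y$ + 2-digit cost + 22-char salt + 31-char digest.
_BCRYPT = re.compile(r"^\$2[aby]\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


@dataclass
class CryptInfo:
    scheme: str
    salt: str
    salt_bits: int
    rounds: int                      # iterations of the underlying primitive
    max_password_chars: Optional[int]  # None means the password is not truncated


def identify_crypt(h: str) -> Optional[CryptInfo]:
    """Return CryptInfo for a recognised crypt(3) string, or None if unknown."""
    m = _DES.match(h)
    if m:
        # DES-crypt: 12-bit salt, 25 DES iterations, only 8 password chars used.
        return CryptInfo("des-crypt", m.group(1), 12, 25, 8)
    m = _MD5.match(h)
    if m:
        salt = m.group(1)
        return CryptInfo("md5-crypt", salt, 6 * len(salt), 1000, None)
    m = _SHA.match(h)
    if m:
        kind, rounds, salt, digest = m.groups()
        if len(digest) != (43 if kind == "5" else 86):
            return None  # digest length does not match the declared variant
        scheme = "sha256-crypt" if kind == "5" else "sha512-crypt"
        return CryptInfo(scheme, salt, 6 * len(salt), int(rounds) if rounds else 5000, None)
    m = _BCRYPT.match(h)
    if m:
        cost = int(m.group(1))
        # bcrypt: 128-bit salt, 2**cost iterations, input truncated at 72 bytes.
        return CryptInfo("bcrypt", m.group(2), 128, 2 ** cost, 72)
    return None


# Constructed sample strings of the right shape (not real hashes).
SAMPLES = {
    "des":    "abJnggxhB/yWI",
    "md5":    "$1$saltsalt$" + "A" * 22,
    "sha256": "$5$saltsalt$" + "A" * 43,
    "sha512": "$6$rounds=10000$saltsalt$" + "A" * 86,
    "bcrypt": "$2b$12$" + "B" * 22 + "C" * 31,
}

if __name__ == "__main__":
    for name, h in SAMPLES.items():
        print(name, identify_crypt(h))
```

A 13-character string with no `$` prefix is the DES case discussed above: 12-bit salt, 8 significant password characters, and a fixed 25 DES iterations, which is why a dump of such hashes is close to plaintext on modern hardware. The `$5$`/`$6$` and bcrypt cases carry a far larger salt and a tunable cost, which is what makes them "only a concern for people who chose very bad passwords".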
Probably backlash from the 80% disapproval rate for that shitty new interface they dreamed up. I'm using Palemoon now.
Only the State obtains its revenue by coercion. - Murray Rothbard
Obviously at Mozilla, the effort to be 100% Politically Correct means security takes a back-seat in terms of effort.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
We shouldn't. They fucked up. We should call them out for fucking up.
What the GP said was not "we should commend them", but "in their defense".
It's a valid defense: they fucked up, they noticed, they cleaned up what they could, and they admitted their mistake and advised people appropriately. That doesn't make their mistake go away, but it changes it from Badness Level 50 (eBay) to Badness Level 30 (Target).
"Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco
So, is your face alright??
...that would think it was okay to screw over users with a new UI and not continue to provide security and stability updates for a few years to those who didn't want a new broken UI (something few successful commercial enterprise companies have managed to do). Or, thought it was okay to, a few days ago, push an update which either broke the UI further or broke a popular add-on that many of us were using to work around their earlier mistake.
If you can't get UIs right or understand that UI stability is important, there's no hope that you can get security or hard problems right.
Finally, after using Firefox since shortly after it was first released, I'm evaluating Chrome, Safari, and (ugh, but MS does understand users) IE. As much as it pains me, IE is looking better and better because I don't really want to spend time worrying about drive-by updates that break my world any more than I look forward to spending my time worrying about drive-by updates to my porch light or microwave oven intended to give me "better" (NOT) functionality. Sad, but my job isn't to work around broken UIs in utilities and spend hours figuring out how to restore behavior similar to prior behavior in order to get security updates to previous sloppy code at unexpected moments. This reminds me of the mid/late 90's when you couldn't trust Microsoft updates not to break your system.
It's unwise to trust amateurs with any of your information. Therefore, none of this is newsworthy. Just abandon Mozilla and don't waste your time contributing (obviously, though, spend a few minutes closing your accounts @ Mozilla). I'm sad to have been driven to this conclusion as I like Open Source and Free (not as in Beer) Software, but also it's not worth my time to try each harebrained alpha product and search for workarounds in hopes of getting security updates. Sometimes it just makes more sense to go with professionals.
Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading
Back in the day you'd count yourself lucky to be dumped onto a server to play a series of deadly games on an electric matrix in the hopes of finally having a face off with the Overseer of Games, who looks just like your dick-head suspender wearing boss who is always asking you to "ummmm yeah, come in on Saturday mmmm'kay?" like a question, as if you could actually say no, in heated one on one combat, only to ultimately prevail when you send a blazing disk straight through his face and watch in rapt glee as he disintegrates before your eyes.
Stop opening up private data online
We do not need to see this
If you are trying to compete with the Australian DHS you have lost
But open source. Derp.
Maybe I'm missing something here, but if the data is a salted hash, they cannot recover it in any reasonable time, especially if they don't know the hashing algorithm used. Even if they do know the hashing scheme it is likely that any password that isn't a dictionary word won't be recovered in this decade, so why would it matter if they used the same password on another website?
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
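The comment above asks why a leaked salted hash matters for a password reused elsewhere. The following is an added example, not from the original comment and not Mozilla's code, and it assumes a scheme the page does not specify: a per-user 16-byte random salt and SHA-256 over salt||password (an assumption chosen for brevity; MDN's real scheme is not stated in the thread). It runs a small dictionary attack with a few common manglings over constructed user records and counts hash evaluations, showing that the salt stops an attacker from amortising one dictionary pass across all users, but does nothing for any individual user whose password is in the dictionary.

```python
"""Dictionary attack against per-user salted hashes vs. unsalted hashes.

Added example (not from the original comment, not Mozilla's code). The hash
scheme (SHA-256 over salt||password) is an assumption for illustration; the
user records and word list are constructed.
"""
import hashlib
import secrets
from typing import Dict, Iterator, List, Optional, Tuple


def hash_password(salt: bytes, password: str) -> str:
    """Assumed scheme: SHA-256(salt || password), hex-encoded."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_record(user: str, password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Build a stored record; a fresh 16-byte salt unless one is given (b"" = unsalted)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    return {"user": user, "salt": salt.hex(), "hash": hash_password(salt, password)}


def candidates(wordlist: List[str]) -> Iterator[str]:
    """Each dictionary word plus a few of the manglings real crackers try first."""
    for word in wordlist:
        yield word
        yield word.capitalize()
        yield word + "1"
        yield word + "123"


def crack_salted(records: List[Dict[str, str]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Per-user salt: every candidate must be re-hashed for every user."""
    recovered: Dict[str, str] = {}
    work = 0
    for rec in records:
        salt = bytes.fromhex(rec["salt"])
        for cand in candidates(wordlist):
            work += 1
            if hash_password(salt, cand) == rec["hash"]:
                recovered[rec["user"]] = cand
                break
    return recovered, work


def crack_unsalted(records: List[Dict[str, str]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """No salt: hash each candidate once, then look every user up in the table."""
    table: Dict[str, str] = {}
    work = 0
    for cand in candidates(wordlist):
        work += 1
        table[hash_password(b"", cand)] = cand
    recovered = {r["user"]: table[r["hash"]] for r in records if r["hash"] in table}
    return recovered, work


# Constructed data: two weak passwords, one random one (not in any dictionary).
WORDLIST = ["password", "letmein", "dragon", "monkey", "firefox"]
PASSWORDS = {"alice": "letmein", "bob": "firefox123", "carol": "x7#Qp9!vLm2@Rt4z"}
SALTED_RECORDS = [make_record(u, p) for u, p in PASSWORDS.items()]
UNSALTED_RECORDS = [make_record(u, p, salt=b"") for u, p in PASSWORDS.items()]

if __name__ == "__main__":
    print("salted  :", crack_salted(SALTED_RECORDS, WORDLIST))
    print("unsalted:", crack_unsalted(UNSALTED_RECORDS, WORDLIST))
```

In both runs alice and bob are recovered and carol is not; the salt only changes the cost, from one hash per candidate (20 here) to one per candidate per user (45 here, and users × dictionary in general). A deliberately slow KDF such as PBKDF2 or bcrypt multiplies each of those evaluations by its iteration count, which is what actually buys time for users to change a reused password; a fast salted hash does not.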
I said:
> A DES-based hash would still be fine, just by allowing more bits.
I should clarify that DES itself specifies a key length of 56 bits. To get more bits, you do DES three times*, which is called Triple DES or 3DES. If you use three different 56-bit keys, that's effectively a 112 bit key due to meet-in-the-middle, and that's strong for another fifteen years.
* encrypt(key1,decrypt(key2,encrypt(key3,plaintext)))
Why do they feel the need to publish data requiring sanitation in the first place?
If the failure was a result of a code change, why was there no unit test to catch it?
And if there was no code change, why would you set up such a publish process to silently continue if such a critical step failed?