Slashdot Mirror
Mozilla Dumps Info of 76,000 Developers To Public Web Server
wiredmikey writes Mozilla warned on Friday that it had mistakenly exposed information on almost 80,000 members of its Mozilla Developer Network (MDN) as a result of a botched data sanitization process. The discovery was made around June 22 by one of Mozilla's Web developers, Stormy Peters, Director of Developer Relations at Mozilla, said in a security advisory posted to the Mozilla Security Blog on Friday. "Starting on about June 23, for a period of 30 days, a data sanitization process of the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server," Peters wrote. According to Peters, the encrypted passwords were salted hashes and they by themselves cannot currently be used to authenticate with the MDN. However, Peters warned that MDN users may be at risk if they reused their original MDN passwords on other non-Mozilla websites or authentication systems.
"Committed to you, your privacy and an open Web"
This is the one thing we didn't want to happen
Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
At least they had enough sense to salt the hashes. It's gotta be annoying to have your email address floating around out there though.
Au Contraire! Per the summary, she found the problem on June 22nd - one day before it even started! That's amazing work! She should be commended for finding it so early. On the other hand, why she let it go on for 30 days when she found it before it started is anyone's guess. Maybe someone should learn to write a summary (one massively long run on there). Perhaps someone should fact check said summary too.
All this personal data? It's your email address... that's it. Because your email is used to log you in.
They also leaked a hashed and salted password.
I keep hearing your argument, but I always ask myself... if you car that much, why did you surrender personal information in the first place??!? I've never been to any site other than facebook that actually required any personal information. Even then you can just put in bullshit.
Mozilla did everything right here... other than the breach itself of course. Mistakes happen, and with properly Hashed/Salted passwords and quick and full disclosure those mistakes don't have to be serious.
By personal data, they mean 76,000 email addressed and 4000 salted password hashes.
As for how many times it was accessed, RTFA
"We traced back as much as we could. Access logs, netflow data, etc.," the user wrote. "We found that the tar.gz containing the DB dump had been downloaded only a small number of times. Mostly by known contributors. But we can't rule out that someone with malicious intentions got access to it."
Or... you could throw your toys out of your cot and post a rant condemning Mozilla.
You're obviously not effected by this either or you would already know the answers to your questions because they emailed everyone effected about it already.
I find it rather laughable that mostly everyone in the comments has taken a "forgive and forget" attitude in regards to this post. I love Mozilla...as a developer who uses their mdn site actively, I applaud their active involvement in creating awareness of their mistake so people like me can take measures in protecting their accounts, however, if it was another company, most of these comments would be lambasting this breach of security and protocol on their part. That being said, I'm confident that Mozilla has taken every action they can to prevent this from happening in the future. And, I'm looking forward to looking up a reference section on mdn this week!
The name "Mozilla" used to be among the most respected names in computing. It represented integrity, honesty, innovation, and quality software.
Bugzilla was one of their first successes. It was widely used during the early 2000s, and some development teams still use it to this day. It's the kind of tool that helped make a lot of software development teams a lot more efficient, and it helped users do what they could to get a better experience out of the software they were using. People's lives were made better.
And then when Phoenix/Firebird/Firefox first came on the scene, it was revolutionary. Mozilla was graciously providing us with a high-quality open source web browser that was far more secure and usable than its competitors. This new browser offered a better browsing experience for pros and new users alike. A large number of people immediately found it to be useful, and it saw widespread adoption. People's lives were made better.
Then they released Thunderbird. Again, it was a great piece of software that many people rapidly found to be very useful. People's lives were made better.
But then something happened. I don't know exactly what it was, but around 2010 or so things really started to slide downhill for Mozilla. Maybe it was the rise of Google Chrome, which provided some serious competition for Firefox. Maybe it was how they reacted to this competition from Chrome, by throwing away everything that made Firefox good and usable in their rush to imitate Chrome to the very last detail. Maybe it was a change in culture, with more hipsters getting involved, and taking away influence from the sensible old guard who had founded Mozilla and achieved its early success. Maybe it was the rise of mobile computing.
Like I said, I don't know what it was. But since around 2010 we've seen nothing but total bullshit from Mozilla. All of the Firefox design changes have ruined it for a lot of users. The user experience is similar to or worse than Chrome's, but at least Chrome is a faster browser (don't waste our time with the bullshit benchmarks that Mozilla tries to use to ineffectually refute this fact). I read an article linked to from another submission here at /. about how Firefox's usage share is under 13% now, and it is even below Safari's! With Safari, Chrome and even IE giving a better experience than Firefox, it's no wonder why people are switching away!
Then Mozilla gave Thunderbird to the community to maintain, which essentially means they killed it as a product. Then they wasted a bunch of effort on that failed authentication system (sorry, I can't even remember the name of it). And then they wasted even more on that failed mobile OS that nobody really wants. Do they seriously think they're going to compete with iOS and Android by offering a half-assed mobile OS (sorry, I can't remember its name, either) that doesn't support real native apps of any kind? Come on, every HTML5 and JS "app" I've ever seen has been total shit. And if a usable HTML5/JS app ever was created, it would probably run just fine on Android and iOS! There's no need for another mobile OS that'll be less used than even BlackBerry OS and whatever Microsoft's mobile OS is these days.
Although I think that Mozilla has a mobile version of Firefox out now, I don't know anyone who actually uses it. I rarely hear about it, and when I do it's never positive. I do hear positive things about the mobile Opera, Chrome and Safari browsers, though. So as far as I can tell, this mobile version of Firefox is pretty much irrelevant.
And then there were all those shenanigans recently about their former CEO who donated money to some cause that some people got offended about and whined a lot about, causing him to step down, or something like that.
Now we have this whole data leak debacle, which is totally stupid and probably should never have even happened in the fi
Makes it sound like Stormy Peters is both the Director of Developer Relations and the developer who discovered the error.
Neither of the two links in TFS mentioned what kind of hash was being used. Does anyone happen to know? If it was the old fashioned DES hash as commonly used in .htpasswd, it may well be plaintext. If it was crypt('$5$xxxxxxxxxxxx' SHA, it's only a concern for people who chose very bad passwords.
but meeting the bare minimum requirements doesn't earn somebody commendation from me.
How often do hear news stories about leaks with encrypted passwords that are properly salted? :)
How often does anybody admit a possible leak, when there is no evidence anybody downloaded the database dump...?
Really, how often do you hear about things like this, if discovered internally?
I agree, it's the decent thing to do, but I don't think you can expect this level of detail, openness and honesty from commercial players.
I can't imagine any organization that wouldn't sweep this under the rug, after all it was discovered internally.
It makes me wonder why the hell they aren't doing any better.
Avoiding a leak would certainly have been preferred. But mistakes happens, processes fails.
DES is the encryption standard which is the basis of what for many years was the most common type of hash. .htpasswd files, the least significant bits of the first eight characters are used as a 56-bit key. This key (the users password) is used to encrypt a null bytes, 25 times. crypt(3) accepts a two-character salt, but uses only the lowest six bits of each character, so it's a 12 bit salt and a 56 bit password (maximum).
For DES-based hashing, as used in
crypt(3) can also support better hash algorthims by passing salt values such as $1$xxxxxxxx$ or $5$xxxxxxxxxxxx$
Probably backlash from the 80% disapproval rate for that shitty new interface they dreamed up. I'm using Palemoon now.
Only the State obtains its revenue by coercion. - Murray Rothbard
We shouldn't. They fucked up. We should call them out for fucking up.
What the GP said was not "we should commend them", but "in their defense".
It's a valid defense: they fucked up, they noticed, they cleaned up what they could, and they admitted their mistake and advised people appropriately. That doesn't make their mistake go away, but it changes it from Badness Level 50 (eBay) to Badness Level 30 (Target).
"Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco
So, is your face alright??
...that would think it was okay to screw over users with a new UI and not continue to provide security and stability updates for a few years to those who didn't want a new broken UI (something few successful commercial enterprise companies have managed to do). Or, thought it was okay to, a few days ago, push an update which either broke the UI further or broke a popular add-on that many of us were using to work around their earlier mistake.
If you can't get UIs right or understand that UI stability is important, there's no hope that you can get security or hard problems right.
Finally, after using Firefox since shortly after it was first released, I'm evaluating Chrome, Safari, and (ugh, but MS does understand users) IE. As much as it pains me, IE is looking better and better because I don't really want to spend time worrying about drive-by updates that break my world any more than I look forward to spending my time worrying about drive-by updates to my porch light or microwave oven intended to give me "better" (NOT) functionality. Sad, but my job isn't to work around broken UIs in utilities and spend hours figuring out how to restore behavior similar to prior behavior in order to get security updates to previous sloppy code at unexpected moments. This reminds me of the mid/late 90's when you couldn't trust Microsoft updates not to break your system.
It's unwise to trust amateurs with any of your information. Therefore, none of this is newsworthy. Just abandon Mozilla and don't waste your time contributing (obviously, though, spend a few minutes closing your accounts @ Mozilla). I'm sad to have been driven to this conclusion as I like Open Source and Free (not as in Beer) Software, but also it's not worth my time to try each harebrained alpha product and search for workarounds in hopes of getting security updates. Sometimes it just makes more sense to go with professionals.
Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading
Back in the day you'd count yourself lucky be be dumped onto a server to play a serious of deadly games on an electric matrix in the hopes of finally having a face off with the Overseer of Games, who looks just like your dick-head suspender wearing boss who always asking you to "ummmm yeah, come in on Saturday mmmm'kay?" like a question, as if you could actually say no, in heated one on one combat, only to ultimately prevail when you send a blazing disk straight through his face and watch in rapt glee as he disintegrates before your eyes.
Maybe I'm missing something here, but if the data is a salted hash, they cannot recover it in any reasonable time, especially if they don't know the hashing algorithm used. Even if they do know the hashing scheme it is likely that any password that isn't a dictionary word won't be recovered in this decade, so why would it matter if they used the same password on another website?
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
I said:
> A DES-based hash would still be fine, just by allowing more bits.
I should clarify that DES itself specifies a key length of 56 bits. To get more bits, you do DES three times*, which is called Triple DES or 3DES. If you use three different 56-bit keys, that's effectively a 112 bit key due to meet-in-the-middle, and that's strong for an another fifteen years.
* encrypt(key1,decrypt(key2,encrypt(key3,plaintext)))
why they feel the need to public data requiring sanitation in the first place?
If the failure a result of a code change, why was there no unit test to catch it?
And if there was no code change, why would you set up such a publish process to silently continue if such a critical step failed?
when gender issues are poaching away resources from real work.
Your gender issues seem to be poaching away resources from real thinking. How is it related to web browsers what other people may or may not do with their nether appendages?
Btw I'm queer and I'm sad about how some marriage advocates made Brendan Eich quit. But I'm confident there's still "real work" going on at Mozilla.
Are you familiar with the debacle where the Gnome Foundation went broke because they blew all the money on their Outreach Program for Women?
Here's coverage if you're unfamiliar, although if you're a queer slashdot reader you probably aren't:
http://www.phoronix.com/scan.p...
The Eich issue showed the world that Mozilla is chock full of the same sentiment. And Mozilla's lost so much market share that they're only a bit player now. When push comes to shove, their "Real Work" is not cutting the mustard.
I've worked on technology projects with people who didn't agree with my views on the issues, and done volunteer work on community projects with people who didn't agree with my views, but everything worked because the projects were focused enough that they became something we could both agree on.
The reason gender issues are screwing up technology projects is because technology projects are extending their mission statements in political directions and it's removing the focus that made it possible for people who disagree on political issues to work together.
Expressed simply, if you stand for one thing, you get half the people agreeing with what you stand for and half of them not agreeing, and 50% of the people give you their support.
If you stand for two things, half the people who were supporting you will no longer feel comfortable supporting you, and they will leave. You shrink your support from 50% to 25%.
It's not that we disagree. It's that I can't actively support organizations that vocally espouse things that I think are nihilistic and therefore immoral, and logic dictates that if I was the only one, there would be no controversy, so therefore, I'm not the only one.
The ability to agree to disagree has been removed, and it's not going to do anything but harm.
-1 Uncomfortable Truth