Slashdot Mirror


Timeline Of Events: Linux Mint Website Hack That Distributed Malicious ISOs (softpedia.com)

An anonymous reader writes: The Linux Mint website was hacked last night and was pointing to malicious ISOs that contained an IRC bot known as TSUNAMI, used as part of an IRC DDoSing botnet. While the Linux Mint team says they were hacked via their WordPress site, security experts have discovered that their phpBB forum database was put up for sale on the Dark Web at around the same time of the hack. Also, it seems that after the Linux Mint team cleaned their website, the hackers reinfected it, which caused the developers to take it down altogether.

103 of 188 comments

  1. WordPress ??? by Billly+Gates · · Score: 1

    The worst of the worst unless anyone can figure out that spaghetti called Drupal.

    It is the IE 6 of CMS and people keep using it.

    I swear we all should just give up and write our own cms.

    1. Re:WordPress ??? by MightyMartian · · Score: 3, Funny

      Which is how we got Joomla, which is the IE 7 of CMSs.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re: WordPress ??? by Billly+Gates · · Score: 3, Funny

      Only as bad as IE 7? Oh OK then

    3. Re:WordPress ??? by Anonymous Coward · · Score: 5, Interesting

      Ah, Drupal. Drupal is amazing, in that it's clear the developers looked at PHP, said "this is a horrible insecure language" and then decided "let's create a giant platform on top of it to try and fix up the flaws" rather than "let's look for a language that isn't terrible."

      So now Drupal is its own language and library onto itself, and PHP has evolved to fix many of the problems Drupal attempts to solve but Drupal is stuck with their own implementations.

      The amount of code Drupal has to load to render a single webpage is hilarious and somewhat worrying. It's enough that Drupal has to have its own code caching system on top of Zend or whatever you use to try and get performance to reasonable levels.

      Which is probably the only reason you hear about WordPress getting hacked more than Drupal. Drupal has an impressive list of CVEs, but most people who try and use Drupal end up saying "fuck this" and using WordPress instead, because it's possible to get WordPress running without driving yourself insane.

    4. Re:WordPress ??? by itsenrique · · Score: 1

      Accidental downmod, sorry.

    5. Re:WordPress ??? by stooo · · Score: 2

      In the world of machine safety, we call it "reasonably foreseeable misuse". If a programming language allows security flaws to happen when the programmer is lazy, it's a bad language and should not be used for this application. Point.

      http://www.controleng.com/blog...

      --
      aaaaaaa
    6. Re: WordPress ??? by cyber-vandal · · Score: 1

      Please don't. There's about a million of them already. A CMS is the text editor of web development where someone thinks they can do better than the existing ones and is usually wrong.

    7. Re:WordPress ??? by houstonbofh · · Score: 3, Funny

      The problem with idiot proofing things is that they keep coming out with better idiots.

    8. Re:WordPress ??? by interval1066 · · Score: 1, Insightful

      PHP is insecure by design. I don't mean by conscious design, but by design nonetheless. How can you stay on top of a language that is so inconsistent that it's laughable? The possibility of putting together insecure code without realizing it is very high with PHP.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    9. Re:WordPress ??? by Anonymous Coward · · Score: 1

      The possibility of putting together insecure code without realizing it is high, in any language, even ones with massive safety nets like VMs, strict typing, garbage collection à la Java...none of those systems, or any one that you could mention either, eliminate the possibility of the _programmer_ making a mistake. It's not that difficult to miss, either. SQL injection is still one of the most popular website hacks, why? The mistakes that lead to SQL injection are easy to make, in any language.

      Bad PHP programmers are just as likely to be bad Python/Ruby/insert-your-pet-language-here programmers...and bad programmers negate most of the advantages that your supposedly "safe" languages would provide, so perhaps the language isn't the entire problem. Perhaps bad programming practices are part of the problem. It's always easier to point the finger of blame at somebody else I suppose. Blame the language rather than accept your lack of talent.

    10. Re:WordPress ??? by unencode200x · · Score: 1

      For sure. OWASP has a good guide on prevention. https://www.owasp.org/index.ph...

      --

      Chance favors the prepared mind.
      Perfect is the enemy of good.
    11. Re:WordPress ??? by Applehu+Akbar · · Score: 1

      Ever try to archive a WordPress site? Nothing but reams of PHP, and good luck finding the site's content.

    12. Re:WordPress ??? by stooo · · Score: 1

      Yep, but by putting in basic idiot-proofing, you tackle the low-hanging fruit: 95% of errors. And that is lacking in the software industry.

      --
      aaaaaaa
    13. Re:WordPress ??? by i.r.id10t · · Score: 1

      What language will totally prevent errors and exploits like buffer overflows and SQL injection? Or allow clear text storage of passwords? Or hashed, but unsalted passwords?

      The biggest "problem" with PHP is that it allows just about anyone to start writing code and putting it out there, with no guarantee of developer skill or security consciousness. And because they got it to just about work and they want to "be helpful and give back", they publish the code/solution as a half assed howto or web article or reply to a forum posting. Then some other idiot comes along and copy/pastes that as a "well, someone posted it so it must be OK" thing into their half-baked code and .... you get the idea.

      --
      Don't blame me, I voted for Kodos
    14. Re:WordPress ??? by houstonbofh · · Score: 1

      Or, let Darwin free!

    15. Re:WordPress ??? by Electricity+Likes+Me · · Score: 1

      Rust? Go? JavaScript? Buffer overflows are totally prevented in most higher level languages. You can cause them, but the application will *always* crash safely.

      SQL injection is a product of SQL itself being a poor language that doesn't clearly delineate data and code.

  2. They Need To Take EVERYTHING Down by Anonymous Coward · · Score: 3, Insightful

    They've got a serious breach with no idea how the attackers got in and continue to get in. They need to take EVERYTHING down including their name servers and verify that their registration with the root servers hasn't changed, until they have done a thorough post-breach analysis. Only then can they bring up newly installed servers with whatever vulnerability fixed.

    This should take several days. Possibly even weeks, depending on the extent of their infrastructure.

  3. I hope the virus was open source at least by elrous0 · · Score: 2

    I mean, at least make the code available.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:I hope the virus was open source at least by markdavis · · Score: 1

      There was no virus, it was a security flaw in WordPress.

  4. PHP is a security vulnerability! by Ironlenny · · Score: 1

    Don't use it!

    --
    There is a system for subverting the system and you should use that system!
    1. Re:PHP is a security vulnerability! by Anonymous Coward · · Score: 1

      OK, what should I use instead? Serious question.

      I need to set up a dynamic site with an e-store, blog, forum, and mailing list, ready to go out-of-the-box, without having to hack piles of code to set it up and modify it. I don't have an endless budget or endless development time to do this. What should I use?

    2. Re:PHP is a security vulnerability! by Anonymous Coward · · Score: 1

      The question is why do you need all of those things if you're Linux Mint?

      An e-store is nice, because it brings in revenue. There's e-store code out there that's not as vulnerable as WP.

      A forum is not a bad idea - it allows your users to receive some kind of support and provides a place for announcements and FAQs. There's forum code out there that's not as vulnerable as WP.

      While these are not as easy to use as some kind of 'universal' solution like WP, they are also much more secure. Getting hacked in this case doesn't just mean YOU getting hacked, but your users also facing risks when YOU get hacked.

      As users, we should FORCE communities to stop using insecure shit like WP and PHP based garbage, because as users we also suffer the consequences when a hack occurs.

    3. Re:PHP is a security vulnerability! by houstonbofh · · Score: 1

      Does not have to be. Several very secure and respected firewalls (m0n0wall, SmallWall, t1n1wall, pfSense, OPNsense) use PHP and do not have these problems. Of course, programming securely is hard...

    4. Re:PHP is a security vulnerability! by houstonbofh · · Score: 1

      I need to set up a dynamic site...

      Why? Seriously, why does the site need to be dynamic? Could you do what you need with a static site with a few dynamic pages? Thinking this way is how security works. Just going with some package downloaded off the Internet is how major compromises work.

    5. Re:PHP is a security vulnerability! by Anonymous Coward · · Score: 1

      Any idiot can make a site secure by serving up static content and web forms, but managing that content can be a big job. Making changes across a large site is a big job.

      It doesn't address the point anyway: people keep saying there are better languages than PHP that can do what PHP can do, only more securely. I seriously want to know what they are.

    6. Re:PHP is a security vulnerability! by Anonymous Coward · · Score: 1

      Okay my professional opinion is to copy what OpenBSD does. For everything. Down to being as abrasive as Theo de Raadt.

    7. Re:PHP is a security vulnerability! by Anonymous Coward · · Score: 1

      Okay, so I'll just install PHP on OpenBSD then.

    8. Re: PHP is a security vulnerability! by MTEK · · Score: 1

      Respected how? Usability? Ok, fine. But did you know pfSense runs PHP as root? Not something I would expect from a security appliance. Fortunately the head of the project publicly acknowledged this and is planning a new architecture, i.e., one without PHP.

    9. Re: PHP is a security vulnerability! by houstonbofh · · Score: 1

      Yeah, Chris is talented as hell. (And actually a super nice guy.) But that is not a small amount of work. Also, there is a slight difference in that pfSense by default does not actually have a shell. That makes it a bit easier since you do not have the typical method of launching commands. (You can, but it is non-trivial)

    10. Re:PHP is a security vulnerability! by houstonbofh · · Score: 1

      I just went through "Smallwall" and "pfSense" training...

      Now where did you find SmallWall training? Because they do not have any. Not by them anyway. You may have taken some MOOC somewhere, but SmallWall didn't do it. So I am going to have to call bullshit, Mr. AC.

    11. Re:PHP is a security vulnerability! by houstonbofh · · Score: 1

      Any idiot can make a site secure by serving up static content and web forms, but managing that content can be a big job. Making changes across a large site is a big job.

      I guess we have different versions of "big job." Install WordPress internally. Let the internal devops idiots go wild. Run a script nightly that generates static content, pushes it into a repository (like svn) for history, and then pushes it live. They break something and run a script to roll back SVN and push the last version live again while they fix it. Rocket science...

      (Oh shut up about git being better. No need for anyone to fork it... It is a backup!)

  5. Re:STFU by Z00L00K · · Score: 1

    I now got an idea for a project to teach myself Erlang.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  6. wtf? by Anonymous Coward · · Score: 1

    1. Not isolating download servers from forum/blog servers.

    2. Not auditing changes of all critical files with immediate reporting.

    3. Not instructing all users to check signature from various well-reputed third party locations.

    4. Using WordPress when most people need sufficiently few features that they'd be better off rolling their own.

    1. Re:wtf? by Sfing_ter · · Score: 2

      FTA:
      "During the second compromise, all Linux Mint ISO download mirrors were pointing to the same Bulgarian FTP site (IP: 5.104.175.212)"

      --
      A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
  7. repos unharmed? by Anonymous Coward · · Score: 1

    Anyone checked repositories ?

    1. Re:repos unharmed? by Anonymous Coward · · Score: 1

      If it were the repos, we'd be hearing about Ubuntu, not Mint.

  8. Re:STFU by Billly+Gates · · Score: 1

    I now got an idea for a project to teach myself Erlang.

    No man, all the cool kids use Outlaw Techno Psychobitch as the real rockstar language.

  9. Re:STFU by stooo · · Score: 3, Funny

    >>Name a better CMS.
    Notepad.

    --
    aaaaaaa
  10. Re:forum by KGIII · · Score: 5, Insightful

    They were selling the database. The PMs aren't encrypted in most forums, I'm not sure about phpBB. The passwords are salted and hashed so they're not gonna be digging out rainbow tables and getting passwords. They'll have email addresses that tie in with usernames. They'll know a little about the person so spear phishing is a possibility as is just plain phishing.

    I've got some data involved in this one. Nothing major, nothing important. I am not the least bit concerned. I did not download any of the torrents. I do have the legit versions of the .ISOs seeding - all current versions and some older versions - going back to at least v. 14. So, it sucks but it's not the end of the world - unless this damages their reputation so much that people bail on them.

    I like Linux Mint. I call it Linux for Retards - which means that I can use it without even looking at the manual. They're well supported, give access to the Ubuntu ecosystem, a cautious and safe build, and not a horrible community. I have a laptop with me that has Cinnamon on it. They'll be okay.

    But, there's a few things that make the database valuable. The emails and username combinations are a good start. They can then do some work and figure out more personal traits and then attempt some social engineering, phishing, and even targeted malware - if they want to invest enough energy.

    --
    "So long and thanks for all the fish."
  11. Re:STFU by Aethedor · · Score: 1

    Name a better CMS.

    The Banshee Content Management Framework.

    --
    It doesn't have to be like this. All we need to do is make sure we keep talking.
  12. Re:Stop. Using. Wordpress!! by thegarbz · · Score: 1

    What makes you think if someone is incapable of securing wordpress that the outcome would be different with any other system?

  13. Re:STFU by houstonbofh · · Score: 3, Interesting

    Name a better CMS.

    Offline. There is no way to secure WordPress for any length of time, so use it as a static site generator and post that. (Or Drupal, or anything else) More security and less resources needed.
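
The offline-WordPress pipeline houstonbofh describes here and in comment 4.11 (generate static content, keep history, push live, roll back when broken), as an added example that is not code from the thread or from any project: numbered snapshot directories stand in for the svn history, a swapped `current` symlink for the push, and the generation step itself is simulated by a directory of files.

```python
"""Publish a static export of an internal CMS with history and rollback.

Added example, not from the thread. Numbered snapshot directories stand in for
the svn history, and an atomically swapped 'current' symlink (the web server's
DocumentRoot) is the 'push live' step. Generating the export (e.g. mirroring
the internal WordPress) is out of scope; a directory of files stands in for it.
"""
import os
import shutil
import tempfile
from pathlib import Path

# A static export must contain nothing the public host could execute; if it does,
# the generator leaked application code and the publish is refused.
FORBIDDEN_SUFFIXES = {".php", ".phtml", ".cgi", ".pl", ".py", ".sh"}


def find_server_side_code(export_dir):
    """Relative paths of files in the export that a web server might execute."""
    root = Path(export_dir)
    return sorted(
        str(p.relative_to(root))
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in FORBIDDEN_SUFFIXES
    )


class StaticPublisher:
    def __init__(self, site_root):
        self.root = Path(site_root)
        self.history = self.root / "history"   # 0001, 0002, ... one dir per publish
        self.current = self.root / "current"   # symlink the web server serves from
        self.history.mkdir(parents=True, exist_ok=True)

    def snapshots(self):
        return sorted(p for p in self.history.iterdir() if p.is_dir())

    def live_snapshot(self):
        if not self.current.is_symlink():
            return None
        return Path(os.readlink(self.current)).name

    def _activate(self, snapshot):
        # Build the symlink under a temporary name, then rename it over 'current':
        # rename is atomic, so visitors never see a half-published site.
        tmp = self.root / ".current.tmp"
        if tmp.is_symlink() or tmp.exists():
            tmp.unlink()
        os.symlink(snapshot, tmp)
        os.replace(tmp, self.current)

    def publish(self, export_dir):
        """Store the export as the next numbered snapshot and make it live."""
        leaked = find_server_side_code(export_dir)
        if leaked:
            raise ValueError(f"refusing to publish server-side code: {leaked}")
        dest = self.history / f"{len(self.snapshots()) + 1:04d}"
        shutil.copytree(export_dir, dest)
        self._activate(dest)
        return dest.name

    def rollback(self):
        """Re-point 'current' at the snapshot before the live one; nothing is deleted."""
        names = [s.name for s in self.snapshots()]
        idx = names.index(self.live_snapshot())
        if idx == 0:
            raise RuntimeError("nothing older to roll back to")
        target = self.history / names[idx - 1]
        self._activate(target)
        return target.name


def demo():
    """Constructed run: publish v1, publish a broken v2, roll back, then try a leaky export."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        pub = StaticPublisher(base / "site")
        exports = {"v1": "<h1>v1</h1>", "v2": "<h1>v2 broken</h1>"}
        for name, body in exports.items():
            (base / name).mkdir()
            (base / name / "index.html").write_text(body)
        leaky = base / "leaky"
        leaky.mkdir()
        (leaky / "index.html").write_text("<h1>v3</h1>")
        (leaky / "wp-login.php").write_text("<?php // must never reach the public host")
        pub.publish(base / "v1")
        pub.publish(base / "v2")
        result = {"after_v2": (pub.current / "index.html").read_text()}
        result["rolled_to"] = pub.rollback()
        result["after_rollback"] = (pub.current / "index.html").read_text()
        try:
            pub.publish(leaky)
            result["refused"] = False
        except ValueError:
            result["refused"] = True
        return result
```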

  14. Re:STFU by KGIII · · Score: 3, Insightful

    It's not really WordPress that's so bad. Not really. They used to be pretty bad but they, themselves, have gotten their act together. The problem is that people don't keep things updated and will use extensions and add-ons and the likes from anywhere. They won't keep those updated either. If they're maintained well, if you pick the add-ons by activity and reputation and timely security fixes, and if you're a little attentive then you'll be okay.

    There are a few add-ons (oddly enough) to help with this. There are ways to automate unattended updates. There are ways to lock down the permissions and make the suggested changes. Use a separate administrator name than user. Rename a couple of pages. After setup, remove the setup files, set the permissions to 555 when not in use, etc... You can do quite a bit, if you want. I've seen a few good guides - hell, there's a few people here who have done it enough that they can write you a guide in ten minutes and know which add-ons to use to secure it and which files to rename, all without opening a new tab.

    (That's a hint, by the way. If, you know, someone's got some advice...)

    --
    "So long and thanks for all the fish."
  15. Re: I hope they fix their name someday by mseitz · · Score: 1

    Suffixes can also be modifiers. Examples: Windows NT, Mustang GT, Bud Light.

  16. Re:This is what happens when you use Linux by houstonbofh · · Score: 4, Insightful

    No, WordPress is still insecure as shit on FreeBSD.

  17. Re: Stop. Using. Wordpress!! by cyber-vandal · · Score: 2

    How is that relevant? I've never built a car either but I have still owned some really shit ones and have said as much. WordPress is messy, insecure and is tightly coupled to one DBMS. It's quick to set up but awkward to do it right.

  18. Just an IRC bot by Anonymous Coward · · Score: 1

    I read the article and man are these guys full of themselves.

    They were disappointed at being a "top shelf Linux distro" and getting hacked by amateurs, for a lowly IRC bot.
    "They hacked php-this and we thought they hacked php-that, they should have waited longer and really had us."
    The whole article could have been reposted from 1998 with a hashtag thrown in.

    You were burgled by amateurs, and your sysadmins should be embarrassed.

  19. Re:MD5/SHA1's compromise? by Junta · · Score: 1

    This is one reason why a GPG signature would be a much better idea than posting sha512sums. The sums are marginally useful to verify a mirror or whatever, but a GPG signature would allow you to verify new content going forward.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  20. Re:forum by lucm · · Score: 3, Informative

    Remember that such an exploit is merely a way to create zombies, and a huge botnet of thousands and thousands of active zombies can be rented for a few dollars per hour. It's not a very lucrative market when you consider the labor and risk involved.

    That explains why those hackers who got caught by the FBI a few years ago were immensely thrilled when they made $7,000 in bitcoins.

    --
    lucm, indeed.
  21. old-school by lkcl · · Score: 1, Interesting

    y'know... there's a reason why debian sticks with old-school mailing lists and why the mirrors keep it as utterly simple as possible. but the other question is, were users verifying the md5/sha1 checksums on the ISO images? how would they do that (when usually they will be downloading a check-program from the same website)? would they *know* to verify the checksums?

    1. Re:old-school by Anonymous Coward · · Score: 5, Informative

      If the website is compromised the md5 sums available for download on the same website are highly likely to be compromised, too...

    2. Re:old-school by Burz · · Score: 2

      but the other question is, were users verifying the md5/sha1 checksums on the ISO images? how would they do that (when usually they will be downloading a check-program from the same website)? would they *know* to verify the checksums?

      Seriously?? This is why public keys exist...

    3. Re:old-school by Xtifr · · Score: 3, Insightful

      No. Public keys exist to ensure only one person can decrypt what you are sending.

      No, public keys also exist to verify private signatures. In all the years my public key has been out there, I've had it used for encryption maybe a handful of times (mostly for Debian voting verification), but it's been used for signature verification (mostly with Debian packages) more times than I can count.
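
Junta's point above (a signature, not a checksum hosted beside the download, is what lets you verify content from a site that may be compromised) and this sub-thread's question of how a user would check at all, worked as an added example that is not code from the thread or from the Linux Mint project. The pinned fingerprint is a placeholder, the `gpgv` invocation assumes gpgv is installed, and the file names are constructed.

```python
"""Verify an ISO against a GPG-signed checksum file.

Added example, not code from the thread or from the Linux Mint project.
The sums file (sha256sum format) and its detached signature may come from the
download site; the signing key's fingerprint must not: it is pinned here from an
out-of-band source. Only after gpgv reports a valid signature by that key is
the ISO hashed and compared, so a swapped ISO plus re-generated sums file fails.
"""
import hashlib
import subprocess
import tempfile
from pathlib import Path

# PLACEHOLDER: replace with the fingerprint obtained independently of the website.
PINNED_FINGERPRINT = "0000000000000000000000000000000000000000"


def signature_is_valid(status_lines, pinned_fpr=PINNED_FINGERPRINT):
    """True only if gpgv's --status-fd output has a VALIDSIG made by the pinned key.

    VALIDSIG carries the signing (sub)key fingerprint as its first field and the
    primary key fingerprint as its last, so either may match the pinned value.
    A GOODSIG from some other key is rejected: a compromised site can just as
    easily host a signature made with an attacker's key.
    """
    want = pinned_fpr.upper()
    for line in status_lines:
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            if want in (fields[2].upper(), fields[-1].upper()):
                return True
    return False


def run_gpgv(keyring, sig_path, sums_path):
    """Run gpgv (assumed installed) against a dedicated keyring; return status lines."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", str(keyring),
         str(sig_path), str(sums_path)],
        capture_output=True, text=True,
    )
    return proc.stdout.splitlines()


def parse_sums(text):
    """Parse sha256sum lines: '<hex>  <name>' (text mode) or '<hex> *<name>' (binary)."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition(" ")
        name = name.lstrip(" *")
        if len(digest) != 64 or not sep or not name:
            raise ValueError(f"malformed sums line: {raw!r}")
        sums[name] = digest.lower()
    return sums


def sha256_file(path, chunk=1 << 20):
    """Stream the file so multi-GB images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def iso_matches(iso_path, sums_text):
    """True if the ISO's SHA-256 equals the sums-file entry for its file name."""
    expected = parse_sums(sums_text).get(Path(iso_path).name)
    return expected is not None and sha256_file(iso_path) == expected


def verify_iso(iso_path, sums_path, sig_path, keyring, pinned_fpr=PINNED_FINGERPRINT):
    """Signature by the pinned key first, hash second; never the hash alone."""
    if not signature_is_valid(run_gpgv(keyring, sig_path, sums_path), pinned_fpr):
        return False, "sums file is not signed by the pinned key"
    if not iso_matches(iso_path, Path(sums_path).read_text()):
        return False, "ISO hash does not match the signed sums file"
    return True, "ok"


def demo():
    """Constructed sample: a tiny fake ISO, its sums line, then a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        iso = Path(tmp) / "linuxmint-sample.iso"
        iso.write_bytes(b"constructed sample, not a real image\n" * 64)
        sums_text = f"{sha256_file(iso)}  {iso.name}\n"
        good = iso_matches(iso, sums_text)
        iso.write_bytes(iso.read_bytes() + b"\x00")  # simulate a swapped image
        return {"good": good, "tampered": iso_matches(iso, sums_text)}
```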

  22. Re:MD5/SHA1's compromise? by interval1066 · · Score: 2

    I'm a Mint user and I wasn't affected by it either. What do you think is going to happen, if you're a Mint user the page is going to reach out and grab your machine? It only affected one ISO and you would have had to download it on the 20th. Then, you would have had to install the image. Simply being a Mint user is meaningless.

    --
    Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
  23. Re:forum by KGIII · · Score: 4, Interesting

    Probably not. You know they like Linux, you've got a known working (verified) email address, you've got a username, you might be able to make some sort of personal profile based on forum comments. You can check locations with IP addresses but that's not always a certainty. You can probably narrow down which is their preferred Mint. Depending on what they've said in public (and maybe in private) then there's some potential to assign that profile to a person. If they've used the email and/or username elsewhere, they can put some more data together.

    It really depends on what they're willing to put into it for effort. $85 is pretty cheap but they're probably not selling it as an exclusive so others will be targeting the users. They'll probably be combing through the data. It's a relational database so they may even automate some of this away (I would) and then simply start running reports. They might even have a way to weigh the data and find the more prominent posters and "mash up" what data they've shared. They'll potentially have some of the site's maintainers, admins, and even the dev team interacting with each other via PM. They might have even been dumb enough to PM passwords to each other.

    But no, really that's not much. Not as far as data spillage goes, it's not much at all.

    --
    "So long and thanks for all the fish."
  24. Re:Mint by interval1066 · · Score: 1

    mirrors; just search on "mint iso", and check the date and md5 hash.

    --
    Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
  25. Re:STFU by Gr8Apes · · Score: 2

    First, if the default out of the box is highly insecure, the product's insecure. If it has a plugin framework that is insecure, the product is insecure.

    Just because you can make it secure (you think) doesn't mean the product is secure. Take Windows for example, you can run it standalone with only vetted code in a vault and it'll be pretty "secure", but that doesn't make Windows secure. You can also run a very stripped down version with lots of unnecessary crap removed and that will make it more secure than the default, but the system itself, in this case, is still not secure. And I'd posit that securing WordPress is the same game of security whack-a-mole played by those attempting to secure Windows. When you start building on sand, your task never ends.

    --
    The cesspool just got a check and balance.
  26. I dodged this by following advice from paranoids.. by Anonymous Coward · · Score: 1

    When I pressed the update icon in my toolbar (Linux Mint 17) I got a strange alert saying "cannot verify that the software is what it is supposed to be" (can't recall the exact wording), but everything I have read here and elsewhere said to me "don't install stuff you don't trust and can't verify".

    So, I clicked cancel. The updates were fishy, even though they were through a legitimate source, but who knows when that source could get hacked?

    Thanks slashdot for all the paranoia over security for the past 15 years, it's paid off, just last night. :) Cheers!

    To all the jerks that say I have a tinfoil hat, have fun with your viruses!

  27. Re:STFU by KGIII · · Score: 1

    It's not highly insecure out of the box. It used to be pretty bad but it has improved greatly. The plugin framework isn't insecure, in and of itself.

    Nothing is secure, they're all varied degrees. I get far more security updates on a stock Linux distro install than I ever did on a stock Windows install. Yet, I'd still say that Linux is secure - because I know that nothing is completely secure, so the definition is reduced to "reasonably secure."

    Speaking of Windows, you can use Windows normally and just fine - without any active resident anti-malware application. Just keep your browser locked down, get apps from their source, and keep things up to date. I did it for years just to prove it can be done. I'd check and do the various scans with updated definitions here and there and never *noticed* any signs of intrusion or malware and was actively looking for such.

    You don't *have* to rename pages, change permissions, or even use a separate admin - so long as you're willing to use a long/complex password. The security issues come with people being people. If you don't follow the directions, you get insecure products. If you leave the setup.php behind (after having been instructed to remove it - when the server's not configured to allow it to do it on its own) then you get an insecure product. If you're using add-ons that are insecure, you have an insecure result. That's not the fault of WordPress. That's the fault of people being people and trying to do things they're not qualified to do thus have no business doing.

    So, I gotta disagree. Security is a process, not an application. The converse is quite frequently true. If you're not going to be attentive and keep things up to date, that's hardly the fault of the software. The framework's not bad (so far as I know) by itself. The script isn't even bad - by itself. You can make it a bit more secure but, by itself, it's not bad. It's when they don't update it or the add-ons that they get insecure. In fact, I have a couple of WordPress installs that are just fine. They don't have any third party extensions at all and the password's a long and complicated affair - and I've got a different username but that username's probably easily guessed.

    --
    "So long and thanks for all the fish."
  28. Blame it on Wordpress by wjcofkc · · Score: 1

    Disclaimer, I like WordPress.

    While the culprit turned out to be something else, I think it speaks volumes that the folks at Mint jumped straight to the conclusion that it was a WordPress hack. WordPress must be among the most frequently targeted and compromised systems on the web. To a large degree, you can pin this on market share. But over the years, the many cries pointing out the insecurities in WordPress have not been entirely without merit. Hence the first conclusion. The great thing of course about WordPress is that you can slap together a kick ass site with modern features pretty quick and with very little skill. Updating and maintaining is even simpler. I think this is best for people that really are helpless when it comes to web design. Personally, I would like to see a fork or similar that puts a strong and immediate focus on tight site security, with hardening, logging, and alarm measures all throughout, with an entire security control panel that would be above the heads of most. I am speaking of an implementation that would be impossible for the tech illiterate, but fresh air for those of us who would understand what we would be looking at and configuring. I can hammer out my own HTML/CSS/Javascript, etc... But unfortunately building a CMS is in fact out of my league. But it seems to me that when I set up a WordPress site, I spend more time auditing, documenting, manually altering and trying to hack it than I do building the site.

    --
    Brought to you by Carl's Junior.
    1. Re:Blame it on Wordpress by Qbertino · · Score: 1

      I see your points, but the first thing a WP redo should do is redesign the architecture. It's the classic mess done by people who started developing in the first web-boom and never learned to normalise a DB correctly.

      The security problems with WP are somewhat inherent to the LAMP stack and not so much WP. A proper Webapp Server built in some serious PL such as C++ or Go would do the trick, but that would kill the huge advantages of these awesome products cobbled together in PHP.

      It's a tradeoff, and for that WP security is actually quite OK.

      --
      We suffer more in our imagination than in reality. - Seneca
  29. Re:forum by arth1 · · Score: 1

    The passwords are salted and hashed so they're not gonna be digging out rainbow tables and getting passwords.

    They can brute force their way to at least some of the passwords. And given that there's likely an overlap between the group of people who choose insecure passwords and people who reuse passwords on other sites, it doesn't take a lot of hits before the yield is valuable.

  30. Re:I dodged this by following advice from paranoid by Burz · · Score: 2

    When I pressed the update icon in my toolbar (Linux Mint 17) I got a strange alert saying "cannot verify that the software is what it is supposed to be" (can't recall the exact wording), but everything I have read here and elsewhere said to me "don't install stuff you don't trust and can't verify".

    So, I clicked cancel. The updates were fishy, even though they were through a legitimate source, but who knows when that source could get hacked?

    Thanks slashdot for all the paranoia over security for the past 15 years, it's paid off, just last night. :) Cheers!

    To all the jerks that say I have a tinfoil hat, have fun with your viruses!

    That's exactly what you were supposed to do! And it's properly called precaution, not paranoia.

  31. Somebody wasn't doing their homework. by Qbertino · · Score: 5, Informative

    Now WP and PHP are going to get tons of flak, once again.

    To put things into perspective: WordPress has north of 100 million active installs. It powers more than a fourth of the entire web. That's orders of magnitude more than any other system on the planet ever has. For that, WP has an excellent security track record, with the last new exploit infecting roughly 8000 websites. Once again, of the type that weren't following basic security procedures.

    Using WP for a high-profile, high traffic website such as Linux Mint may be questionable due to load issues alone, but it is doable if you follow just the simplest security principles - such as disabling the login page, using non-standard garbled logins, de-coupling login and username and using a non-standard table prefix.

    All this is SOP on any non-development WP installation and mitigates 99.999% of the standard attacks on WordPress. That, and not showering your install with tons of plugin-bloat perhaps.

    WordPress is a system for quickly cobbling together a high-functionality website and for that it is excellent. But you have to know your basics about PHP and the LAMP stack, otherwise you have no business setting up a WP installation and are way better off getting one at wordpress.com or some other apphoster for WP. Which, btw., is a perfectly viable option if you've got your hands full maintaining a Linux distro and couldn't

    The Linux Mint people screwed up and perhaps even compromised some boxes that have yesterday's fake ISOs installed on them. They didn't do their homework in terms of basic web-security and this is not the fault of WP or PHP.

    I hope they learn their lesson.

    --
    We suffer more in our imagination than in reality. - Seneca
    1. Re:Somebody wasn't doing their homework. by Anonymous Coward · · Score: 1

      Switch up the login page and mildly obfuscate the SQL table names? THAT'S supposed to protect a WP site from 99.999% of attacks? I'll grant you these are some of the first baby steps to securing a WP site, but this is a far cry from the 99.999% you're throwing around.

    2. Re:Somebody wasn't doing their homework. by CRC'99 · · Score: 2

      such as disabling the login page, using non-standard garbled logins, de-coupling login and username and using a non-standard table prefix.

      All this is SOP on any non-development WP installation and mitigates 99.999% of the standard attacks on WordPress

      # Allow the login page and the admin area only from a trusted network
      # (Apache 2.2 access-control syntax; 2.4 would use "Require ip 1.2.3.0/24").
      <Location /wp-login.php>
              Order Allow,Deny
              Allow From 1.2.3.0/24
      </Location>
      # Note: /wp-admin/admin-ajax.php sits under this path, so front-end
      # plugin features that call it from the public site are blocked too.
      <Location /wp-admin>
              Order Allow,Deny
              Allow From 1.2.3.0/24
      </Location>

      This is enough to secure most installs for brute force / stolen credentials.

      --
      Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
  32. Re:forum by KGIII · · Score: 1

    Doesn't phpBB use different salts for each user? If they do and if I am understanding properly then I'm not sure how far they'll get? Though, to be clear, I am not 100% certain that I'm understanding everything correctly. They really shouldn't be able to do much in the way of brute forcing?

    --
    "So long and thanks for all the fish."
  33. You don't get to be number one by Anonymous Coward · · Score: 1

    And not be challenged?

  34. Re:MD5/SHA1's compromise? by war4peace · · Score: 1

    "affected".

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  35. Re:STFU by stephenmac7 · · Score: 1

    In that case, you might be looking for Zotonic, an Erlang web framework/CMS.

    --
    "No man's life, liberty, or property are safe while the legislature is in session." -- Judge Gideon J. Tucker
  36. Re:Mint by Anonymous Coward · · Score: 1

    debian.org

  37. Re:forum by shawn2772 · · Score: 1

    Doesn't phpBB use different salts for each user? If they do and if I am understanding properly then I'm not sure how far they'll get? Though, to be clear, I am not 100% certain that I'm understanding everything correctly. They really shouldn't be able to do much in the way of brute forcing?

    Doesn't matter.

    Unique salt (which is the only way to do salt; there's zero reason to bother salting if the salts aren't unique), just means that each password has to be brute forced individually. But passwords can be tested so fast that a high percentage of passwords on most sites are found with only a few minutes effort, so brute forcing is well worth the effort.

    Passwords suck, and they're getting worse all the time.

  38. Re:Stop. Using. Wordpress!! by Aethedor · · Score: 1

    No one is capable of securing Wordpress. On the other hand, there are other CMSes out there that don't need special attention to make them secure.

    --
    It doesn't have to be like this. All we need to do is make sure we keep talking.
  39. Re:STFU by JustOK · · Score: 3, Funny

    notepad++

    --
    rewriting history since 2109
  40. Re:forum by KGIII · · Score: 1

    How exactly are they brute forced? I guess that's what I'm not getting. If they'd be doing simple brute force, why bother with the hash at all and just not authenticate it on a server that they control? How would they brute force the hash - and wouldn't each one be unique? It seems to me that's just a waste of time when they can use phpMyAdmin (for example) import the DB, and just use a local version of phpBB with timeout or attempt limits nullified from the script?

    I'm really positive that I'm missing something. Thanks for your patience. ;-) What am I missing? They're all unique so they'd have to be done individually. Why (or even how) would they be futzing with the hash instead of just attacking the login system and resolving it like that with dictionary and then brute force methods? Even if they "brute force" it that way then they're not really even dealing with the hash as that'd do them no good in figuring out the next one in line.

    Give me 20 minutes and a good search function and I can probably find the limit checks in the script and comment them out. I don't have a brute force tool and dictionary built (currently) but I can find one in a few minutes via Google. I'd be brute forcing the password, however. I'd not really be brute forcing the salted hash. The end result is the same, of course. :/

    --
    "So long and thanks for all the fish."
  41. Re:forum by Antique+Geekmeister · · Score: 1

    > The passwords are salted and hashed so they're not gonna be digging out rainbow tables and getting passwords.

    No, they can merely apply brute force guessing techniques to verify password guesses. I've seen no hint that the distributed work and very effective ruleset of Alec Muffett's old "crack" password guessing utility have ever yielded less than 10% of any DES or now 3DES based list of hashed passwords.

  42. Re:STFU by Antique+Geekmeister · · Score: 1

    Git, hosted at Github.

    If you mean a "web publishing system", then Wordpress has a reasonable history of being one. But that doesn't make it a CMS.

  43. Re:forum by thogard · · Score: 2

    Brute forcing hash-based passwords involves getting a program like John the Ripper or one of the versions that supports the bitcoin mining hardware and just asking it to try a trillion of the most likely passwords in a few seconds.

    I find it entertaining that many security experts are claiming sha-256 hashes are more secure than older weaker hashes, yet I can spend less than $1,500 and buy hardware that will try more than 2 trillion sha-256 hashes a second, yet the cost to do the early md5-based passwords is now significantly higher.

    I would like to see a mod of John the Ripper so it could be used as a PAM module to say "Your password would be found in round 4" using the rule 'substitute digits for letters'.

  44. Re:MD5/SHA1's compromise? by gweihir · · Score: 1

    That is why you use PGP signatures. Unless they compromise the key before you got it, they are out of luck.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  45. Re:MD5/SHA1's compromise? by gweihir · · Score: 1

    Indeed. Checksums are only good to check for transmission errors, unless the checksums are PGP-signed. Checking for transmission errors is a good idea with these sizes, but not any protection against attacks.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  46. Re:not a coincidence by gweihir · · Score: 2

    Verify the ISO against the SHA512 hashes and the PGP signature of the hash-file. Unlike re-downloading that actually gives you security.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
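
The procedure comments 45 and 46 describe, written out as an added example (not code from any poster or from the Linux Mint project): check the PGP signature on the checksum file first, then check the ISO's SHA-512 against the signed list. The file names (sha512sum.txt, sha512sum.txt.gpg), the ISO name and the pinned signing-key fingerprint are assumptions; `gpg --verify <sig> <data>` and the `--status-fd` VALIDSIG line are standard GnuPG behaviour. The demo function uses a constructed stand-in file so the checksum part runs offline; the signature step needs gpg and the real files.

```python
"""Verify a downloaded ISO against a PGP-signed checksum file.

Added example for this thread, not code from any poster or from the Linux
Mint project. Signature first, then checksum. File names, the ISO name and
the signer fingerprint are assumptions; the sample payload is constructed.
"""
import hashlib
import subprocess
import tempfile
from pathlib import Path

HEX = set("0123456789abcdef")


def parse_sums(text: str) -> dict:
    """Parse sha512sum(1) output: '<128 hex>  <name>' or '<128 hex> *<name>' per line."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        digest = digest.lower()
        if len(digest) != 128 or set(digest) - HEX:
            raise ValueError(f"malformed checksum line: {raw!r}")
        sums[name.lstrip("*")] = digest       # '*' is sha512sum's binary-mode marker
    return sums


def sha512_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file; an ISO is too large to read in one go."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_iso(iso: Path, sums_text: str) -> bool:
    """True iff the ISO's SHA-512 matches the entry listed under its own file name."""
    expected = parse_sums(sums_text).get(iso.name)
    if expected is None:
        raise KeyError(f"{iso.name} is not listed in the checksum file")
    return sha512_file(iso) == expected


def gpg_verify(sig: Path, data: Path, signer_fpr: str) -> bool:
    """True iff gpg reports a VALIDSIG over `data` made by the pinned key.

    Pinning the fingerprint matters: a key fetched from the same web server
    as the ISO proves nothing once that server is in the attacker's hands,
    and a GOODSIG from some random key is not a release signature."""
    res = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(sig), str(data)],
        capture_output=True, text=True)
    if res.returncode != 0:
        return False
    for line in res.stdout.splitlines():
        if line.startswith("[GNUPG:] VALIDSIG") and signer_fpr.upper() in line.split():
            return True
    return False


def verify_release(iso: Path, sums: Path, sig: Path, signer_fpr: str) -> bool:
    """Signature first, checksum second. Without the signature step the
    checksum file is only a transmission-error check: whoever swapped the
    ISO on the server could swap the sha512sum.txt beside it just as easily."""
    if not gpg_verify(sig, sums, signer_fpr):
        return False
    return check_iso(iso, sums.read_text())


def demo_checksum_roundtrip() -> tuple:
    """Constructed stand-in for the ISO (a few KB in a temp dir).
    Returns (matches_before_tamper, matches_after_tamper)."""
    with tempfile.TemporaryDirectory() as d:
        iso = Path(d) / "linuxmint-demo.iso"          # name is an assumption
        iso.write_bytes(b"\x00" * 4096 + b"ISO9660 demo payload")
        sums_text = f"{sha512_file(iso)}  {iso.name}\n"
        before = check_iso(iso, sums_text)
        with open(iso, "r+b") as f:                    # flip one byte, as a trojaned image would differ
            f.seek(100)
            f.write(b"\x01")
        after = check_iso(iso, sums_text)
    return before, after


if __name__ == "__main__":
    print(demo_checksum_roundtrip())
```

Usage against real files is `verify_release(Path("linuxmint.iso"), Path("sha512sum.txt"), Path("sha512sum.txt.gpg"), "<fingerprint obtained out of band>")`; a False from the signature step means the checksum list cannot be trusted at all, so the checksum comparison is never reached.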
  47. Re:forum by arth1 · · Score: 1

    How exactly are they brute forced? I guess that's what I'm not getting. If they'd be doing simple brute force, why bother with the hash at all and just not authenticate it on a server that they control? How would they brute force the hash - and wouldn't each one be unique? It seems to me that's just a waste of time when they can use phpMyAdmin (for example) import the DB, and just use a local version of phpBB with timeout or attempt limits nullified from the script?

    Going through a login interface is orders of magnitude slower than brute forcing the passwords from extracted hashes in specialized cracking programs. You load in the hashes and salts and run a fast loop with the hashing algorithm over millions of guesses in the same time it takes to do just a handful of guesses against a login interface.

    And even though it's brute force, it's not dumb brute force. First, dictionary attacks including passwords found on other sites, permutations of words, letter substitutions and simple appending of digits are tried. A lot of passwords fall within a few seconds from that. Then an actual exhaustive search taking into account letter frequency distributions and adjacent letters more often found in passwords. Given a list of thousands of passwords, that will knock down some of them fairly quickly, no matter how secure the hashing algorithm is.
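
The point made in comments 37 and 47 (per-user salts only force the work to be repeated per user; the guesses themselves are cheap) as an added example, not code from any poster or from phpBB. The thread does not say which hash scheme the Mint forum used; this block implements the phpass "portable" format ($H$ prefix: an 8-character per-user salt and 2**N rounds of MD5) that phpBB 3.0.x stored passwords in. The users, salts, plaintexts and wordlist are constructed for the demo.

```python
"""Offline guessing against a dump of per-user-salted hashes.

Added example for this thread, not code from any poster or from phpBB.
Implements the phpass portable ($H$) scheme; users, salts and the wordlist
below are constructed.
"""
import hashlib
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
WORDLIST = ["password", "sunshine", "mint", "linux", "letmein", "qwerty"]


def _encode64(data: bytes) -> str:
    """phpass's own base-64 variant (not RFC 4648): little-endian 3-byte groups."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_hash(password: str, setting: str) -> str:
    """Hash `password` under `setting` = "$H$" + count char + 8-char salt.

    The first 12 characters of a stored hash are the setting, so a stolen
    row carries everything needed to re-run the computation for a guess."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("bad iteration count")
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):          # 2**11 = 2048 rounds for phpBB's "$H$9"
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)


def new_setting(count_log2: int = 11) -> str:
    """Fresh per-user salt, as the forum software generates on signup."""
    salt = "".join(ITOA64[b & 0x3F] for b in os.urandom(8))
    return "$H$" + ITOA64[count_log2] + salt


def candidates(wordlist):
    """Mangling rules of the kind the thread describes: case, digit suffixes, leet."""
    leet = str.maketrans("aeios", "43105")
    for word in wordlist:
        for base in (word, word.capitalize(), word.translate(leet)):
            yield base
            for suffix in ("1", "123", "2016", "!"):
                yield base + suffix


def crack_dump(dump: dict, wordlist) -> dict:
    """Recover passwords from {username: stored_hash}.

    Unique salts mean the work cannot be shared across users (no rainbow
    tables, no hashing a guess once for the whole dump), so each user costs
    len(guesses) full hash computations. They do not make any single hash
    harder; only the round count does that, and 2048 rounds of MD5 is
    cheap next to bcrypt/scrypt/Argon2 on GPU hardware."""
    guesses = list(candidates(wordlist))
    found = {}
    for user, stored in dump.items():
        setting = stored[:12]
        for guess in guesses:
            if phpass_hash(guess, setting) == stored:
                found[user] = guess
                break
    return found


def build_sample_dump() -> dict:
    """Constructed forum dump: four users, each with its own random salt."""
    plaintexts = {"admin": "Mint123", "alice": "p455w0rd",
                  "bob": "sunshine1", "carol": "xK9#vq2Lr8@m"}
    return {user: phpass_hash(pw, new_setting()) for user, pw in plaintexts.items()}


if __name__ == "__main__":
    dump = build_sample_dump()
    print("distinct salts:", len({h[4:12] for h in dump.values()}), "of", len(dump))
    for user, pw in crack_dump(dump, WORDLIST).items():
        print(f"{user}: {pw}")
```

Three of the four constructed accounts fall to a six-word list with trivial rules; only the account with a random password survives, which is the thread's point: the salt protects nobody whose password is guessable, it just stops one guess from being checked against every user at once.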

  48. Re:forum by KGIII · · Score: 1

    Alright. I'm kind of getting it. Needless to say, I've not gone password cracking in a very, very long time. Err... I'm a bit more responsible these days. I'd also like to avoid felonies. We used to have some neat ways to just hammer on the regular user/password combos in a dictionary attack and get plenty of hits. If you can refine that to specific usernames, you're way ahead and there are a lot more cheap compute cycles kicking around now. I think I'm going to just continue to observe and pay attention as opposed to trying my hand at what's happening today. The landscape is much different and the penalties for doing so are much higher - as well as the likelihood of being caught.

    --
    "So long and thanks for all the fish."
  49. Re:forum by KGIII · · Score: 1

    Yeah, that'd probably be faster than punching through the phpBB script's login function. I'd have just built a local phpBB instance and pounded on it after removing the timeout security checks and captcha if applicable. I've not done anything of the sort in a very long time. I'm not going to start up now. But, that's how I'd have gone at it. Start with dictionary then brute-force. It should be fast enough as it's being run locally. Anyone without a complex password is gonna be found pretty quickly. Unless I'm missing something. As I mentioned in my other reply, the landscape has changed and it's a felony to go out poking at stuff like that. Screw that.

    I guess I could build one out and just populate it with a little data and see what happens. That's not a crime. Then again, they might say I have hacking tools. I don't think that's illegal, yet. It's too bad, I'd have liked to have kept up on it in detail. There were times when it was rewarding - not financially or anything. Just a success is fun. Err... PHP was still pretty new the last time I really even played with it.

    --
    "So long and thanks for all the fish."
  50. Re:forum by KGIII · · Score: 1

    I don't know how to do the latter. If I were to try this, I'd strip out the time checks and security from the phpBB script, run it locally, and hammer that with a dictionary and then a brute force attack. It'd work and I'm gonna get results. Anyone with a short and easy password will be gone quick. I've already got a list of usernames to check, I might split them and assign them some priority based on what I can glean from the site and see who's an admin and whatnot. I might even load it on a few boxes and do different priorities. Why not?

    It should be clear that I'm not gonna do that. I have no interest in doing that - but I do have curiosity. In other words, I'm not interested in breaking into their property. That's how you go to jail. I wouldn't mind a phpBB DB to play against. I haven't done anything like that since the mid-1990s. A lot has changed since then and I'm sure the tools are really nice. I'd probably just use CURL and check the resulting page for welcome text and build my own. :/ Err... I'm pretty sure your way would be much faster. (Consider, I've never actually looked at phpBB's security but I'm sure I could find it and comment it out.)

    You newfangled kids and your fancy and effective (and cheaper and faster) methods! Get off my lawn!

    Oh, and I'm well behaved today. I have to be. You go right to prison for playing those sorts of games now. I could just build my own DB and poke at it. I'm not sure what the benefit would be.

    --
    "So long and thanks for all the fish."
  51. Re:STFU by KGIII · · Score: 1

    Drupal is awesome but not that easy to figure out at first. 'Snot too bad once you get it figured out. Joomla kind of sucks. I've tried to theme Joomla and, well... Let's just say that I am not a graphics artist. Or a patient man... I can handle Drupal. I don't mind WordPress but it needs babysitting. At least it's generally pretty smooth to update.

    --
    "So long and thanks for all the fish."
  52. Re: STFU by jofas · · Score: 1

    Nope. WordPress is a catastrophically awesome choice if you want to get owned. As was mentioned, the only way to use WordPress securely is to use it to generate static HTML content.

  53. Re:forum by arth1 · · Score: 1

    You newfangled kids and your fancy and effective (and cheaper and faster) methods! Get off my lawn!

    Oh, and I'm well behaved today. I have to be. You go right to prison for playing those sorts of games now. I could just build my own DB and poke at it. I'm not sure what the benefit would be.

    I'm not as young as you might think.

    As a sysadmin, I periodically run crackers against the password hash databases for apps I admin, and send users notifications to change the password if it falls quickly to fairly standard cracking programs, or if it falls and the same password turns out to be used for more than one service. Either is bad, and scanning for and correcting this is a good thing, if we ever get hacked.

    Also, for servers in attacked positions, "haystacking" them, injecting tens of thousands of fake users with random hashes, which slows down any attack. By having 90% fake users, the amount of time to crack any password increases 10-fold too. A difference between it taking 3 days for a cracker or 30 days can be significant enough to make this worthwhile.

  54. Re:forum by SQLGuru · · Score: 1

    Azure and AWS aren't that expensive, either.....a single core VM on Azure is $0.09/hr. Not quite as cheap as some sliver of thousands of machines, but not as shady.

  55. Re:forum by shawn2772 · · Score: 1

    I'd strip out the time checks and security from the phpBB script, run it locally, and hammer that with a dictionary and then a brute force attack. It'd work and I'm gonna get results

    Sure, but a few orders of magnitude slower than doing the hashing locally on dedicated hardware.

      The best way to do this is to run the hashing on a set of GPUs, each of which has dozens to hundreds of cores. With your method you'll be lucky to test a thousand passwords per second. With dedicated hardware -- and assuming a computationally cheap hash like SHA-256 or MD5, you can build a system that will test a billion passwords per second for a few thousand dollars -- or rent one on AWS or similar for a few hundred dollars (AWS has systems with GPUs for computation). If the target database used a proper password hashing algorithm like PBKDF2, scrypt, bcrypt, Argon2, etc., then it's slower on a given amount of hardware, but you can always speed it up by throwing more hardware at it.

  56. Re:forum by KGIII · · Score: 1

    Unless the fake users have data associated that mirrors other users, I'm gonna filter that out. Well, maybe not, compute cycles are cheap today. But, I'd filter admins, active users, and things like that. I'd just then pop several instances up in DB and my own LAMP stack and hammer on 'em until I got them. I'm gonna be pretty slow anyhow. I might as well filter out the more active users, admins, and the likes. Then I'd work my way backwards, starting with the newest, that's likely to be the most "fresh" data. So, if you inserted your "haystack" all at once, it's a relational database, I'll filter those out fairly well by that means too.

    It does kind of pique my interest. I do sort of miss that type of thing. If I had done something like that then I'd have not really done much of anything with 'em before. If I would have done so in the past then I'd mostly just have dumped 'em to a newsgroup and they were usually porn passwords. You know, if I had... I can't really admit to having done anything of the sort. But, I have been known to be curious before.

    --
    "So long and thanks for all the fish."
  57. Re:forum by KGIII · · Score: 1

    Yeah, I can do the former and I don't even need dedicated hardware. I don't know how to do the latter. I could probably find it on Google and with some work but I've never done it. I'd have to whack at it my way - or I would because it'd be easier for me to do it that way than it would be to actually go through and figure it out the faster way. That and, well, I'd not actually be in any great hurry.

    I do use the same password there as I use anywhere else. In fact, I know what that password is and it's safe and sound. They can have that password. The next time I visit, I'll change it. It's a sacrifice fly and I don't consider it a great loss. They could probably use that password to... Well... Nothing? They can't even figure out a system from it and the email password's not the same. In fact, none of my accounts are the same.

    So, I'll be okay. Hopefully others are smart enough to know not to reuse passwords. Or at least to let 'em have only a small chunk at a time.

    At any rate, I'll have to read about the other ways. I'd only know how to do it like I described. I could bang out a pretty quick and dirty script and then find me some dictionaries. I don't keep those sort of things on hand. I've got a few PERL skills left in me! Err... No, really, I'd probably write something quick and in PERL. I'm sure there are tools out there to do it but I don't know who made 'em, where to go to find something that can be trusted, nor have I maintained a relationship with any who kept up with it. I could probably ask around...

    I am tempted to install phpBB and populate it with some data, extract the database, and then throw stuff at it until it breaks. I'm just not sure it would be all that rewarding and what the benefit (for me) would be. It might amuse me for a few days, there's that. It is interesting trying to keep up with all the changes. I mentioned elsewhere, it's probably been since 1995 when I was last interested in this sort of thing - interested enough to poke at it and learn a wee bit. I'm not even sure where I'd go looking for large, reliable, proxy lists.

    I am guessing some time with Google and on the .onion domains (maybe a few invite only forums - I can probably score an invite out of my contacts list) would be a good start. I'm way too lazy for that and it's not nearly rewarding enough with low-enough risks. It would be lots of neat stuff to learn.

    --
    "So long and thanks for all the fish."
  58. Re:Stop. Using. Wordpress!! by thegarbz · · Score: 1

    No one is capable of securing Wordpress.

    Most of the internet would disagree with you.

  59. Re:Stop. Using. Wordpress!! by Aethedor · · Score: 1

    Of course. Ignorance is bliss.

    --
    It doesn't have to be like this. All we need to do is make sure we keep talking.
  60. Re:forum by Flavianoep · · Score: 1

    Also, they can try every username to find the ones whose password is '123456' or the like.

    --
    Linux is for people who don't mind RTFM.
  61. Re:forum by shawn2772 · · Score: 1

    I don't see how what you know how to do or are interested in learning to do are at all relevant to the impact of the breach or why the attackers might be interested in selling the database.

  62. Re:STFU by Aaden42 · · Score: 1

    The problem is that people don't keep things updated

    I've got a big problem with that idea. If WordPress is only secure today because you had to install a critical update a week to keep it that way, that means WordPress is NOT secure. It doesn't matter if at 10:07 EDT as I write this, a fully updated WP install is free of known security issues. The fact that there were a dozen issues that I had to patch for previously means there were inevitably stretches of time when there *were* known issues. Even if I script it so every update is installed the instant they drop it, there's still time between reporting and fixing, and zero-days are a thing...

    WordPress is not a secure platform. Even just core, with no add-ons. It happens to be one of the most usable and featureful platforms, but it's not secure. Just adding an add-on to auto-update isn't the same thing as having secure code to run.

    Security update treadmills aren't a valid security posture. It's better than not updating, and you're practicing risk mitigation at that point, but I don't think it's the least bit valid to say, "You got hacked because you didn't update." You got hacked because WP can't manage to release secure code. The longer you run unpatched, the greater your chances of actually getting hit, but "you didn't update" is plain old victim blaming.

    And then of course you add add-ons (because WP as a platform is a huge part of why it's useful), and you might as well just give up at that point...

  63. Updates by phorm · · Score: 1

    Yeah. My concern wouldn't be about the ISOs at this point but the repositories. If an attacker is able to get at those and, say, provide a modified version of glibc, it would run rampant in short order.

  64. Re:STFU by KGIII · · Score: 1

    Then by your standards nothing is secure. Alright. We can agree to that. Stop using software that needs security updates. That includes every operating system out there.

    --
    "So long and thanks for all the fish."
  65. Re:forum by KGIII · · Score: 1

    Well, it's things that they may opt to do - and if I can think of a way to get the data then anyone can figure it out, so it's likely that it won't be long before they're able to use that data. You can do some pretty targeted spear phishing and social engineering with this data, making the most out of it is pertinent, yes? It's why the data might be of value and was what the subject was before the tangent into hash values.

    The data, in aggregate, is worth more than just passwords but the passwords are a start and a part of that data. The users include admins, actual Mint maintainers, and things of that nature. My thinking is that if I can figure out ways to make use of it, and to access it, then there are people who are far more adept than I. On top of that, I figure broaching the subject may get helpful and educational replies - and it typically does. It even did this time.

    --
    "So long and thanks for all the fish."
  66. Re:STFU by Gr8Apes · · Score: 1

    I don't think you're understanding where I'm coming from. Let's take a current iPhone. Out of the box, it's encrypted and set to lock and wipe via firmware. That's relatively secure. I believe the Galaxy Android phones are also shipping in a similar configuration now, but a whole host of Android phones are not. If you're running a MacBook Pro, out of the box, FileVault is not enabled, so it's significantly less secure by default. That requires 1 step to greatly enhance the system. All Apple's laptops should arguably be shipped with this default given their expected use cases.

    WordPress out of the box is insecure as hell. It requires a litany of changes to become hardened. After that, it requires constant monitoring and babying to be sure you're not subject to some newfound exploit, for its sole intended purpose. That's not secure by any stretch of the imagination. Yes, I'm aware of the similarities to running an OS, but the amount of work to lock down a server for a single purpose like running a webserver is hugely dependent upon your OS choice. While it still requires monitoring, you can be relatively assured that you won't need to update even monthly to keep your system secure. WordPress isn't like that, unless you lock out much of its functionality to the average user.

    --
    The cesspool just got a check and balance.
  67. Re:STFU by dfsmith · · Score: 1

    For anyone who's seen the original Erlang "movie", it's well worth watching the parent's OTP video. I pity the foo' who doesn't guffaw.

  68. Re: pet peeve about commas and "that" by gweihir · · Score: 1

    And one more: Unlike re-downloading, that gives you actual security.
    And what about: Unlike re-downloading, this gives you actual security.

    Language relies on the listener having a clue and interpreting it in the right way. Otherwise it does not work at all.
    As the first sentence is an imperative, there really is no potential for misunderstanding here.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.