154 comments

atleast (1)

Anonymous Coward | more than 3 years ago | (#34684486)

at least they told their users

Re:atleast (0)

Anonymous Coward | more than 3 years ago | (#34684914)

At least they say that they have told their users.

There fixed that for you, since I'm an affected user and I never got an e-mail about it (and I've checked my spam folders).

Re:atleast (3, Informative)

JackieBrown (987087) | more than 3 years ago | (#34684936)

I got one last night.

Mozilla Add-ons to davidbroome
show details 6:52 PM (11 hours ago)
Dear addons.mozilla.org user,

The purpose of this email is to notify you about a possible disclosure
of your information which occurred on December 17th. On this date, we
were informed by a 3rd party who discovered a file with individual user
records on a public portion of one of our servers. We immediately took
the file off the server and investigated all downloads. We have
identified all the downloads and with the exception of the 3rd party,
who reported this issue, the file has been downloaded by only Mozilla
staff. This file was placed on this server by mistake and was a partial
representation of the users database from addons.mozilla.org. The file
included email addresses, first and last names, and an md5 hash
representation of your password. The reason we are disclosing this event
is because we have removed your existing password from the addons site
and are asking you to reset it by going back to the addons site and
clicking forgot password. We are also asking you to change your password
on other sites in which you use the same password. Since we have
effectively erased your password, you don't need to do anything if you
do not want to use your account. It is disabled until you perform the
password recovery.

We have identified the process which allowed this file to be posted
publicly and have taken steps to prevent this in the future. We are also
evaluating other processes to ensure your information is safe and secure.

Should you have any questions, please feel free to contact the
infrastructure security team directly at infrasec@mozilla.com. If you
are having issues resetting your account, please contact
amo-admins@mozilla.org.

We apologize for any inconvenience this has caused.

Chris Lyon
Director of Infrastructure Security

Re:atleast (1)

Golddess (1361003) | more than 3 years ago | (#34685826)

How do you know you're one of the affected users? Did you download the file and find your email address?

Re:atleast (1)

TheLink (130905) | more than 3 years ago | (#34687436)

How do you know you're one of the affected users? Did you download the file and find your email address?

Could be too busy trying to find other people's passwords ;).

Don't fret before reading TFA... (3, Informative)

ferongr (1929434) | more than 3 years ago | (#34684502)

TFA says that it was the user database of the AMO (addons.mozilla.com) website, nothing to do with the Sync server.

Re:Don't fret before reading TFA... (1)

Tukz (664339) | more than 3 years ago | (#34684512)

Which is exactly what I gathered from the resume.
Since Mozilla mailed the users on adons.mozilla.org, I assumed it was the database with users from adons.mozilla.org that was compromised.

Re:Don't fret before reading TFA... (4, Informative)

cheater512 (783349) | more than 3 years ago | (#34684602)

Nope no exploit. They just accidentally made a backup publicly accessible.

They went through the logs and no one actually downloaded it except the person who notified them of the problem.

Re:Don't fret before reading TFA... (0)

Anonymous Coward | more than 3 years ago | (#34684728)

No-one mentioned exploits before you... The database was compromised, even if by accident.

Re:Don't fret before reading TFA... (0)

Anonymous Coward | more than 3 years ago | (#34685432)

... and how many people did that person send it to?
Did that person keep it? Can that person be trusted? Has that person's computer been compromised?
There is a risk of the dump being available even if only that one person downloaded it.

Re:Don't fret before reading TFA... (4, Funny)

Anonymous Coward | more than 3 years ago | (#34686286)

I just checked with the RIAA and they said that it is likely that thousands of people downloaded it from that person's machine.

Re:Don't fret before reading TFA... (2)

ehrichweiss (706417) | more than 3 years ago | (#34686828)

I wish I had mod points and that you weren't logged in as A/C because *that* my friend is CLASSIC!

Mozilla's public disclosure (5, Informative)

Giorgio Maone (913745) | more than 3 years ago | (#34684514)

http://blog.mozilla.com/security/2010/12/27/addons-mozilla-org-disclosure/ [mozilla.com]
Active accounts have their password SHA-512 hashed with per-user salt, so they're safe (for a while). However those 44,000 holders of older (and now disabled) MD5 hashed accounts should rush changing their passwords elsewhere, if they have the bad habit of using the same password everywhere...
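The distinction drawn above between unsalted MD5 and per-user-salted SHA-512 is the whole reason the 44,000 older accounts are the ones at risk. The script below is an added example written for this thread, not code from Mozilla or from the poster. It builds a small set of constructed user records (the names and passwords are made up), stores them under both schemes, and shows the two properties that matter for a leaked file: with unsalted MD5 every user who chose the same password gets the same digest, so one lookup table built once covers the whole dump; with a per-user salt the digests differ even for identical passwords, and the table has to be rebuilt per record. It also includes the login-side verification routine a defender actually needs for the salted scheme. Function names and the `SAMPLE_USERS` list are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed sample records (not Mozilla data): two users who happen to
# have chosen the same password, plus one with a different one.
SAMPLE_USERS = [
    ("alice@example.org", "hunter2"),
    ("bob@example.org", "hunter2"),
    ("carol@example.org", "correct horse battery"),
]


def md5_unsalted(password: str) -> str:
    """The legacy scheme from the disclosure: one MD5 digest of the bare password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def sha512_salted(password: str, salt: bytes) -> str:
    """Per-user salted SHA-512, as the disclosure describes for active accounts.
    (A deliberately slow KDF such as PBKDF2, bcrypt or scrypt is the current
    recommendation; the per-user salt is what this demonstration is about.)"""
    return hashlib.sha512(salt + password.encode("utf-8")).hexdigest()


def build_unsalted_records(users):
    """Simulate the old table layout: email -> md5(password)."""
    return {email: md5_unsalted(pw) for email, pw in users}


def build_salted_records(users):
    """Simulate the new layout: email -> (salt_hex, sha512(salt || password))."""
    records = {}
    for email, pw in users:
        salt = os.urandom(16)  # fresh random salt for every user
        records[email] = (salt.hex(), sha512_salted(pw, salt))
    return records


def verify_salted(record, candidate: str) -> bool:
    """Login-side check against a salted record, using a constant-time compare."""
    salt_hex, digest = record
    computed = sha512_salted(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(computed, digest)


def shared_hash_groups(digests):
    """Users whose stored digest is byte-for-byte identical. With unsalted
    hashes this exposes every group of users sharing a password just by
    reading the file; with per-user salts the groups are empty even when
    passwords are shared."""
    groups = {}
    for email, digest in digests.items():
        groups.setdefault(digest, []).append(email)
    return sorted(emails for emails in groups.values() if len(emails) > 1)


def weak_password_audit(unsalted_records, common_passwords):
    """One small lookup table built once serves the entire unsalted dump,
    which is why an unsalted MD5 leak is treated as a leak of the passwords
    themselves. Returns the emails whose password is in the common list."""
    table = {md5_unsalted(p): p for p in common_passwords}
    return sorted(email for email, d in unsalted_records.items() if d in table)


if __name__ == "__main__":
    unsalted = build_unsalted_records(SAMPLE_USERS)
    salted = build_salted_records(SAMPLE_USERS)
    print("shared digests, unsalted MD5:", shared_hash_groups(unsalted))
    print("shared digests, salted SHA-512:",
          shared_hash_groups({e: d for e, (_, d) in salted.items()}))
    print("audit hits on unsalted dump:",
          weak_password_audit(unsalted, ["password", "hunter2", "123456"]))
    print("alice logs in:", verify_salted(salted["alice@example.org"], "hunter2"))
```

Run it as-is and the unsalted dump reports alice and bob as sharing a digest and both as audit hits, while the salted dump reports nothing, even though their passwords are identical. That is the property that lets the active accounts stay "safe (for a while)": a leaked salted file still has to be attacked one record at a time, and a slow KDF in place of plain SHA-512 would raise that cost further.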

Re:Mozilla's public disclosure (1)

WillKemp (1338605) | more than 3 years ago | (#34684564)

However those 44,000 holders of older (and now disabled) MD5 hashed accounts should rush changing their passwords elsewhere, if they have the bad habit of using the same password everywhere...

If they can remember what password they used and where else they might have used it... I got the email, but I'm buggered if I know what password I used for that account. Chances are it was a disposable one that I use for accounts I don't care about, but I couldn't say for sure.

Re:Mozilla's public disclosure (1)

Giorgio Maone (913745) | more than 3 years ago | (#34684616)

If they can remember what password they used and where else they might have used it...

If you use Firefox's password manager you can ask it (Tools|Options|Security|Saved Passwords|Show passwords) and even search among its entries, by site, username or password.

Otherwise I'm afraid you will need to change them all :(

Re:Mozilla's public disclosure (1)

tukang (1209392) | more than 3 years ago | (#34685818)

Why don't you MD5 some of your guesses to see if the hash matches? This assumes they didn't salt the MD5 hashes.

Re:Mozilla's public disclosure (5, Interesting)

Rich0 (548339) | more than 3 years ago | (#34685450)

if they have the bad habit of using the same password everywhere

What alternative do you propose? I must have accounts on 100 different websites by now, including this one. I can't create and remember 100 distinct strong username/password combinations on all of those websites. Unless you're an autistic savant you can't either.

Passwords are false security - they are a way to CYA and blame the victim for causing the problem, while giving them no realistic solution. Sites that depend on their users choosing unique passwords for security are simply insecure, period.

Re:Mozilla's public disclosure (1)

Lincolnshire Poacher (1205798) | more than 3 years ago | (#34685638)

> I can't create and remember 100 distinct strong username/password combinations on all of those websites

Apparently "computers" can be "programmed" to perform information retrieval operations.

Perhaps some "software" such as PasswordSafe or MyPasswordsafe could be used for password creation, secure storage and on-demand retrieval.

Re:Mozilla's public disclosure (2)

Rich0 (548339) | more than 3 years ago | (#34686114)

That's great, and how do you propose keeping all those passwords secure and synchronized across multiple devices and operating systems, some of which I'm not permitted to install software on?

It isn't like I only access the web from one terminal...

Re:Mozilla's public disclosure (2)

gbjbaanb (229885) | more than 3 years ago | (#34686190)

That's great, and how do you propose keeping all those passwords secure and synchronized across multiple devices and operating systems, some of which I'm not permitted to install software on?

postit notes of course!

Ok, I use Keepass which is brilliant, and will work on your phone too, so you have no excuse to have a DB of passwords (randomly generated by Keepass itself if necessary). The db and app are tiny and will happily install onto other systems (by copying the keepass binary and the db file) so you only need to find a way to keep your db file updated... personally, I use a usb drive as my passwords don't change that often. If I have to copy it onto a computer that doesn't allow usb... I zip and email it to myself instead.

It's not an insurmountable problem, and the relatively minor inconvenience of being organised with 1 file is a lot less hassle than updating a hundred sites that you used a single compromised password on.

Xmarks is still kicking though, that lets you store passwords and you can encrypt them, not that I use it for passwords.

Re:Mozilla's public disclosure (1)

MobyDisk (75490) | more than 3 years ago | (#34685640)

I can't create and remember 100 distinct strong username/password combinations on all of those websites

You don't have to if you use a hash. Ex: My slashdot password = my base password + an easily computable hash of the word "slashdot." You know ASCII? Take the ASCII values for the first and last vowels of the site and sum them together. Something like that. Do the same for every site, then write down the user name + the word you used to hash it. (It is usually easy to guess, but with some sites you have to make rules like remove the spaces and punctuation or ignore the numbers)

Re:Mozilla's public disclosure (3, Insightful)

Rich0 (548339) | more than 3 years ago | (#34686280)

I think you're stretching "easily computable" - when I want to log into a website I don't want to spend 10 minutes with a calculator and an ascii table, or require access to the md5sum application.

Plus, this only works if it remains an uncommon way of generating passwords. If it becomes commonplace, then if a hacker can run through a bazillion md5 sums do you think that it will take them long to include variants of site names represented as ascii in their attacks? Once they figure out your algorithm through brute-force then it can be trivially applied to any other sites you have accounts on.

Re:Mozilla's public disclosure (1)

MosX (773406) | more than 3 years ago | (#34685654)

Why don't you just incorporate the first couple of letters of the site used into the password?

Re:Mozilla's public disclosure (2)

Rich0 (548339) | more than 3 years ago | (#34686184)

What would be the point?

Suppose the gizmodo password hashes are leaked, and somebody figures out that my username is rich0 and my password is gizmodo875.

Does it do me any good that my slashdot password is slashdot875?

This is why password aging is useless - if somebody finds the password of useless12 no longer works on a site that enforces aging they just have to log in using useless13 and that will work for 99% of accounts.

Re:Mozilla's public disclosure (1)

mgoff (40215) | more than 3 years ago | (#34685686)

What alternative do you propose?

LastPass [lastpass.com]

Re:Mozilla's public disclosure (1)

Rich0 (548339) | more than 3 years ago | (#34686256)

How do I use that on a work computer that I do not have admin rights to, and on which I'm forbidden by policy to install software?

Also - the website is hazy on how it manages synchronization - I'd prefer not to have to give some random service provider cleartext passwords to all of my accounts.

Sure, password vault programs are a band-aid to a fundamental problem, but they are not a good solution.

Re:Mozilla's public disclosure (1)

Xtense (1075847) | more than 3 years ago | (#34686164)

If you don't trust automated password keeper software and don't want to clutter your brain too much, just tier your passwords. Seriously. Have a set of five, maybe six levels of passwords with different levels of length and complexity. Lev1 on throwaway accounts you won't miss, Lev2 for accounts you don't use often but return once in a while, Lev3 for untrusted websites you need to use regularly, Lev4 for trusted sites containing no specific data, Lev5 for trusted domains with your private information, Lev6 for the holy-fucking-shit-if-this-were-ever-hacked-i'd-lose-everything-and-kill-myself places. Obviously, it goes without saying that you shouldn't ever write these down anywhere - and I mean everywhere.

This is a pretty good compromise between different passwords on every site and using just one everywhere. It's not a security measure good enough for the 3l33t and/or paranoid, but it should be enough for the average internet-enabled Joe.

Bonus points if you change your passwords once in a while.

Re:Mozilla's public disclosure (1)

Xtense (1075847) | more than 3 years ago | (#34686198)

> Obviously, it goes without saying that you shouldn't ever write these down anywhere - and I mean everywhere.

And this, dear Slashdotters, is why you should drink coffee before posting. Or just think before posting. ;]

Re:Mozilla's public disclosure (2)

multipartmixed (163409) | more than 3 years ago | (#34686242)

> Bonus points if you change your passwords once in a while.

I change my "Lev6" passwords now and again, and those are the only ones I write down -- because they DON'T have password recovery mechanisms.

I write them down in my phone, which I keep on me at all times, and a trusted friend knows how to retrieve them in case I get killed.

The reason I change them now and again is because I occasionally lose my phone... :/

Re:Mozilla's public disclosure (1)

ghyspran (971653) | more than 3 years ago | (#34688064)

Everything I've read by someone who seems to know what he's doing says that writing down passwords is a good idea for most people, and I tend to agree. Writing down passwords and keeping them safe, say in your wallet, gives you a backup in case you forget and lets you be less afraid to pick a long, tough password for fear of forgetting.

Re:Mozilla's public disclosure (1)

Xtense (1075847) | more than 3 years ago | (#34688478)

It's just me then probably ;) . I'd rather trust my memory jello than a scrap of paper or an electronic device to keep my most important information both accessible to me and private. Sometimes there are situations where you must leave your phone or wallet somewhere and I'd rather part with them and their contents than my most secure passwords. Of course, given a drug-and-five-dollar-wrench situation, I'm screwed either way, but up until now, I could always remember every one of my passes - and some of them are very long and very random. If I change a high-security password, I perform a series of test logins from a secure and trusted terminal until I can log in correctly ten times in succession without any delays on my part. I've been doing this for up to six years now, so I suppose it comes with practice, but it makes some pretty big assumptions on the security of the password. This method, for instance, surely wouldn't work in an office high-security environment, where passwords are changed pretty often.

Re:Mozilla's public disclosure (1)

JeffAMcGee (950264) | more than 3 years ago | (#34686254)

One technique is to use a password that is a function of the website domain name. For example, all of your passwords could be the number of characters in the second level of the domain, a random string, and the first letter of the domain. For slashdot, the password would be "8RANDOMs". This won't protect against a person who knows your password, but it will stop a script that knows 44,000 username/password pairs and blindly submits them to websites.

Re:Mozilla's public disclosure (0)

Anonymous Coward | more than 3 years ago | (#34686338)

Using KeePass

Re: What alternative do you propose? (0)

Anonymous Coward | more than 3 years ago | (#34687426)

I use an algorithm to incorporate some letters from the website name into the password, thus for each website my password is different. You can shift the letters by one to make them less obvious.
Over time my algorithm has changed a few times to make it less obvious. Also, I use different levels of complexity depending on how secure it should be. This created a mess, and I started storing them on my smartphone. However, I only store info about which algorithm I used, not the password itself. So, should I lose my smartphone, the passwords are still relatively safe.

Hope this helps and I don't get hacked after giving it all away :)

Keepass (1)

SuperBanana (662181) | more than 3 years ago | (#34688016)

What alternative do you propose? I must have accounts on 100 different websites by now, including this one. I can't create and remember 100 distinct strong username/password combinations on all of those websites. Unless you're an autistic savant you can't either.

Keepass. Clients are available for all major platforms, desktop and mobile. Combined with Dropbox, I can add/change passwords to the database on any system and my other systems are updated. This includes my Android mobile phone. One could implement something similar with rsync or something, I imagine...

Also, consider a common password, but one modified through some easily-remembered scheme. For example, use two words with a number in between. Add a letter after the number; make it the second letter in the site's domain name (i.e. dropbox would be r). Whoever steals thousands or hundreds of thousands of passwords is interested in getting into sites with identical passwords; your password scheme is safe unless they get the passwords to more than one site... even then, you're still a little safer due to safety in numbers; attackers are still only interested in the easy targets, just like the people who go down the street testing car door handles until they find the unlocked car.

Re:Mozilla's public disclosure (0)

Anonymous Coward | more than 3 years ago | (#34688292)

What alternative do you propose? I must have accounts on 100 different websites by now, including this one. I can't create and remember 100 distinct strong username/password combinations on all of those websites. Unless you're an autistic savant you can't either.

Actually, I have a unique password for each site I visit, and I'm far from a savant of any kind. It's quite easy and simple really. Instead of memorising 100 different passwords, memorise one single method of generating a password. I use the URL and other info as input into a single algorithm that generates a unique password for each site. In practice, it takes me around 30 seconds to work through it in my head and come up with my password. On sites that I use frequently, the proper password becomes second nature very quickly, so I don't actually have to work through the algorithm any more. You'd be surprised how many passwords you actually can end up remembering this way.

Re:Mozilla's public disclosure (1)

noidentity (188756) | more than 3 years ago | (#34685502)

if they have the bad habit of using the same password everywhere...

That's the problem. A server operator should ideally only have to manage access to his server. If he somehow leaks username-password pairs, then he should simply have to ensure that nobody gains unauthorized access to those accounts. Putting passwords used ELSEWHERE is just asking for trouble. For some reason I think about published interfaces to modules, and people using them in ways not documented, then having their code break when this undocumented behavior changes. Here the undocumented behavior is that your password won't get leaked. All the server operator should have to guarantee is that your ACCOUNT doesn't have unauthorized access. So even if your password is leaked, he can ensure that. But if you used your password for information that compromises accounts on other machines, you made the error. Just my thought on this matter.

Re:Mozilla's public disclosure (1)

xenapan (1012909) | more than 3 years ago | (#34687480)

If you FINISHED reading the article...you would know
a) only Mozilla staff and the ONE 3rd party person who informed them ever downloaded the file
b) it was a PARTIAL representation. All accounts were inactive
c) all the passwords were wiped and the file pulled.

this is non-news really.
1) The only 3rd party download informed mozilla so they obviously have no malicious intent.
2) unused accounts.
3) no way to use those passwords since they were wiped... the one person who downloaded the passwords COULD try and login to other sites with the same email and combo and thats about it. (see 1)

Kudos to Mozilla (5, Interesting)

duvel (173522) | more than 3 years ago | (#34684524)

This is really well played by Mozilla. We are witnessing a prime example of crisis-communication. The basic rules are:
  - Communicate early (even if you don't have all the facts yet)
  - Communicate honestly (even if you're to blame)
  - Promise follow-up (as needed)
Performing their crisis-communication this well will probably improve public perception of Mozilla. It will certainly raise the bar for other companies.

Re:Kudos to Mozilla (2)

partyguerrilla (1597357) | more than 3 years ago | (#34684672)

I disagree, mistakes like this should not happen at all.

Re:Kudos to Mozilla (3, Funny)

kestasjk (933987) | more than 3 years ago | (#34684702)

Here at slashdot we try to be supportive when tech companies make mistakes; we never kick people when they're down or make fun.

Mozilla may not be our favorite tech company and we may not agree with their software development methodology; but damn it we're not going to treat them any differently, and will give them our support just like we would any down-on-their-luck company which made a silly one-off mistake!

BULLSHIT. That is not the right attitude. (-1)

Anonymous Coward | more than 3 years ago | (#34685004)

What you say is bullshit. Absolute and total bullshit.

This sort of a fuck-up should never happen. Never. There is no excuse, and there should be no forgiveness. We should not stand for it, regardless of what company or organization is involved.

Then again, these are also people who think it's sensible to write complex applications like web browsers and email clients using a mix of JavaScript and XML.

Re:BULLSHIT. That is not the right attitude. (1)

GameboyRMH (1153867) | more than 3 years ago | (#34685662)

I've been using an AJAX email client for the last few years and plan to use (a different) one in the future, seems like a great idea.

Re:Kudos to Mozilla (4, Insightful)

higuita (129722) | more than 3 years ago | (#34684718)

It should not happen, but we are all humans (I think!!) and humans make mistakes (and scripts/robots break and fail, by the way).

All of us that administer servers have made some mistake in the past and probably will make more in the future. We can try to put enough road blocks to reduce the severity of the mistake, but they happen.

So as "sh*t happens", the openness and honesty of Mozilla is to praise; most closed-source companies would try to hide and ignore things like this.

Re:Kudos to Mozilla (1, Insightful)

cbope (130292) | more than 3 years ago | (#34684724)

So, are you proposing that the offenders be drawn and quartered? Where are the torches and pitchforks?

I mean come on, we are human after all and humans make mistakes. They have owned up to this mistake and you seem to want to make an example of them.

But then, I suppose *you* have never made any mistakes. It must be great to live in a world that is so black & white.

Re:Kudos to Mozilla (5, Insightful)

Opportunist (166417) | more than 3 years ago | (#34684754)

No, they should not. But mistakes happen where humans are at work. The question is, how do these humans then deal with the problems they caused?

The usual is to hush-hush and hope nobody notices. Mozilla could have done just that, and with far better conscience than other companies who followed that practice. According to the logs, the file was downloaded once, and that's by the person that informed them about the mistake. Essentially, one could assume that this is as "safe" as it gets considering the blunder. If they just decided to shut up about it, probably nobody would have noticed.

But is that the right way to deal with a problem that can potentially affect your customers?

I quite strongly recommend NOT chewing them out for making a mistake but actually applauding their very considerate approach to dealing with it. Consider the "learning effect": Chew them out and the learning effect is that it's better to just hush up when you lose customer data, especially if the chance of it getting into the wrong hands is slim. That's pretty much what most other companies do, and even if it gets out it rarely causes more than a bit of a tempest in a teapot on /.

Outside the security concerned tech community, nobody even notices.

So yes, mistakes like that should not happen. But they do. They happened, they happen and they will happen as long as humans are somehow involved in the process. Hence I welcome how they dealt with it.

Re:Kudos to Mozilla (2)

jamesh (87723) | more than 3 years ago | (#34684768)

I disagree, mistakes like this should not happen at all.

That's a given, but mistakes will happen, and did happen, and they did the right thing in response. Once the crisis is over I'm sure they'll look at what went wrong and how to stop it happening in the future, so stepping up onto a soapbox and saying "this should not happen" doesn't actually help. I think they already know that, and your attitude makes it _worse_ because potential hostility from people who don't understand this stuff might make companies think twice about reporting, and then we all lose.

The only thing worse than making a mistake is making a mistake and then making another mistake by not handling the crisis correctly. I'd rather know before the bad guys (or as soon as possible after) that my password was leaked in a relatively insecure form vs only finding out when the company is forced into admitting it. And in fact this leak appears to be relatively benign unless you use the same password in multiple places or are dumb enough to be under the illusion that your email address and full name isn't already in someone's inbox or address book somewhere for malware to find.

Re:Kudos to Mozilla (1)

Urkki (668283) | more than 3 years ago | (#34684786)

I disagree, mistakes like this should not happen at all.

If you believe there are companies who haven't and/or will not do mistakes as bad as this, you're naive.

So, when it's a given that mistakes like this happen, basically to every large organization, every once in a while, do you rather trust an organization that communicates about it, and you can be reasonably certain you know their screw up rate, or the one who tries to hide the mistake, and you don't know how many mistakes they've managed to hide already?

Re:Kudos to Mozilla (2)

mwvdlee (775178) | more than 3 years ago | (#34685316)

Wow, why didn't we all just think of that?
All we need to do is be perfect; it's so simple!

Re:Kudos to Mozilla (1)

partyguerrilla (1597357) | more than 3 years ago | (#34685702)

I can't help but wonder if you people would be so forgiving and even apologetic if there was any sensitive information, like billing data, exposed by this mistake. I still don't see how they handled it well, or how they could have possibly handled it worse after the incident.

Re:Kudos to Mozilla (1)

McDee (105077) | more than 3 years ago | (#34684684)

No, the basic rules are:
      - Don't post sensitive user data on public sites

The rest is damage limitation.

Re:Kudos to Mozilla (-1)

Anonymous Coward | more than 3 years ago | (#34684712)

I agree, nice crisis handling. Very few are honest when they are to blame... Bancuri noi [amuzant.eu]

Re:Kudos to Mozilla (-1)

Anonymous Coward | more than 3 years ago | (#34684860)

Mod here. I modded this down because it's obviously spam. (Testing to see if my moderation disappears when commenting anonymously...)

Re:Kudos to Mozilla (1)

LordBullGod (1602191) | more than 3 years ago | (#34684818)

This is really well played by Mozilla. We are witnessing a prime example of crisis-communication. The basic rules are:
  - Communicate early (even if you don't have all the facts yet)
  - Communicate honestly (even if you're to blame)
  - Promise follow-up (as needed)
Performing their crisis-communication this well will probably improve public perception of Mozilla. It will certainly raise the bar for other companies.

Are you frekin serious? Mozilla posts some user data, says sorry, and it is ok? Fanboyz have no limits.... If this was MS that posted user data, you would want them to burn like in the Salem witch trials. Gezzch....amazing

Re:Kudos to Mozilla (1)

MosX (773406) | more than 3 years ago | (#34685690)

They didn't just say sorry. They informed users and tried to fix the problem. That's more than a lot of companies would bother doing in this case.

Re:Kudos to Mozilla (1)

yoshi_mon (172895) | more than 3 years ago | (#34686464)

If this was MS that posted user data...

You clearly miss the point. If this was MS they would be in full spin mode to a) deny that they did anything, it had to be someone else's fault, b) that what happened was not bad anyway, and c) some 3rd totally irrelevant, yet made out to be A REALLY BIG DEAL, point designed to distract people away from the real issue.

However I seriously doubt, given what I can tell from your post here, that you will ever really 'get it'.

Re:Kudos to Mozilla (1)

mcgrew (92797) | more than 3 years ago | (#34687282)

If MS had posted user data you'd never have heard about it, which is why Mozilla is being praised.

Re:Kudos to Mozilla (1)

wisnoskij (1206448) | more than 3 years ago | (#34684874)

It is nice to hear them being honest, it is so annoying how most companies do not do this.

I know of many examples from friends, family, and myself where we have irrefutable proof that a company has screwed up and what do we get every time? Either the company does not respond or they say nothing is wrong.

I wonder if some study has been done and it is actually better for companies to deny fault even when they know they are wrong.

Re:Kudos to Mozilla (1)

DJRumpy (1345787) | more than 3 years ago | (#34685150)

Aren't they required by law to disclose any breach of private information, at least in the US? I don't know that this is as altruistic as it sounds.

Good thing I used the same password on Gawker (0)

Anonymous Coward | more than 3 years ago | (#34684582)

I mean, why make it difficult for identity thieves?

They handled it well (1)

Mouldy (1322581) | more than 3 years ago | (#34684646)

But that doesn't excuse the fact they messed up in the first place. What mozilla have done is plain careless. I know, 'accidents happen' - but I'd rather they didn't and I don't trust companies not to keep making mistakes with user data.

Re:They handled it well (3, Insightful)

Opportunist (166417) | more than 3 years ago | (#34684790)

Consider the consequences if it doesn't "excuse" it.

Essentially, a company making a mistake has two choices: Hush it up or come forward. Now, obviously the latter does not have any immediate benefit for them. It becomes known that they fucked up. Not good.

Trying to cover it up has the nice effect that maybe nobody notices. And in this case, the chance of this happening was actually pretty high.

If the net effect is the same, whether they cover it up or admit it, the choice is obvious. If I get accused of a crime and whether I plead not guilty (and hence force a lot of witnesses to testify and clog down the legal system) or guilty (and spare the witnesses to face me again, as well as running the whole process with far less waste of resources) has no effect on the verdict, nobody will plead guilty and confess anymore. Why should they? There's nothing to gain with it, is there?

If you condemn a company making a mistake no matter whether they admit it or try to hide it, nobody will admit it anymore. And that can cause quite a bit more harm if that info gets into the wrong hands and hence your passwords get known by people who might abuse them, all because a company decided to play possum and you not knowing that your credentials have been compromised.

Re:They handled it well (0)

Anonymous Coward | more than 3 years ago | (#34685408)

If you condemn a company making a mistake no matter whether they admit it or try to hide it, nobody will admit it anymore.

And if you completely exonerate a company that admits a mistake, nobody will bother with preventative measures.

Ideally, they still deserve some condemnation but not as harshly as if they had covered it up.

One more illustration (0)

Anonymous Coward | more than 3 years ago | (#34684652)

why you shouldn't give anyone personally identifiable data in the first place. Because personally sensitive data is like the genie in the bottle: Once it's out, there's no putting it back. No, I don't know what "anonymous registrations" would look like. Let's find out.

fake names and password vaults (1)

Inigo Montoya (31674) | more than 3 years ago | (#34684688)

One more reason to (a) use fake names everywhere except your bank accounts and, (b) use a password safe application like KeePassX or LastPass to save unique passwords for every site you visit.
This will minimize your exposure when something like this happens again at another site.

Re:fake names and password vaults (1)

koxkoxkox (879667) | more than 3 years ago | (#34685554)

But, but, you mean you are not Inigo Montoya? At least someone did kill your father, right?

What's next? (1)

Demonoid-Penguin (1669014) | more than 3 years ago | (#34684694)

I applaud the timely and transparent response - and I admit I'm heavily biased in favour of (F)OSS.

I've looked (quickly) but been unable to find details on how this was able to occur - do any Slashdot readers know? Could you post or point to the information, please?

This is all I could find out:-

We have identified the process which allowed this file to be posted publicly and have taken steps to prevent this in the future. We are also evaluating other processes to ensure your information is safe and secure.

Also - what, if any, steps are being taken to prevent it happening again?

Re:What's next? (1)

Opportunist (166417) | more than 3 years ago | (#34684804)

I can see a few ways how this could happen. E.g. run the wrong copy batch, the "public" one instead of the "private" one. Maybe a careless drag and drop copying process (your finger never slipped from the mouse button?). There are so many ways to have a file end up where it should not be...

MD5-hashing passwords... (-1)

Anonymous Coward | more than 3 years ago | (#34684886)

...oh boy! If you even remotely care about your users' passwords, encrypt them instead. This lack of security practice really dots the i's in "Failzilla".

Encrypting passwords is less secure (3, Insightful)

Dr_Barnowl (709838) | more than 3 years ago | (#34685212)

Urrgh.

Please, don't encrypt passwords. Encryption implies that you can retrieve them if you have the keys, which could have made this much worse.

MD5 hashing is probably still a secure practice, done right, for a given degree of "secure". Like any kind of data security, it's all about raising the cost of obtaining the data beyond the amount that a given person is willing to pay to do so. While MD5 costs less to crack these days, the cost to obtain each Mozilla user account password is probably still higher than most are willing to pay (although stealing the resources to do this via a botnet probably reduces this cost considerably).

Given equally sound methodology, encrypting passwords is always less secure than hashing them, because encryption implies that you can retrieve the plaintext, which leaves it open to all sorts of additional attacks, like stealing the encryption keys along with the data, "persuading" the sysadmin to decrypt them with either a rubber hose or a wad of cash, etc, etc.

On the other hand, hashing means that you genuinely cannot retrieve the password without expending a large amount of CPU time, and persuasion isn't going to help.

Any site that will email you your password as plaintext is doing it wrong - there is no reason that any authentication system should be able to retrieve your plaintext password. It's acceptable to offer a means to force a password change, it is NOT acceptable to send my password to me via a medium that any intervening server could read, and it's not acceptable to be storing passwords as plaintext or even encrypted when it is demonstrably less secure than hashing and there is no benefit to retaining them.

In fact, you should mail the sysadmin of any such system and let him know that his system is doing it wrong, and why.

Re:Encrypting passwords is less secure (3, Informative)

mysidia (191772) | more than 3 years ago | (#34685392)

Please, don't encrypt passwords. Encryption implies that you can retrieve them if you have the keys, which could have made this much worse.

Only if the keys are compromised.

The correct thing to do is to encrypt each password and protect the key by storing it in a different place; for example, by storing it in a different database, and having a separate application that performs authentications, so no single application has access to both databases.

That way, if the user file / user database is leaked someone cannot simply use an MD5 brute force attempt with some rainbow tables and a dictionary to get everyone's password.

This is most useful when the plaintext version of the password is required for authentication processes such as CHAP or CRAM-MD5 authentication.

When it is not required, you are best off taking a secure crypto hash of the password with a secret salt, and then encrypting the list of SHA1/SHA256 hashes.

If the password file is leaked with the list of SHA256 hashes, they will be useless without the ability to find or guess the salt that was used to compute each password.

Re:Encrypting passwords is less secure (4, Informative)

carlhaagen (1021273) | more than 3 years ago | (#34685438)

No, you're actually wrong - in the context of password protection, encrypting passwords means using a one-way encryption scheme. The method is in some ways similar to hashing, but the common process used is actually that of a modified version of the Blowfish crypto cipher resulting in a non-reversible output. The process is very time-consuming compared to generic hashing such as MD5, SHAx etc., and is practically impossible to create rainbow tables for, practically impossible to brute-force. You can educate yourself further on the topic here: http://codahale.com/how-to-safely-store-a-password/
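The storage scheme the last three posts argue over (Dr_Barnowl: hash, never encrypt; mysidia: keep a secret key outside the user database; carlhaagen: use a deliberately slow one-way function), as an added example that is not part of this thread or of Mozilla's code. It uses PBKDF2-HMAC-SHA256 from the Python standard library in place of bcrypt, a hypothetical server-side secret `PEPPER` that is assumed to live outside the user table, and a verify-and-upgrade path for the unsalted MD5 records the Mozilla e-mail describes.

```python
import hashlib
import hmac
import os

# Hypothetical server-side secret ("pepper"). Like the separately stored key
# mysidia proposes, it is kept outside the user database (config file, KMS),
# so a leaked users table cannot be checked against a wordlist without it.
PEPPER = b"example-pepper-not-stored-with-the-user-table"
ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    # Key the password with the pepper first, then run the slow, salted KDF.
    # PBKDF2-HMAC-SHA256 stands in for the bcrypt scheme carlhaagen links to;
    # both are deliberately expensive and one-way.
    keyed = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, iterations)


def make_record(password: str) -> str:
    """Stored form: scheme$iterations$salt$digest, with a fresh salt per user."""
    salt = os.urandom(16)
    digest = _derive(password, salt, ITERATIONS)
    return "pbkdf2$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def legacy_md5_record(password: str) -> str:
    """What the leaked AMO file held for older accounts: an unsalted MD5."""
    return "md5$" + hashlib.md5(password.encode("utf-8")).hexdigest()


def verify_and_upgrade(record: str, password: str):
    """Check a login. For a legacy MD5 record that verifies, also return a
    replacement PBKDF2 record so the caller can overwrite it in the database.
    Returns (ok, new_record_or_None)."""
    scheme, _, rest = record.partition("$")
    if scheme == "md5":
        candidate = hashlib.md5(password.encode("utf-8")).hexdigest()
        ok = hmac.compare_digest(candidate, rest)
        return ok, (make_record(password) if ok else None)
    if scheme == "pbkdf2":
        iters, salt_hex, digest_hex = rest.split("$")
        candidate = _derive(password, bytes.fromhex(salt_hex), int(iters))
        ok = hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
        # Re-hash if the stored work factor has fallen behind the current one.
        needs_upgrade = ok and int(iters) < ITERATIONS
        return ok, (make_record(password) if needs_upgrade else None)
    return False, None  # unknown scheme: refuse rather than guess
```

The upgrade only happens at a successful login because the plaintext is never available otherwise, which is exactly why a site cannot "e-mail you your password" from such a store.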

Re:Encrypting passwords is less secure (1)

Anonymous Coward | more than 3 years ago | (#34687180)

Upvote parent for codahale link.

Also, grandparent is forbidden from ever writing any code related to crypto.

Re:Encrypting passwords is less secure (1)

TheSpoom (715771) | more than 3 years ago | (#34686732)

Any site that will email you your password as plaintext is doing it wrong - there is no reason that any authentication system should be able to retrieve your plaintext password.

Not necessarily, if the email was sent as part of the registration system (wherein the password may still be in memory from the user entering it). Of course, it's bad practice to send a password in plaintext at all to a persistent medium like email or a database.

Government-Issued ID Needed (0)

Anonymous Coward | more than 3 years ago | (#34684938)

This is another example of why we need the government (at least here in the U.S.) to provide a single (biometric, if possible) ID and GUID for each user of the internet.

Problems like this one (and Gizmodo's) would simply disappear. You'd never need to memorize a password again, or worry about it getting lost in the wild and causing all kinds of havoc.

As an added benefit, it would eliminate "internet anonymity" so the Internet would become a much safer place. It's obvious we'd be much better off, even identity theft would vanish.

We already have the foolproof technology in place, so why is everyone avoiding it?

You sir, are a troll, but I'll bite anyway. (1)

Anonymous Coward | more than 3 years ago | (#34685152)

It's really convenient to ignore details like Australian schoolkids faking fingerprints for the absentee system with gummi bears. Yes, that's right, gummi bears. The basic problem with biometrics is that it is always easier to fake than replace the "identity", meaning that once that data is compromised (replay attack, anyone?) the prudent thing and indeed the only recourse left for the government is to kill you. Is that what you want?

Problems like this and Gizmodo won't go away at all, the data in their database will just change. Your needing to memorize a password hinges on availability of biometric- and card readers and supporting infrastructure, software, and such. And of course, anonymity is the source of all evil, despite the fact that the founding fathers made heavy use of it to discuss giving form to the USA. Maybe we should burn all whistleblowers at the stake too, just to be sure. So you admit that you are living in sin in a provably evil country too? Report yourself to the nearest extermination station, citizen. Friend computer knows best.

I think my Gmail was hacked because of this (4, Informative)

kbg (241421) | more than 3 years ago | (#34685036)

The day before this was noticed my Gmail account was hacked by Chinese spammers and I know I used the same password there. So I am skeptical about the claims that no one had downloaded this file. The email only says when they noticed the problem, but doesn't specify how long the file was available before that. It could have been available for a long time.

Re:I think my Gmail was hacked because of this (0)

Anonymous Coward | more than 3 years ago | (#34685084)

Since it was hacked and the password is now worthless, would you say what the password was? No hunter2 :(

Re:I think my Gmail was hacked because of this (0)

Anonymous Coward | more than 3 years ago | (#34685276)

May I give you some advice? Don't you ever, EVER use the same password in both your email and any other account. The same goes for any other important site (home banking, etc). At most you'll have to manage 3 or 4 passwords at the same time, but at least you'll minimize any damage from such leaks.

Re:I think my Gmail was hacked because of this (1)

mwvdlee (775178) | more than 3 years ago | (#34685474)

How do you know it was hacked by _CHINESE_ spammers?

Re:I think my Gmail was hacked because of this (1)

kbg (241421) | more than 3 years ago | (#34685512)

Because the IP used for the hack originated from China and the spam was advertising some Chinese scam site where the bank account for the payments was a Chinese bank.

Re:I think my Gmail was hacked because of this (1)

mwvdlee (775178) | more than 3 years ago | (#34686018)

I didn't know you could see the server logs from gmail.
Any chance this might have been ordinary, random spam?

Re:I think my Gmail was hacked because of this (1)

kbg (241421) | more than 3 years ago | (#34686320)

No, the spam was being sent from my account to all contacts in my address book. You can see Last account activity in Gmail which reveals which IP addresses have accessed your account recently.

Re:I think my Gmail was hacked because of this (1)

multipartmixed (163409) | more than 3 years ago | (#34686306)

How old is your AMO account database entry? If it's newer than 2009, it's really unlikely they managed to crack the SHA-256.

It's much more likely that your gmail account got cracked because Chinese hackers spend A LOT of effort in mass-cracking gmail accounts.

Re:I think my Gmail was hacked because of this (1)

kbg (241421) | more than 3 years ago | (#34686664)

It's older than 2009, so it was only MD5 which is easy to crack. The password was composed of random letters so I don't think it could have been mass cracked by brute forcing Gmail.

Please tag article "firefail" (0)

Anonymous Coward | more than 3 years ago | (#34685102)

Seriously, these are the people who are writing a browser, and they don't even know how to create a secure infrastructure. Perhaps they should stop squandering their money on stupid projects and eye candy, and take care of their own house first?

Gee, will you look at that. (0)

Anonymous Coward | more than 3 years ago | (#34685148)

Gawker has its private information stolen, whereas Mozilla just hands it out for us.

Time to change your password (1)

mysidia (191772) | more than 3 years ago | (#34685280)

"... including email addresses, first and last names, and an md5 hash representation of user passwords."

How long before we see a file on bittorrent?

With plaintext passwords derived from cracked MD5 hash representations.

Time to change your password, if you have an account on Mozilla's website. Repeat with any other online resources (such as e-mail accounts or accounts with other websites) you used a similar password on.

Re:Time to change your password (0)

Anonymous Coward | more than 3 years ago | (#34686038)

Knock yourself out. Me, I'm less inclined to be that paranoid / want to work that damn hard. I have a full-time job + family + enough responsibilities to occupy my time.

While I can understand your point of view, I just have a hard time getting my give-a-shit level up enough to do what you suggest. Instead, I think I'll treat this like the trivial event that it is and continue on with my day.

Get it out of the users table (1)

Twillerror (536681) | more than 3 years ago | (#34686204)

This was likely someone doing a classic "select*fromusers" query. Hopefully this doesn't trip the sql injection filters :)

If the hash had been in another table and that table had very restrictive permissions on it then this probably could have been avoided.

The same problem is likely going to occur with databases that are being hit by Ajax calls or through some kind of proxy. If you don't want a column to make its way out put it in a separate table/db and restrict everyone but the key DBAs and web servers from it.
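The table split Twillerror recommends, as an added example (constructed here, not Mozilla's schema): profile data in `users`, the hash in a separate `user_credentials` table, so a careless `SELECT * FROM users` export no longer carries it and only the login query joins the two. It uses Python's bundled sqlite3, which has no GRANT; on a server database the authentication service's role would additionally be the only one granted SELECT on `user_credentials`.

```python
import sqlite3

# Constructed schema: credentials kept apart from the columns that get
# dumped, exported or served to Ajax handlers. Hypothetical names throughout.
SCHEMA = """
CREATE TABLE users (
    id         INTEGER PRIMARY KEY,
    email      TEXT NOT NULL UNIQUE,
    first_name TEXT,
    last_name  TEXT
);
CREATE TABLE user_credentials (
    user_id       INTEGER PRIMARY KEY REFERENCES users(id),
    password_hash TEXT NOT NULL
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Constructed sample rows; the hash value is a placeholder, not a digest.
    conn.execute("INSERT INTO users VALUES (1, 'ada@example.org', 'Ada', 'Lovelace')")
    conn.execute("INSERT INTO user_credentials VALUES (1, 'pbkdf2$PLACEHOLDER')")
    return conn


def dump_users(conn: sqlite3.Connection):
    """The careless export: column names and rows of SELECT * FROM users.
    With the split schema this can be copied anywhere without leaking hashes."""
    cur = conn.execute("SELECT * FROM users")
    return [d[0] for d in cur.description], cur.fetchall()


def credential_for(conn: sqlite3.Connection, email: str):
    """The one query that may touch the hash: the login path's lookup, run by
    the authentication service alone (enforced by GRANT on a real server)."""
    row = conn.execute(
        "SELECT c.password_hash FROM users u "
        "JOIN user_credentials c ON c.user_id = u.id WHERE u.email = ?",
        (email,),
    ).fetchone()
    return row[0] if row else None
```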
