
WordPress.org Hacked, Plugin Repository Compromised

CmdrTaco posted more than 2 years ago | from the ok-that's-kinda-scary dept.

Security 110

An anonymous reader writes "Back in April hackers gained access to the WordPress.com servers and exposed passwords/API keys for Twitter and Facebook accounts. Now, hackers gained access to Wordpress.org and the plugin repository. Malicious code was found in several commits including popular plugins such as AddThis, WPtouch, or W3 Total Cache. Matt Mullenweg decided to force-reset all passwords on WordPress.org. This is a great reminder for all users not to use the same password for two different services."


Yay! (-1)

Anonymous Coward | more than 2 years ago | (#36527192)

Check me out.

Now is the time (0)

For a Free Internet (1594621) | more than 2 years ago | (#36527240)

Folks, I bet you are as fed up as I am with all this hacking going on. It's not American, it's not right, and it's just plain anti-American. It's time for all of us to come together as Americans against these Italians who are destroying our way of life, laughing at our God, and using their islamo-communist hackers to kidnap our wives and daughters to their homosexual atheist re-education camps in Mexico. First we need to start drinking more milk and eating more eggs, American eggs that is, not those stinky Italian eggs. If you don't heed me now, soon it may be too late. Wear your socks! Down with Italy! USA! USA! USA!

Re:Now is the time (-1)

Anonymous Coward | more than 2 years ago | (#36527482)

Who actually chants "USA! USA! USA!" in America? Is that a southern thing, or is it a European stereotype incorrectly applied to Americans? Arrogance and stupidity, patriotism and jingoism are everywhere in the U.S., but extreme nationalism (relating to the fellow man) is actually quite rare.

Re:Now is the time (-1)

Anonymous Coward | more than 2 years ago | (#36527580)

Who actually chants "USA! USA! USA!" in America?

I worked with the wealthy snowbirds and the every day racism of Americans drove me back to Germany.
Genuine hate towards foreigners from people whose great-grandparents stole the land they live on today.

All in the name of freedom, progress and the good old US of A, fuck that, fuck them.

Re:Now is the time (0)

gnapster (1401889) | more than 2 years ago | (#36527598)

Well, at least you're not racist.

Re:Now is the time (1)

ciderbrew (1860166) | more than 2 years ago | (#36527670)

America / American is not a race.

Re:Now is the time (0)

Anonymous Coward | more than 2 years ago | (#36527864)

They can be considered to be.

race2

[reys] Show IPA
–noun
1. a group of persons related by common descent or heredity.
2. a population so related.
3. Anthropology .
a. any of the traditional divisions of humankind, the commonest being the Caucasian, Mongoloid, and Negro, characterized by supposedly distinctive and universal physical characteristics: no longer in technical use.
b. an arbitrary classification of modern humans, sometimes, especially formerly, based on any or a combination of various physical characteristics, as skin color, facial form, or eye shape, and now frequently based on such genetic markers as blood groups.
c. a human population partially isolated reproductively from other populations, whose members share a greater degree of physical and genetic similarity with one another than with other humans.
4. a group of tribes or peoples forming an ethnic stock: the Slavic race.
5. any people united by common history, language, cultural traits, etc.: the Dutch race.

Re:Now is the time (1)

lostmongoose (1094523) | more than 2 years ago | (#36527972)

Who actually chants "USA! USA! USA!" in America?

I worked with the wealthy snowbirds and the every day racism of Americans drove me back to Germany. Genuine hate towards foreigners from people whose great-grandparents stole the land they live on today.

All in the name of freedom, progress and the good old US of A, fuck that, fuck them.

Oh my. A German chiding the people of other nations over hate. That's absolutely hilarious. I needed that laugh today.

Re:Now is the time (1)

torgis (840592) | more than 2 years ago | (#36528996)

Oh my. A German chiding the people of other nations over hate. That's absolutely hilarious. I needed that laugh today.

Perhaps he feels qualified to comment; the Germans having had much experience in such matters.

Re:Now is the time (1)

pubwvj (1045960) | more than 2 years ago | (#36531424)

"people whose great-grandparents stole the land they live on today."

You obviously have no concept of historic reality. Everyone stole the land they're on unless they bought it. In the past buying was rare. Instead people invaded, conquered, killed, raped, intermarried, enslaved and merged in time. It was the way. Stop being such a nationalist bigot.

Re:Now is the time (1)

Lumpy (12016) | more than 2 years ago | (#36527842)

"Who actually chants "USA! USA! USA!" in America?"

Alabama suicide bombers... Luckily they build the bombs themselves and end up exploding prematurely in an open field.

Re:Now is the time (0)

Anonymous Coward | more than 2 years ago | (#36529434)

Look at the footage just after Osama Bin Laden was killed. There seemed to be no shortage of people doing exactly that.

"USA" chanted in New York City (1)

perpenso (1613749) | more than 2 years ago | (#36531642)

Who actually chants "USA! USA! USA!" in America? Is that a southern thing, ...

Apparently you missed the coverage of Times Square the day Bin Laden was killed. There was no shortage of New York City residents chanting for the TV cameras.

Re:Now is the time (2)

Stenchwarrior (1335051) | more than 2 years ago | (#36527666)

Please say you were joking.

On behalf of the rest of us Americans, please understand that fewer than half of the people in our country actually talk and act like this guy; it's not everyone, I assure you.

A great remainder... (2)

hammarlund (568027) | more than 2 years ago | (#36527260)

and a great reminder as well.

Re:A great remainder... (0)

denis-The-menace (471988) | more than 2 years ago | (#36527922)

5/2=2
1 is the remainder.

Idiocracy here we come!

Re:A great remainder... (2)

pushing-robot (1037830) | more than 2 years ago | (#36527968)

Can we stop with the obligatory "OMG typo" posts on every thread? We all know the common denominator among editors here is a low proofreading quotient, but let's not allow it to cause division.

Re:A great remainder... (1)

BarryJacobsen (526926) | more than 2 years ago | (#36528168)

Can we stop with the obligatory "OMG typo" posts on every thread? We all know the common denominator among editors here is a low proofreading quotient, but let's not allow it to cause division.

But the typos are a subtraction.

Re:A great remainder... (1)

Tetsujin (103070) | more than 2 years ago | (#36530638)

Can we stop with the obligatory "OMG typo" posts on every thread? We all know the common denominator among editors here is a low proofreading quotient, but let's not allow it to cause division.

Please excuse my dear aunt Sally. She's very pedantic about these sorts of issues.

Does that mean... (0)

ArsenneLupin (766289) | more than 2 years ago | (#36527262)

... that Wordpress will now stop replacing quotes and doublequotes in users' contributions with bird droppings?

If so, yay!

Year of the Hacker (2)

wjousts (1529427) | more than 2 years ago | (#36527268)

It's looking increasingly like this year is going to be the year of the hacker. It's a new security breach every week (often several per week). It's getting to be quite dizzying.

Gonna be a tough year for IT security "professionals".

Re:Year of the Hacker (5, Insightful)

SatanClauz (741416) | more than 2 years ago | (#36527348)

Tough year? How about the year people finally realize security "professionals" are actually NEEDED!

Re:Year of the Hacker (1)

wjousts (1529427) | more than 2 years ago | (#36528156)

That was kinda my point. It's going to be the year when the "professionals" get separated from the Professionals.

Re:Year of the Hacker (1)

SatanClauz (741416) | more than 2 years ago | (#36528264)

Ah, yes. Good point! You mean the custodian's brother that knows how to turn on windows firewall shouldn't be doing my security? =cO

Re:Year of the Hacker (1)

S.O.B. (136083) | more than 2 years ago | (#36528222)

I think it's more basic than that, business units in big corps need to realize that they have to stop squeezing IT budgets. I've personally had to fight for security and stability fixes/patches because if they can't see it then they won't pay for it. Of course there's always plenty of money for a new feature or a new pretty graphic.

They have security professionals but any actions they recommend that actually cost money are ignored or deferred until they have an actual problem.

Re:Year of the Hacker (1)

Jawnn (445279) | more than 2 years ago | (#36528262)

Tough year? How about the year people finally realize security "professionals" are actually NEEDED!

Word. Maybe, just maybe, some suits will decide that, "Gee. Maybe we should spend some serious money on security..."
You know, like actually real actual security professionals and buy basic tools that would prevent many of the hacks we've read about.
[pauses...] Naaaahh.

Re:Year of the Hacker (2)

Lumpy (12016) | more than 2 years ago | (#36529374)

They hire minimum wage lackeys for the physical security... what makes you think they will hire someone skilled for the IT security?

Re:Year of the Hacker (0)

CastrTroy (595695) | more than 2 years ago | (#36528336)

The problem is that there is no proper definition of "professionals" as far as computer security is concerned. Professional usually means somebody that is licensed by a state overseen organization to work in a specific field. This includes medical doctors, lawyers, engineers (some countries), and accountants among others. I don't believe that there exists any similar oversight for licensing of computer network security personnel. There are a lot of certifications put out by the likes of Cisco, Oracle, MS, and others, but often these certifications don't actually mean that the holder of the certificate really knows all that much. Not only that, it's not like you would lose your certification if it was found that you were actually incompetent, as would happen with other professions. Also worth noting is that some of the most knowledgeable computer security experts hold no kind of certification at all, save for a university degree, and even many don't have that (not saying it's needed). Setting up an accreditation board and getting laws requiring that companies use professionals when designing their systems will probably take decades, if it ever happens, even at the rate that these systems are currently being cracked. Not only that, but there's a big question of who has to employ professionals in the first place. Am I required to hire one if I run a web server in my house? What about if I run a game server for one of those facebook games? What about if I run a simple store, but only use paypal, thereby not getting any credit card information directly? At what level do we require that a network requires accredited professionals? Basically the point is, we all know we need this at some level, but defining that level is quite difficult. And for any service that eventually requires accredited professionals, be prepared for the costs to skyrocket, just as has happened in every other industry that requires professionals.

Re:Year of the Hacker (1)

MrNemesis (587188) | more than 2 years ago | (#36529738)

people finally realize security "professionals" are actually NEEDED!

Or, if you know some of the people I've worked with, it'll be more an "as soon as the authorities have caught up with these LulzSec people, there won't be any more haXx0ring vectors, so what's the point in patching the servers? It's not like WE'D be a target anyway!". IME most companies won't give a shit about easily enforced and executed pre-emptive security until there's a thousand trojans running around the network and the entire company is fucked, and by then it's too late.

If you're working for a company that doesn't think security is important enough to employ someone to be responsible for it, the actions of people like LulzSec aren't going to convince them otherwise. This coming from a sysadmin who's finally overcome a decade-old "don't patch ANYTHING once it enters production, not even the clients" mindset and now has the fun task of installing an average of 120 patches and three service packs on 300 servers. It took two branch offices getting their computers totalled by malware coming in on USB sticks before management got that particular message.

Re:Year of the Hacker (1)

Anonymous Coward | more than 2 years ago | (#36527518)

Tough? Lucrative is more the word I would use. Imagine all those CTOs messing themselves that they could be next, willing to pay over the odds to get a quick fix in.

Make hay while the sun shines!

Re:Year of the Hacker (1)

wiredog (43288) | more than 2 years ago | (#36527566)

That's been every year since, oh, sometime in the last quarter of the last century.

Re:Year of the Hacker (2)

ygbsm (158794) | more than 2 years ago | (#36527658)

You mean year of the criminal scum bag, right? It's time our community quit treating some of these guys like heroes and freedom fighters - they're vandals, crooks, and thieves, and need to be treated as such. There are no "grey hats" - you're either a white hat or a black hat, and you can't be both.

Re:Year of the Hacker (0)

ArhcAngel (247594) | more than 2 years ago | (#36527952)

That sounds eerily similar to what the king of England said a little over 200 years ago when tea [boston-tea-party.org] was dumped [wikipedia.org] in a harbor [eyewitnesstohistory.com] by some "criminals" [socialstudiesforkids.com].

Re:Year of the Hacker (0)

Anonymous Coward | more than 2 years ago | (#36528696)

Yeah, because all rebellious people that perform destructive acts are equally justified.
Back to school with ye!

Re:Year of the Hacker (0)

billcopc (196330) | more than 2 years ago | (#36528036)

Don't delude yourself. Without these high-profile vandals, we'd all be running around with "1-2-3-4-5" as our password, ripe for the real bad guys to plunder. At least these pranksters are raising awareness while causing relatively small damage.

I'm still amazed at the frequency of these high-profile breaches, mostly because developers and business owners should know better by now, but that's largely because I easily forget the fact that most people are terminally stupid. I distinctly recall one morning when I walked into the office around 11 a.m., all the guys were huddled over the boss' desk, staring at the results of a SQL injection attack. By the crack of noon, the vandalism was cleaned up, and I had written a 10-line script to prevent future SQL attacks across our entire cluster of web servers, hosting hundreds of sites. It really is that easy in 99.9% of all cases, I mean we're dealing with web sites here. You're either GETting a page or POSTing data. If a developer can't be bothered to sanitize their numbers and escape their strings before passing them to the database, that person deserves to get hacked and then sued for quackery. You can literally automate the whole process. Sure it "wastes" a few CPU cycles, much like deadbolts "waste" an inch of door jamb space.

If 2011 is the year of the digital vandal, I say bring it on. These days it takes a disaster to shake people out of their catatonic mental state anyway.
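The comment above says the fix for SQL injection is to validate numbers and keep strings out of the SQL text; as an added example (not the commenter's script and not WordPress code), here is the concatenation pattern beside its parameterised form, run against a constructed in-memory table. The `posts` table and its two rows are made up for the demonstration.

```python
import sqlite3
from typing import List, Optional

def make_db() -> sqlite3.Connection:
    """Constructed sample data: two posts, one of which must never be listed publicly."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, status TEXT)")
    con.executemany("INSERT INTO posts VALUES (?, ?, ?)", [
        (1, "Hello world", "publish"),
        (2, "Draft: unreleased pricing", "private"),
    ])
    return con

def titles_vulnerable(con: sqlite3.Connection, status: str) -> List[str]:
    """The pattern the comment complains about: a request value spliced into the SQL text."""
    sql = "SELECT title FROM posts WHERE status = '" + status + "' ORDER BY id"
    return [row[0] for row in con.execute(sql)]

def titles_safe(con: sqlite3.Connection, status: str) -> List[str]:
    """Parameterised query: the value travels separately, so a quote in it is data, not syntax."""
    rows = con.execute("SELECT title FROM posts WHERE status = ? ORDER BY id", (status,))
    return [row[0] for row in rows]

def post_by_id_vulnerable(con: sqlite3.Connection, post_id: str) -> Optional[str]:
    """Numeric field built by concatenation: anything after the digits is interpreted as SQL."""
    row = con.execute("SELECT title FROM posts WHERE id = " + post_id).fetchone()
    return row[0] if row else None

def post_by_id_safe(con: sqlite3.Connection, post_id: str) -> Optional[str]:
    """Validate the number first (the comment's 'sanitize their numbers'), then bind it."""
    try:
        n = int(post_id)
    except ValueError:
        return None  # not a number: refuse rather than pass it through
    row = con.execute("SELECT title FROM posts WHERE id = ?", (n,)).fetchone()
    return row[0] if row else None
```

A status value containing a single quote changes the meaning of the concatenated query but is matched literally by the bound parameter, which is why the parameterised version returns nothing for it.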

Re:Year of the Hacker (1)

wjousts (1529427) | more than 2 years ago | (#36528138)

Yes. I don't consider them heroes either. At best they are an angry mob, and mob rule isn't a desirable thing either.

Re:Year of the Hacker (0)

Anonymous Coward | more than 2 years ago | (#36531472)

One man's Terrorist is another's Freedom Fighter. I know which side you're on.

Re:Year of the Hacker (0)

lthorne (2265946) | more than 2 years ago | (#36528444)

Just stop using wordpress on old versions of apache. It's really quite simple. www.infaCORE.com is a far better solution and it cannot get SQL injected. Ever! Go ahead and try.

Re:Year of the Hacker (3, Interesting)

X.25 (255792) | more than 2 years ago | (#36528760)

It's looking increasingly like this year is going to be the year of the hacker. It's a new security breach every week (often several per week). It's getting to be quite dizzying.

Gonna be a tough year for IT security "professionals".

Professionals left that world and went onto other things when suits concluded that security products are enough.

So now, it'll be hackers vs security products and trained monkeys. Fun all around.

Re:Year of the Hacker (1)

sqldr (838964) | more than 2 years ago | (#36529404)

I can't wait for this year's version of this:

http://pwnies.com/
We all had a good laugh at microsoft's CSS "protection" code, but compared to this year, microsoft are starting to look quite good..

store hash instead of password (1)

Anonymous Coward | more than 2 years ago | (#36527308)

Is it too difficult to, instead of storing the actual passwords, store a hash and during authorization just compare the hashes?

Re:store hash instead of password (2)

Otto (17870) | more than 2 years ago | (#36527494)

WordPress does only store password hashes, using the PHPass hashing library.

Re:store hash instead of password (-1)

lthorne (2265946) | more than 2 years ago | (#36528558)

WordPress does only store password hashes, using the PHPass hashing library.

There are entire databases for sale that contain hash translations to passwords. Without salting the hash, you may as well store password in plain text. OR you can use your own mhash algorithm like we've done with our www.infaCORE.com product that is unique to each user and is regenerated each time the password is changed. These vulnerabilities that allow hackers to gain access have been around for years and are very easy to block. It's also a good idea to lock users out after 3 failed attempts.
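The two replies above make the salting argument in words; as an added example (not PHPass, not any commenter's product), this contrasts an unsalted digest, which a precomputed table recovers by lookup, with a per-user salted, iterated record that also enforces the three-failure lockout mentioned. The candidate list is constructed, and the KDF is PBKDF2 from Python's standard library rather than the construction WordPress uses.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed candidate list standing in for a purchased "hash translation" database.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "wordpress"]
MAX_FAILURES = 3  # lock the account after three consecutive bad attempts

def unsalted_hash(password: str) -> str:
    """Bare SHA-256: the same password always yields the same digest, on every site."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_lookup_table(candidates) -> Dict[str, str]:
    """Precompute digest -> password once; the table works against every unsalted store."""
    return {unsalted_hash(p): p for p in candidates}

def recover_unsalted(stored_digest: str, table: Dict[str, str]) -> Optional[str]:
    """An unsalted digest gives up the password by a plain dictionary lookup."""
    return table.get(stored_digest)

def make_salted_record(password: str, iterations: int = 100_000) -> dict:
    """Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256 from the stdlib).

    Two users with the same password get different digests, so no table built in
    advance matches either of them; the salt is stored alongside, it is not secret.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations,
            "digest": digest.hex(), "failures": 0}

def verify_salted(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt, compare in constant time, count failures."""
    if record["failures"] >= MAX_FAILURES:
        return False  # locked out: even the right password is refused now
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    ok = hmac.compare_digest(digest.hex(), record["digest"])
    record["failures"] = 0 if ok else record["failures"] + 1
    return ok
```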

Re:store hash instead of password (0)

Anonymous Coward | more than 2 years ago | (#36529806)

This is your second advertisement in this thread, attempting to capitalize on a hack that isn't part of the wordpress software, and I'm only halfway through. And yes, every single person here knows about salting and rainbow tables.

Please stop.

Re:store hash instead of password (1)

Phreakiture (547094) | more than 2 years ago | (#36527944)

That's fine until someone comes along with a rainbow table . . .

Re:store hash instead of password (0)

Anonymous Coward | more than 2 years ago | (#36528502)

That's a typical bullshit comment. Instead of generalizing your stance, back it up with empirical proof, kiddie.

A great reminder? (5, Insightful)

iateyourcookies (1522473) | more than 2 years ago | (#36527356)

"This is a great remainder [sic] for all users not use the same password for two different services."

No, it's not. Not even slightly.

The amount of mental effort required by users to memorise a different password for every internet site is at best unreasonable, if not a completely insane idea. While using the same password for Hotmail and internet banking is really not a good idea, using the same password for wordpress.com and wordpress.org is just common sense for people who don't have a photographic memory.

Blaming the user here is unreasonable.

Re:A great reminder? (1)

madhatter256 (443326) | more than 2 years ago | (#36527508)

It is good practice to use multiple passwords for different services.

I do it and I have A LOT of passwords to memorize. Luckily, I wrote them down on a piece of paper and have that kept in a safe place as I do tend to forget those that I hardly visit from time to time.

Now I know writing passwords in a text document and saving it on your PC is stupid, but writing it down on a piece of paper isn't. It's about how it's written, if you write passwords and leave it in your jewelry box or personal safe or with your files, then the burglar steals that stuff and your PC, then they have easy access to all your accounts. But if you put it inside places like as a bookmark for a novel or tape it under your desk, then that's stuff a burglar wouldn't really take if they were in a hurry.

So it is ok to write them down, but put that in a place a would-be burglar wouldn't look... unless the FBI raids your house, they look everywhere for stuff.

Re:A great reminder? (0)

Anonymous Coward | more than 2 years ago | (#36527630)

Based on recent events I would have to say the FBI don't raid your house and look everywhere, they'd just take your entire house.

Re:A great reminder? (1)

ccguy (1116865) | more than 2 years ago | (#36527860)

It is good practice to use multiple passwords for different services.

What good is that when you can reset/recover all passwords using the same email account?

Re:A great reminder? (1)

Grauwyler (861821) | more than 2 years ago | (#36531316)

It is good practice to use multiple passwords for different services.

What good is that when you can reset/recover all passwords using the same email account?

Then you just need a unique email account for each service that you sign up for.

Re:A great reminder? (1)

heypete (60671) | more than 2 years ago | (#36532528)

Google Mail, as an example, supports two-factor authentication (either with a smartphone app, a pre-printed list of one-time codes, or SMS messages to mobile phones). Enabling this feature makes it much more difficult for bad guys to compromise an account.

Re:A great reminder? (1)

Otto (17870) | more than 2 years ago | (#36527510)

Use an encrypted password storage system like 1Password or LastPass. Yes, it's not perfect, but what is? Passwords that don't look like line noise are vulnerable nowadays.

Re:A great reminder? (0)

Anonymous Coward | more than 2 years ago | (#36527644)

Untrue. A password such as "Abc123...Abc123...Abc123...Abc123..." is actually much harder to brute-force than "5@f!Kl$agR$-=s2".

Re:A great reminder? (1)

jank1887 (815982) | more than 2 years ago | (#36529696)

got it. will only ever log in from a single PC/mobile device. no need to remember more than 1 password evar.

Re:A great reminder? (1)

somersault (912633) | more than 2 years ago | (#36527528)

The user could just put the name of the website into the email. That will make it easy for someone to figure out their password scheme if they always use the same format of websitename-mypassword, but if they use it only for sites which store hashes, then it's going to be extremely unlikely that anyone will crack their passwords through pure brute force.

Re:A great reminder? (0)

Anonymous Coward | more than 2 years ago | (#36527554)

"This is a great remainder [sic] for all users not use the same password for two different services.

The amount of mental effort required by users to memorise a different password for every internet site is at best unreasonable, if not a completely insane idea. While using the same password for Hotmail and internet banking is really not a good idea, using the same password for wordpress.com and wordpress.org is just common sense for people who don't have a photographic memory.

Blaming the user here is unreasonable.

Could not agree more. I have several hundred site registrations, and I'm just a normal guy. Yeah....let's all use a different password on every site we visit. That'll work, no problem. How 'bout this? How 'bout WordPress.org (et al.) gets their crap together and secures their site?

Re:A great reminder? (1)

ZaMoose (24734) | more than 2 years ago | (#36529924)

Their site wasn't compromised AFAICT. Three plugin developers' accounts were compromised (passwords guessed?) and SVN checkins containing backdoors were pushed into their respective (fairly popular) plugins. This was intended to push malware out to individual WordPress installs.

Re:A great reminder? (1)

pongo000 (97357) | more than 2 years ago | (#36527618)

While using the same password for Hotmail and internet banking is really not a good idea, using the same password for wordpress.com and wordpress.org is just common sense for people who don't have a photographic memory.

I was going to mod this up, but thought it might be a good time for my annual suggestion of using passphrases [diceware.com] instead of random sequences of characters. Much easier to remember, and a short 3-word passphrase (maybe with a random character to increase entropy) usually satisfies the moronic "password strength" checks.

Re:A great reminder? (0)

Anonymous Coward | more than 2 years ago | (#36527698)

My password uses characters from the businesses name/URL somewhere in it. Each password is then unique and I only have to memorize the part of the password that doesn't change.

Re:A great reminder? (0)

Anonymous Coward | more than 2 years ago | (#36527816)

Who the fuck is "blaming the user" here, Mr. Strawmanbuilder?

Re:A great reminder? (1)

robmclarty (2211220) | more than 2 years ago | (#36527906)

Totally agree. Seriously, what have we got? Facebook, Google, Twitter, Github, Slashdot, Personal Sites, Banking, OmniAuth.... If I had a different, unique, strong password for each of these services my head would explode. Obviously you wouldn't want to use the same password for banking as you would for Twitter, but grouping things into manageable chunks is a must (e.g., all-social-networks-password, banking-password, all-personal-sites-password). But don't get me started on banks' online "security" with their forced 8-character-or-less-alphanumeric password systems (at least where I live in Canada... seriously, I make authentication systems all the time for clients; is it really that hard to allow users to determine the length and complexity of their own passwords?)

Re:A great reminder? (1)

tlhIngan (30335) | more than 2 years ago | (#36529566)

There's also the level of importance of the site to the user.

Some random blogger's website? My NYTimes login? Minor forums I visit? I'll just use the same damn password. Who cares if it's hacked? So someone could post as me. If that site becomes more important, then I can always change the password later.

My online banking/paypal/ebay/amazon/windows live/google password? Nice, secure and different (all linked to valuable accounts and services). My twitter/blog/NYTimes/slashdot/gawker/etc password? Simple ones because if they're hacked, well that's just an inconvenience that I'll have to make a new account.

Re:A great reminder? (2)

Tsar (536185) | more than 2 years ago | (#36527908)

"This is a great remainder [sic] for all users not use the same password for two different services."

Not [sic] it's not. Not even slightly.

Respectfully, I beg to differ. I'm running a password manager to keep track of all my passwords, online and otherwise. I'll never go back, and neither should you.

Except for my password to the app itself (which is absurdly long but memorized and periodically changed), all my passwords are unique, cryptographically secure random printable-character strings of the maximum length allowed by each system or 255 characters, whichever is shorter. I keep three deeply-encrypted copies stored remotely, so unless we lose North America, I'll never have a problem getting back into my Slashdot account.

Once I've entered my master password I only have to hit a system key combo to enter my credentials into any site, so after initial setup it's much more convenient than even using the same password everywhere. Yes, there are always potential security holes, but I believe that I'm managing them quite well, thank you.

I didn't realize how many sites I had login credentials for (well into the triple digits) until I set up this app. Most of them used one of a very small handful of passwords. What's worse, I sometimes tried several of those passwords before I got logged into a site, so a malicious site could easily keep track of those attempts and have the passwords for many of my other sites. Not any more. Changing a password isn't a chore anymore, because I don't have to re-memorize anything. I simply generate a password of the maximum allowed length and complexity, swap it out and move on. Finally, I don't have a photographic memory either, so it's good that I don't have to remember all the sites where I used the same password as I did on the current Hacked Site of the Day.

Re:A great reminder? (0)

Anonymous Coward | more than 2 years ago | (#36528020)

As if that was hard to do if planned properly:

http://blown-to-bits.blogspot.com/2011/05/passwords-part-two-of-two.html

Re:A great reminder? (0)

Anonymous Coward | more than 2 years ago | (#36528460)

Yeah, this _is_ a great reminder. Just use KeePassX (http://www.keepassx.org/) or something similar...

Slayers episode 17: A great reminder? (1)

Tetsujin (103070) | more than 2 years ago | (#36530730)

Yeah, this _is_ a great reminder. Just use KeePassX (http://www.keepassx.org/) or something similar...

I can't recommend this product highly enough. I've used Keep Ass X on my website for years, and I would certainly say it lived up to its promise of covering my ass!

Re:A great reminder? (1)

not-my-real-name (193518) | more than 2 years ago | (#36529270)

While it wouldn't be a good idea to write your password on a post-it stuck to your monitor at work, it might not be a bad idea to write your personal passwords for on-line services in a notebook that you keep at home. This way you can use multiple secure passwords for your on-line services.

UZ OHND MUTHAFUCKAZ!!! (-1)

Anonymous Coward | more than 2 years ago | (#36527418)

An Mista Rahjurz Huhd guna git uz sukaz!!!

Wrong as usual (5, Informative)

gaspyy (514539) | more than 2 years ago | (#36527474)

The summary is incorrect as usual.

Some contributors' accounts were compromised, resulting in updates containing backdoors appearing from those contributors. The blog entry mentions AddThis, WPtouch and W3 Total Cache. The WordPress.org plugin repository was not hacked.

Details on the malicious code? (0)

Anonymous Coward | more than 2 years ago | (#36527712)

Other than "backdoors", are there any details on what the malicious code in each of the plugins did? A simple back door isn't nearly as worrying if your exposure is limited to the time when you had the compromised plugin running but if the code made other more permanent changes or extracted information that would be a much bigger concern (and leave TONS of people with a huge cleanup effort to re-secure their sites).

Re:Details on the malicious code? (1)

Hatta (162192) | more than 2 years ago | (#36528782)

If you've been hacked, you have to assume there's a root kit. Unless you have checksums for every file on the machine, and scan it from a system on read only media, there's no way to prove there's not a back door you haven't discovered yet.
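The reply above says you can only prove a file was not altered if you hold checksums for every file and compare from a trusted environment; as an added example (not from any commenter and not a WordPress tool), this records a SHA-256 manifest of a directory tree and reports what a later "update" added, removed or changed. The plugin directory and its files are constructed in a temporary folder; a real baseline must come from a known-good copy, as the comment says.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

def build_manifest(root) -> Dict[str, str]:
    """Map each regular file (path relative to root, POSIX style) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest

def diff_manifest(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Files present only now (added), only in the baseline (removed), or with a changed digest."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }

def demo() -> Dict[str, List[str]]:
    """Constructed plugin tree: take a baseline, then simulate an update that edits one
    file and drops in a new one, and return what the comparison flags."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "wp-content" / "plugins" / "example-plugin"  # made-up plugin
        plugin.mkdir(parents=True)
        (plugin / "example-plugin.php").write_text("<?php\n// plugin bootstrap\n")
        (plugin / "readme.txt").write_text("=== Example Plugin ===\n")
        baseline = build_manifest(tmp)  # in practice: taken from a clean checkout

        # A later update touches the bootstrap file and adds a file the baseline never had.
        (plugin / "example-plugin.php").write_text("<?php\n// plugin bootstrap\n// extra line\n")
        (plugin / "helper.php").write_text("<?php\n")
        return diff_manifest(baseline, build_manifest(tmp))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Reading every file into memory is fine for a plugin directory but a streaming digest is the way to go for large trees; the comparison itself does not change.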

AddThis (1)

Megane (129182) | more than 2 years ago | (#36527772)

...and nothing of value was lost. (Thank you AdBlock Plus for letting me banish that piece of rollover crap.)

Seems like black ops to me now. (0)

unity100 (970058) | more than 2 years ago | (#36527854)

There is WAY too much hacking going on. And by some twist of fate, this just predates the pending internet censorship/control scheme vote in the American Senate. And American sources are attacked. Way too many 'coincidences'.

Either this is some shady operation, or there is no course called 'statistics' on this planet.

Re:Seems like black ops to me now. (0)

Anonymous Coward | more than 2 years ago | (#36528238)

And we all know from 'statistics' that correlation does not imply causation.

Re:Seems like black ops to me now. (1)

stderr_dk (902007) | more than 2 years ago | (#36528522)

And we all know from 'statistics' that correlation does not imply causation.

...but it does waggle its eyebrows suggestively and gesture furtively while mouthing 'look over there' [xkcd.com].

Re:Seems like black ops to me now. (1)

unity100 (970058) | more than 2 years ago | (#36529074)

When the correlation becomes statistically improbably congruent, it implies causation - direct or indirect.

Completely irrelevant (1)

Dunbal (464142) | more than 2 years ago | (#36527900)

This is a great reminder for all users not to use the same password for two different services.

And how is this going to result in a hacked website? Breaking into a user account should not give you administrator privileges. No, this is a great reminder to secure your fucking website against SQL injection, once again. Never trust your users just because they are "logged in". Now of course if the administrator of the website was using the same login/password as his gmail account or something then yes, he should be shot.
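
An added example of the two points in the comment above (my code, on a constructed sqlite3 table; not WordPress code, whose own parameterized helper is `$wpdb->prepare()`): a lookup that splices user input into the SQL beside the parameterized version, and an authorization check that is separate from "is this user logged in". The table contents and the role names are assumptions for illustration.

```python
"""String-built vs. parameterized SQL, plus a separate authorization check.
Added example on a constructed sqlite3 table; not WordPress code."""
import sqlite3


def make_db():
    """Constructed sample data: one administrator, one ordinary subscriber."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (login, role) VALUES (?, ?)",
                     [("admin", "administrator"), ("alice", "subscriber")])
    return conn


def find_user_vulnerable(conn, login):
    """Deliberately vulnerable: user input is spliced into the statement text."""
    sql = "SELECT id, login, role FROM users WHERE login = '%s'" % login
    return conn.execute(sql).fetchall()


def find_user_safe(conn, login):
    """Parameterized: the driver binds login as a value, so quotes are just data."""
    sql = "SELECT id, login, role FROM users WHERE login = ?"
    return conn.execute(sql, (login,)).fetchone()


def can_manage_plugins(user_row):
    """Authorization is a separate decision from authentication: check the role."""
    return user_row is not None and user_row[2] == "administrator"


def demo():
    """Run the same injection payload through both lookups and check roles."""
    conn = make_db()
    payload = "x' OR '1'='1"  # tautology: the WHERE clause becomes always-true
    return {
        "vulnerable": find_user_vulnerable(conn, payload),
        "safe": find_user_safe(conn, payload),
        "alice_can_manage": can_manage_plugins(find_user_safe(conn, "alice")),
        "admin_can_manage": can_manage_plugins(find_user_safe(conn, "admin")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the tautology payload the string-built query returns every row in the table, including the administrator; the parameterized one returns nothing because it looks for a login literally equal to the payload. The role check is what keeps a valid subscriber session from touching plugin code.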

Updated AddThis on one of my sites on the 19th (1)

stephathome (1862868) | more than 2 years ago | (#36528062)

I think this may explain why, when I updated AddThis on some of my sites, it caused the white screen of death instead. So far the sites look ok, but now I need to go over them in more detail.

Summary is full of shit, as usual (2)

billcopc (196330) | more than 2 years ago | (#36528128)

Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back

Three popular plugins. Yes, they're popular, I've used all three on several sites.

THAT'S IT! That is the extent of the damage. Three plugin authors whose passwords were exposed. Nobody "gained access to [...] the plugin repository". Dear submitter, go back to kindergarten and learn to read. It's in the first two goddamned sentences.

This place has gone to the dogs... where the hell is a guy supposed to get his tech news anymore?

Re:Summary is full of shit, as usual (0)

Anonymous Coward | more than 2 years ago | (#36531652)

where the hell is a guy supposed to get his tech news anymore?

Try Ars Technica. The comments aren't threaded and therefore less easy to read, but their articles are a big step up from Slashdot. The only reason I still come here is to read comments.

Re:Summary is full of shit, as usual (1)

404 Clue Not Found (763556) | more than 2 years ago | (#36532442)

Three popular plugins. Yes, they're popular, I've used all three on several sites.

THAT'S IT! That is the extent of the damage. Three plugin authors whose passwords were exposed. Nobody "gained access to [...] the plugin repository". Dear submitter, go back to kindergarten and learn to read. It's in the first two goddamned sentences.

What? How is uploading backdoor code to the repo not gaining access?

Wordpress users who updated their plugins because Wordpress told them to now have backdoor code on their websites. If that's not a security breach, I don't know what is.

Re:Summary is full of shit, as usual (1)

nstlgc (945418) | more than 2 years ago | (#36532978)

So how did they get the passwords of those users in the first place? Why do you believe those three were the only authors whose passwords were exposed?

And while I'm at it, why so butthurt? Do you have any personal stake in this?

Hackers get a life. (0)

Anonymous Coward | more than 2 years ago | (#36528258)

50-60% of the WordPress users are just that, normal people with a blog or a small business. Leave them alone, you're just hurting little people.

Arrogance from the IT Department (1)

TellarHK (159748) | more than 2 years ago | (#36531864)

As someone that's done a lot of end-user work, it annoys me to see the level of arrogance coming from posts like this one where the idea of using multiple passwords for different services is touted as the Only Responsible Way to do anything online.

It doesn't bother me because it's a bad idea, it bothers me because if it's so goddamned important - why haven't the companies that make our web browsers and operating systems put some fucking effort into building features for this into our infrastructure? I have accounts on dozens, if not _hundreds_ of sites, and the best I can manage for passwords is having a stable of a few passwords of increasing complexity dependent on how secure the site in question is. If it accesses my money in any way, it gets high-security. If it doesn't, it gets mid-security; if it's a hobbyist or community-run website it gets low security. On occasion, I need to change my low-security password (such as the Gawker hit) but that's part of the game. When I needed to change it, however, I needed to change it on dozens of websites.

Would a password management system be a good idea? Hell yes. Is it the best way to manage things? Sure, _as long as the repository is safe_. My problem with the arrogance noted above is due to the fact some people somehow magically expect normal users to do something that trained, knowledgeable IT people frequently consider too much of a pain in the ass to bother with.

If this is truly an important problem that needs to be tackled (protip: It is) then let's get some industry muscle put to work here. Get the HTML standard to include a password management and transmission feature, something robust enough to handle the hundreds of sites people may actually visit. Build the OSX Keychain into my web browser, instead of having to set up plugins like KeePass to do a job the browser should already be handling. Fucking do _something_ to improve this situation, on a wide-scale infrastructure level. It's not impossible. It just takes the right people to get it done.
