Wine HQ Password Database Compromised
With his first accepted submission, tyler.russell writes with a report that the WineHQ database systems were compromised. Quoting the official announcement: "We are sorry to report that recently our login database for the Wine HQ Application Database was compromised. We know that the entire contents of the login database was stolen by hackers. The password was encrypted, but with enough effort and depending on the quality of your old password, it could be cracked. We have closed the hole in our system that allowed read access to our database tables. To prevent further damage we have reset your password to what is shown below. We strongly suggest that if you shared your AppDB password on any other sites that you change that password as soon as possible." He adds: "A new username and password were included with this email."
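The announcement says the stolen passwords were "encrypted" but crackable "depending on the quality of your old password". What that usually means is a single unsalted hash per row. The following is an added illustration, not WineHQ's code: a legacy record of that kind next to a salted, iterated PBKDF2 record, plus a constant-time verifier. The iteration count, the record format and the sample accounts are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Added example (not WineHQ's code): two ways a login database can record a
# password, and why a dump of one is far more damaging than a dump of the other.

PBKDF2_ITERATIONS = 200_000  # assumption: tune so one check costs ~100 ms on the server


def legacy_record(password: str) -> str:
    """Single unsalted hash. Two users with the same password get identical
    records, and one pass over a wordlist tests every account at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hardened_record(password: str, salt: bytes = b"") -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex> so the parameters
    travel with the record and can be raised later without a migration."""
    if not salt:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hardened(password: str, record: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    try:
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:  # malformed salt or iteration count
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


def users_sharing_records(records: dict) -> int:
    """Number of users a dump groups together by identical record, which is
    what an attacker sees before cracking anything. Zero for salted records."""
    seen = {}
    for user, rec in records.items():
        seen.setdefault(rec, []).append(user)
    return sum(len(users) for users in seen.values() if len(users) > 1)


if __name__ == "__main__":
    # Constructed sample accounts; "password1" is reused by two of them.
    sample = {"alice": "password1", "bob": "password1", "carol": "Tr0ub4dor&3"}
    legacy = {u: legacy_record(p) for u, p in sample.items()}
    hardened = {u: hardened_record(p) for u, p in sample.items()}
    print("users grouped by identical legacy records:", users_sharing_records(legacy))
    print("users grouped by identical hardened records:", users_sharing_records(hardened))
    print("verify alice:", verify_hardened("password1", hardened["alice"]))
```

The salt stops a single wordlist pass from testing every row at once, and the iteration count makes each guess cost the attacker as much as it costs the server; neither helps a user whose password is itself in the wordlist, which is why the reset and the "change it elsewhere" advice still apply.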
Ah Hell (Score:1)
Re: (Score:1)
Same here... I shudder to think of the consequences if I had the same password everywhere. Given what the stats say about people's habits on passwords, there are probably a lot of people that are at risk with other online accounts when this sort of thing occurs.
The really frightening thing is that for each of the break-ins we hear about, there are probably countless others done successfully (i.e., without detection) that we don't know about.
Re:Ah Hell (Score:4, Funny)
entire contents of the login database was stolen by hackers
Dammit. They didn't steal it. They made a copy. Okay?!
Re: (Score:2)
According to the dictionary, they stole it. Perhaps you have a personal, very narrow definition of Steal. The word means more than you think it does.
Re: (Score:2)
Alas, it's a common feeling around these parts. If only they were all joking..
Re: (Score:1)
Re: (Score:2)
Right. Every pirate claims that all things that involve copying in any way must be harmless. According to my straw man, at least.
Re: (Score:2, Insightful)
Right, and I often hear them say that, except the problem is that no part of the definition of steal ever involves deprivation. Usually stealing leads to deprivation, but it's not required. Since the early 1900s, the definition of steal has included obtaining without permission, no deprivation involved whatsoever, especially in legal dictionaries which are what matters in this context.
Similarly, if you take control of a bus, but continue to drive all passengers to their destination and allow them to alight,
Re: (Score:3)
Re: (Score:2)
I'm not arguing about whether or not copyright infringement is good or bad. Sorry if my message came across that way. What I was criticising was the fact that geeks are at the forefront of every advancement in society, and embrace new ideas and modern movements, but they make a special case for the word "steal" (which has evolved with the language, and includes obtaining without permission), and pretend it doesn't have that meaning simply so they can keep saying that copyright infringement isn't "stealing".
Re: (Score:3)
In the UK the definition of theft explicitly sets out several tests including:
"dishonestly acquire, with the intention to permanently deprive"
This is why we have other laws such as the offence of "Taking without consent" of a motor vehicle, which covers situations where the acquisition can be proven dishonest but no intent to permanently deprive can be proven i.e. the offender takes, uses and abandons a vehicle, maybe even at or near where the owner left it.
Most of the English speaking (officially/legally)
Re: (Score:2)
I concur, good sir. But we were talking about the word "steal" not "theft". Contrary to my comments about "steal", "theft" almost universally does involve the removing of products, and deprivation. To recap, GP made a common /, rail against the word "stole", to describe the actions of people who made a copy of the database. I pointed out that "steal" doesn't necessarily involve deprivation, and the legal definition includes taking without permission - even if no deprivation occurs. Talking about a verb here
Re: (Score:3)
In English Law "steal" refers to "theft". It's the same.
From the Theft Act 1968 (current English Law):
"A person is guilty of theft, if he dishonestly appropriates property belonging to another with the intention of permanently depriving the other of it; and "thief" and "steal" shall be construed accordingly."
Dishonestly appropriating the contents of another person's database wouldn't be theft in England, though it would be a very serious offence under the Computer Misuse Act. The penalty could be as high
Re: (Score:2)
So what you are saying is that it is by definition impossible to steal someone else's idea for something.
Re: (Score:2)
In English law, yes. In common speech, no. In other legal systems, I don't know.
Common usage is often very different to strict or technical usage or even dictionary definition, and not just in law, so 'yes', 'no' and 'maybe, it depends' are all valid answers to your question (challenge?).
Re: (Score:2)
I concur, good sir. But we were talking about the word "steal" not "theft".
Take a look at this in New Zealand law
http://www.legislation.govt.nz/act/public/1961/0043/latest/DLM329897.html#DLM329897 [legislation.govt.nz]
I do not know what the codified definition of theft or steal is in your jurisdiction or if it's even the same as in New Zealand. The point is, depending on what is written in the law, chances are your definition does matter.
Re: (Score:1)
Sorry, but that definition still is, and always will be, complete and utter bullshit.
All of your points involved the physical world. The act of theft, or stealing, can ONLY occur in the physical world. It blows my mind that anyone can come to a different conclusion once all things are considered. You cannot steal an idea, thoughts, etc. All you can do is share in them.
Regardless of how one feels about intellectual property, we should be able to not treat each other like idiots and stop using the word t
Re: (Score:2)
I never brought up copyright infringement? I wasn't arguing for or against copyright infringement at any point in time. I was purely talking about the word "steal".
You seem to be confusing the verb as a word, as I'm talking about it, and the criminal act. You're setting out with the notion that to "steal" only involves the physical world. May I ask where you got this notion? Not from the dictionary (although I'm certain you can find a dictionary with physical removal as the only definition of the word "stea
Re: (Score:1)
It was just a comment on GPs attempt to dismiss the matter of "stealing" having occurred, when, if you accept the latter three definitions above, it did. If you choose to dismiss any dictionary which defines "steal" as also involving non-physical objects, that's your choice - but that doesn't resolve a dispute on the topic. Geeks need to man up about this and accept that words change. It's like folks are treating "steal" as a dirty word, and something they like to pretend they're not involved with; Denying any modern meaning of the word is how they go about setting themselves apart, and feel better about what they do.
You're wrong, and on many levels.
Plagiarism is not a form of stealing. Just like copyright infringement, it is a separate act, that for exactly the same reasons, had the word steal misappropriated to benefit the copyright holders.
Geeks do not need to "man up". We need to bunker down and refuse to allow people like you to change the word. Saying that change is just part of life, and like oh well, just go with the flow is harmful bullshit.
I don't "pretend" anything. I have fully admitted, that on many occ
Re: (Score:2)
Whom do you suggest should decide on the definition of a word? Where do you think Oxford, et al, draw their current definitions from?
Aside from that, I agree with every aspect of your stance against the criminalisation of copyright infringement. I concur that copyright has been warped and distorted completely from its original purpose, and that copyright now almost serves the opposite purpose that it was intended to. It was intended to provide an author with a modest fee, to encourage the author to continue
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
TL;DR version:
You cannot steal an idea, thoughts, etc
Dictionary definition:
Steal
"to appropriate (ideas, etc) without acknowledgment, as in plagiarism"
My point was only ever that geeks are trying to ignore any definition of the word steal which doesn't suit them - I'm not arguing the merits of or against any act.
Re: (Score:1)
So you think the only thing that can do harm is stealing? So I guess it's OK if someone burns your house down, because after all, it's not stealing.
Re: (Score:2)
I think that's true.
Re: (Score:2)
Re: (Score:2)
I feel for this troll... He can't even tell the difference between an OS kernel and a database application...
Re: (Score:2)
Touché (sort of)...
Oh that's secure (Score:4, Interesting)
Re: (Score:2)
those were my thoughts exactly.. i figured it would be a forced reset on log-on and an e-mail with a unique id to use during that (think of it as a second factor token)..
but to just reset the password and send it.. that is just ...........
Re: (Score:1)
With sending a new username/password combination, someone who can read your mail but doesn't have the old password can get into your account. While with a personalized link, you'd hopefully still have to authenticate with your old password, so only someone who has both access to your mail and your old password can get into your account.
Re: (Score:2)
So basically you're saying that assuming these hackers have gone in, recovered your password, AND you used the same password for your email, it's safe to assume they didn't change your password to lock you out?
Although no answer is perfect, in your solution you are requiring that the original WineHQ accounts are still uncompromised which is an unsafe assumption. Assuming the email is still safe is generally the safer of the two options. Using the email the only people that MIGHT get burned are those that us
Re: (Score:1)
That's absolutely not what I said. Here's a relevant portion of my post: "someone who can read your mail but doesn't have the old password can get into your account" (the emphasis was even there in the original). That is, you are not only vulnerable against the original hackers, but in addition to other
Re: (Score:2, Insightful)
Re: (Score:1)
Re: (Score:2)
Password reset confirmations sent to your recorded email when you try to log in again.
Re: (Score:1)
They wanted to see who would wine about it.
Re: (Score:3)
It's much harder to intercept email than it is to decrypt an encrypted password: assuming that WineHQ users are typical in their password habits, about 75% of the passwords in the database are vulnerable to a dictionary attack and thus should be considered known to the attackers. By giving everyone a new password and emailing them in the clear to the users, they ensure that only those users who also have their email inte
Re: (Score:2)
They should have done it with white text on a white background, so that you couldn't see it through the e-nvelope. Only once you open the email and highlight or copy/paste the details will it become readable.
That's how I send all my private messages anyway
Re: (Score:2)
They were being sent in clear text all along anyway. The login isn't done over SSL.
Re: (Score:2)
They hacked a database, not Linux :)
If you troll, then at least get your facts straight. This is just lame.
Re: (Score:2)
"but with enough effort and depending on the quality of your old password, it could be cracked."
So just wait for the torrent to come out and check the list then.
Re: (Score:2)
So, you don't remember what your password was on the site?
Check your browser saved passwords!
How secure... (Score:1)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
But then you run into the whole issue of the resets being sent in cleartext anyways, so not much improvement there...
The big problem with this method is when the website uses one those absolutely asinine recovery systems that asks you for the answer to a secret question. Most security-wise people fill that field full of gibbe
Re:How secure... (Score:4, Insightful)
Sending passwords in clear-text emails is only a minor security risk: in general, only network providers, system administrators, and three-letter agencies are in a position where they can intercept or read a user's email. If the people who attacked the WineHQ database don't fall into one of those categories, resetting passwords and sending the new ones in clear-text emails represents a dramatic reduction in the impact of the database compromise. If the attackers *do* fall into one of those categories, sending the emails does not increase the impact.
Re: (Score:2)
Re: (Score:1)
More likely, using the password reset feature of many sites which works by sending out an email.
Re: (Score:1)
Re: (Score:1)
just as secure as resetting your password via email by clicking on the "I forgot my password link", If someone can intercept your email they can easily change your passwords.
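The thread keeps circling the same design question: what should the reset e-mail actually carry? The commenters who prefer a forced reset on next log-on with a one-time identifier in the mail are describing the flow below. This is an added example, not WineHQ's code: the message carries a random single-use token that expires, the server stores only the token's hash (so a second dump of the table yields nothing redeemable), and the new password is chosen by the user after redemption rather than mailed out. The URL, the TTL and the usernames are assumptions.

```python
import hashlib
import secrets
import time

# Added example (not WineHQ's code): password-reset tokens that are single-use,
# time-limited, and stored only as hashes. The e-mail never contains a password.

TOKEN_TTL_SECONDS = 60 * 60  # assumption: a reset link is valid for one hour


class ResetTokenStore:
    def __init__(self):
        self._tokens = {}  # sha256(token) -> (username, expires_at)

    def issue(self, username: str, now: float = None) -> str:
        """Create a token for the e-mailed link. Only its hash is kept server-side,
        so a read of this table does not hand out usable links."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        key = hashlib.sha256(token.encode("ascii")).hexdigest()
        self._tokens[key] = (username, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, now: float = None):
        """Return the username if the token is valid, else None. The entry is
        removed on first presentation, so a link works exactly once."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode("ascii")).hexdigest()
        entry = self._tokens.pop(key, None)
        if entry is None:
            return None
        username, expires_at = entry
        if now > expires_at:
            return None
        return username


def reset_email_body(username: str, token: str) -> str:
    """The only secret in the message is the link; no username/password pair."""
    # Hypothetical reset endpoint, not a real WineHQ URL.
    return (
        f"Hello {username},\n"
        "Your AppDB password must be reset before you can log in again.\n"
        f"Open https://appdb.example.org/reset?token={token} within one hour.\n"
        "The link works once. If you did not expect this message, ignore it.\n"
    )


def demo_flow():
    """Walk the flow with a fixed clock so the outcomes are reproducible:
    first use succeeds, reuse fails, an expired token fails, junk fails."""
    store = ResetTokenStore()
    t = store.issue("alice", now=1000.0)
    first = store.redeem(t, now=1500.0)           # within the hour: "alice"
    second = store.redeem(t, now=1501.0)          # already consumed: None
    t2 = store.issue("bob", now=1000.0)
    expired = store.redeem(t2, now=1000.0 + TOKEN_TTL_SECONDS + 1)  # None
    unknown = store.redeem("not-a-real-token", now=1000.0)           # None
    return first, second, expired, unknown


if __name__ == "__main__":
    store = ResetTokenStore()
    tok = store.issue("alice")
    print(reset_email_body("alice", tok))
    print("redeemed for:", store.redeem(tok))
    print("demo outcomes:", demo_flow())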
I just read about this (Score:1)
And went to my email and sure enough it's in my spam filter. So check there if you have missed it.
Re: (Score:1)
YET AGAIN?
And when it was problematic before?
Come on... I'm pretty sure PHP itself is not the problem. The problem is how you secure your system so it can't access all the information. You can just store passwords on a system which will never give you a complete list of hashes of all accounts at once (a dumb, but simple solution that works) and will send an alert to the admin.
Grenade in the hands of the monkey is dangerous and may kill you, but not in the hands of Rambo.
If you write code in a bad way, it can't
Re: (Score:3)
It's not PHP that's the problem here, it's the specific software package phpMyAdmin [phpmyadmin.net]. It's software that should never be deployed on an Internet-facing computer because of its security problems: about a third of the malicious traffic on my webserver is people probing for phpMyAdmin installations.
Re: (Score:2)
It's not PHP that's the problem here, it's the specific software package phpMyAdmin [phpmyadmin.net]. It's software that should never be deployed on an Internet-facing computer because of its security problems: about a third of the malicious traffic on my webserver is people probing for phpMyAdmin installations.
This. phpMyAdmin has security problems. However, this was likely an authentication breach.
It doesn't matter what software they use; the fact they have complete database management online makes it a lot easier for user details to be taken.
Re: (Score:1)
At least they found out about it... (Score:1)
Most site admins are clueless about security, so the fact that they caught the intrusion at all is a very good sign.
I always wonder how many sites are actually compromised out there.
Remember, folks, it's always a good idea to USE A UNIQUE PASSWORD ON EVERY SITE! Of course, I'm probably preaching to the choir here.
Re: (Score:2)
Re: (Score:1)
Unique passwords are hard to remember (at least, if they're any good). Password managers help (a lot) but if the main password gets keylogged, you're screwed. We really need a better system than ID + password.
I have an algorithm I use in my head that's based on the site name. It's not perfect, and if someone *really* wanted to figure it out and they had one of my passwords, they could do it. But, the barrier has been raised at least so most hackers will just test it out on various major sites then ignore it if it doesn't work.
For instance, say your main password is "bur_rito" (too short, but it's an example), and the site here is slashdot.org. To create a unique password, you could do something like:
* Tak
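The commenter's mental scheme is a visible transformation of the master password, which is why one leaked site password can expose the rule. The block below is an added example, not the commenter's own algorithm, and it goes beyond it: the per-site password is derived with a keyed hash (PBKDF2 on the master once, then HMAC-SHA256 over the normalized host name and a counter), so a leaked derived password reveals neither the master nor any sibling, and bumping the counter rotates a single site. The master "bur_rito" is the comment's own example; the iteration count, the domain tag and the output length are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Added example, not the commenter's scheme: derive per-site passwords from a
# master secret with a keyed hash instead of a guessable text transformation.

MASTER_KDF_ITERATIONS = 200_000   # assumption: slows brute-forcing the master from one leak
DOMAIN_TAG = b"site-password-v1"  # assumption: fixed label; change it to rotate everything


def normalize_site(site: str) -> str:
    """'https://www.Slashdot.org/story/1' and 'slashdot.org' must agree,
    otherwise the same site yields different passwords on different visits."""
    if "://" not in site:
        site = "https://" + site
    host = (urlsplit(site).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def derive_site_password(master: str, site: str, counter: int = 1, length: int = 20) -> str:
    """Stretch the master once with PBKDF2, then HMAC over (site, counter).
    Raise the counter when one site's password must change; the rest stay put."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), DOMAIN_TAG, MASTER_KDF_ITERATIONS)
    msg = f"{normalize_site(site)}:{counter}".encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # urlsafe base64 of 32 bytes: 43 characters of letters, digits, '-' and '_'
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")[:length]


if __name__ == "__main__":
    master = "bur_rito"  # the comment's example master; far too short for real use
    for site in ("slashdot.org", "https://www.slashdot.org/story/11/10/11", "appdb.winehq.org"):
        print(f"{normalize_site(site):20s} {derive_site_password(master, site)}")
    print("after rotation:", derive_site_password(master, "slashdot.org", counter=2))
```

Two caveats a practitioner will hit immediately: you still have to remember each site's counter, and the fixed charset and length cannot satisfy sites with their own restrictions (a point raised further down the thread), so a password manager remains the more general answer; the derivation is a fallback for the handful of accounts you need without the manager at hand.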
Re: (Score:1)
This has got to be the worst thing about using a password manager, the fact that you have to remember which sites have what restrictions.
Re: (Score:2)
No they are not. Come up with better passwords. Use phrases instead of total randomness. "This Is The Worst Password any 1 has ever |-|ad", is one such password that is easy to remember and very secure.
Re: (Score:3)
And remembering which one you used on every single site you use regularly? Sure, for email and the like, but there are at least a dozen (probably more) sites I visit semi-regularly. Remembering such passwords for each site is quite a trick. You can vary the password based on the site name (as others have suggested) or some such scheme, but it gets tricky if you use even a fair number of internet sites.
I only remember the passwords for 3-4 sites I visit (which I might want to access from random computers), a
Re: (Score:2)
My password database just passed the 300-entry mark. How on Earth am I supposed to remember that many unique passphrases, especially for sites I might not visit for years at a time?
Re: (Score:2)
In addition to the other replies, I'll add that some (most?) sites implement passwords poorly. The worst offender is a length limit, which I've seen capped at 20 or less. I still have to use some old Unix systems that won't recognize anything beyond 8 (and "This Is " isn't exactly a good password).
Until sites do things right, passphrases won't work.
Re: (Score:2, Insightful)
Good, unique passwords are fine until you have more than a handful of accounts. Even using a base password with something unique per site will only get you so far.
Password managers are the next step, but they have to be available wherever you happen to be. That either means a smartphone (but typing in the password from my phone defeats the purpose and is a pain with truly strong passwords, a lost/stolen phone becomes a nightmare, and I don't have a smartphone anyway) or a website I can log into and copy/p
Re: (Score:2)
We really need a better system than ID + password.
I've changed to Google's account for as many sites as I can (Google supports OpenID), and I use two factor auth for my google account.
Some things I like with openid:
1. you don't need to have any special agreement or API key to services to add support for it to your site.
2. If you don't trust provider A, then use provider B instead.. Or set up your own OpenID server.
3. Since it's only one place you need to log in (and log out of), you can afford to have extra security there, which would otherwise be too annoy
Good thing I drink beer instead (Score:2)
But really, the important lesson from this is that you shouldn't share passwords between different sites. Use a variety of auth manager and a lot of the risk goes away.
Dropbox+KeePassX (Score:3, Interesting)
If you accept that the internet will spit out your details at some point, do this:
1. Sign up to dropbox (it's free and works on all platforms - including mobiles)
2. Get a copy of Keepassx, mac/windows version might have different name, never used them.
3. Store the keepassx database on dropbox so you've always got access to it.
4. Each website gets its own generated password, short passwords for things you might need to type in on a phone but still random.
This way, 1 bad event like this keeps you safe. I have both on my Android as well so it's with me always. /Maq
Re: (Score:2)
I have been using LastPass for a while now. And the more I use it, the more skittish I get.
It's not that I'm really worried about losing access to the 500 or so sites in my database. Most of those I could reset via email.
And my email password has to be rememberable because of my android phone and such.
I just feel really skittish about relying on something that, in-effect, is an absolute book of knowledge about me. I used to keep that book inside my head. Now, it's out there. And it keeps me up some nig
Re: (Score:2)
I don't know if LastPass is the same but I use 1Password and the data in that is encrypted with a password which is not stored in the database. By the sounds of the product name I'm guessing yours is similar.
So even if someone does manage to get your password file they'd still have to crack your master password which I'd hope is exceedingly secure.
LastPass and Yubikey, and client security (Score:2)
LastPass (cloud service with browser plugins) supports Yubikey, a low-cost token for two-factor authentication - so someone would have to both install a keylogger on my system and physically steal the Yubikey token to get the LastPass passwords. http://www.yubico.com/ [yubico.com]
This makes it actually more secure to always use LastPass even if you remember the site password, because the LastPass login is Yubikey protected while the site password isn't (and the way LastPass sends the password to the site doesn't involv
Re: (Score:1)
Re: (Score:2)
I use 1password with this setup.
It works really well though it was a bit expensive to set up - I had to buy 1password for mac, windows and phone, so I think it cost about $60.
Still, it got me onto dropbox which I now use for quite a few things :)
Re: (Score:2)
Encryption- either the Advanced Encryption Standard (AES) or the Twofish algorithm are used - encryption of the database in 256 bit sized increments
Reminder to Manage Your Passwords (Score:2, Informative)
Use a password manager like LastPass [lastpass.com] or KeePass [keepass.info], or, as I do, keep an encrypted file of your sites+logins+passwords.
You really need to manage your passwords. Reusing the same pass in multiple places is just a problem waiting to happen.
... is not an emulator (Score:3)
First kernel.org and now this? (Score:1)
should have used apache (Score:2, Informative)
those showoffs were running IIS on WINE.
Good thing (Score:2)
They recently deleted my account. After not having used it for a few years, I started getting several messages about old comments and reports I'd made being deleted, then I got a message saying my account would be deleted as well.
They kind of lost a lot of credibility with me when they insisted I make good on my pledge to buy a copy of the program when some random person claimed to have gotten my requested app to run. Except you couldn't open, work with, or save any files, and no one verified the report. Bu
Wait a frigging second, what's going on here? (Score:2)
They recently deleted my account. After not having used it for a few years, I started getting several messages about old comments and reports I'd made being deleted, then I got a message saying my account would be deleted as well.
They deleted my account as well - didn't mess with the pledge stuff and no malice on my part, just the fact that I got game consoles and Linux gaming didn't really keep me on grip. =)
But the weird thing is this: they just now sent me a new password. Did you get this notice as well? I tried to log in with the new password, and it said the account didn't exist. I re-registered, boom, there I was again, so it was not like it was somehow closed for all the eternity.
Did they keep my email and hashed password on
Re: (Score:2)
I got no such e-mail from them.
Re: (Score:2)
They kind of lost a lot of credibility with me when they insisted I make good on my pledge to buy a copy of the program
You can't buy Wine, it's community-supported FOSS. Are you confusing them with CodeWeavers (CrossOver etc), by chance?
Re: (Score:2)
Re: (Score:2)
Right, I was thinking of CrossOver. It's been a few years.
My account from the appdb was deleted though.
Bug databases should not require passwords (Score:1)
Re: (Score:1, Troll)
Looks like you forgot to check "Post Anonymously" when replying to yourself.
Re: (Score:1)
Don't worry:
Microsoft crashed stock exchanges twice and they had some source code stolen from them during the hack.
The score is still Linux-Windows: 3-2 :P
Re: (Score:2)