
Wine HQ Password Database Compromised

Unknown Lamer posted about 3 years ago | from the assailant-reportedly-doped-up-on-php dept.


With his first accepted submission, tyler.russell writes with a report that the WineHQ database systems were compromised. Quoting the official announcement: "We are sorry to report that recently our login database for the Wine HQ Application Database was compromised. We know that the entire contents of the login database was stolen by hackers. The password was encrypted, but with enough effort and depending on the quality of your old password, it could be cracked. We have closed the hole in our system that allowed read access to our database tables. To prevent further damage we have reset your password to what is shown below. We strongly suggest that if you shared your AppDB password on any other sites that you change that password as soon as possible." He adds: "A new username and password were included with this email."
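Why the announcement hedges with "depending on the quality of your old password" is worth seeing in code. The block below is an added example written for this page, not WineHQ's or Slashdot's code, and it assumes for illustration only that the stolen table held unsalted MD5 digests (the announcement does not say which scheme was used). It runs a dictionary attack over a constructed three-user dump twice, first against unsalted MD5 and then against the same passwords stored with a per-user salt and PBKDF2-HMAC-SHA256, and counts the hash computations each requires. The wordlist, usernames and passwords are constructed.

```python
import hashlib
import hmac
import os

# Assumption for illustration: the leaked table held unsalted MD5 digests.
# The announcement does not say which scheme WineHQ actually used.
ITERATIONS = 10_000  # PBKDF2 round count, kept low so the demo runs quickly;
                     # production uses far more, or a memory-hard KDF (scrypt/Argon2).

WORDLIST = ["password", "123456", "letmein", "wine", "qwerty", "dragon"]


def md5_hex(pw: str) -> str:
    return hashlib.md5(pw.encode()).hexdigest()


# Constructed sample dump: the shape of what the attackers would be holding.
LEAKED_UNSALTED = {
    "alice": md5_hex("letmein"),
    "bob": md5_hex("wine"),
    "carol": md5_hex("C0rr3ct-H0rse-Battery!"),  # not in any wordlist
}


def crack_unsalted(dump: dict, wordlist: list) -> tuple:
    """Dictionary attack on unsalted, fast hashes.

    Every candidate is hashed once and looked up against all users at the
    same time, so the work is len(wordlist) no matter how many accounts the
    dump holds.  Returns (cracked, hashes_computed).
    """
    table = {md5_hex(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(table)


def derive(pw: str, salt: bytes) -> bytes:
    """Slow, salted derivation: PBKDF2-HMAC-SHA256 with ITERATIONS rounds."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)


def store_salted(pw: str) -> tuple:
    """What the server should have kept per user: (random salt, derived key)."""
    salt = os.urandom(16)
    return salt, derive(pw, salt)


def verify_salted(pw: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(derive(pw, salt), digest)


# The same three users, stored the way they should have been.
LEAKED_SALTED = {
    "alice": store_salted("letmein"),
    "bob": store_salted("wine"),
    "carol": store_salted("C0rr3ct-H0rse-Battery!"),
}


def crack_salted(records: dict, wordlist: list) -> tuple:
    """Dictionary attack on salted, slow hashes.

    The salt defeats the shared lookup table, so each user costs a separate
    pass over the wordlist, and each guess costs ITERATIONS rounds of HMAC.
    Weak passwords still fall, only more slowly; strong ones do not fall at
    all, which is exactly the "quality of your old password" caveat.
    Returns (cracked, hashes_computed).
    """
    cracked, computed = {}, 0
    for user, (salt, digest) in records.items():
        for w in wordlist:
            computed += 1
            if hmac.compare_digest(derive(w, salt), digest):
                cracked[user] = w
                break
    return cracked, computed


if __name__ == "__main__":
    print("unsalted MD5  :", crack_unsalted(LEAKED_UNSALTED, WORDLIST))
    print("salted PBKDF2 :", crack_salted(LEAKED_SALTED, WORDLIST))
```

Both runs recover alice and bob and miss carol; the difference is that the unsalted table costs six fast hashes for the whole dump, while the salted one costs thirteen slow derivations for three users and grows with every account added. Scale that to a real user base and a real wordlist and the salt plus iteration count is what turns "cracked overnight" into "cracked only if the password was weak".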


Ah Hell (1)

masternerdguy (2468142) | about 3 years ago | (#37684332)

Welp, there goes my information.

Re:Ah Hell (1)

Anonymous Coward | about 3 years ago | (#37684414)

Same here... I shudder to think of the consequences if I had the same password everywhere. Given what the stats say about people's habits on passwords, there are probably a lot of people that are at risk with other online accounts when this sort of thing occurs.
The really frightening thing is that for each of the break-ins we hear about, there are probably countless others done successfully (i.e., without detection) that we don't know about.

Re:Ah Hell (4, Funny)

Anonymous Coward | about 3 years ago | (#37684434)

entire contents of the login database was stolen by hackers

Dammit. They didn't steal it. They made a copy. Okay?!

Re:Ah Hell (1)

black3d (1648913) | about 3 years ago | (#37684498)

According to the dictionary, they stole it. Perhaps you have a personal, very narrow definition of Steal. The word means more than you think it does.

Re:Ah Hell (0)

Anonymous Coward | about 3 years ago | (#37684530)

Somebody didn't get the joke. well played, AC.

Re:Ah Hell (1)

black3d (1648913) | about 3 years ago | (#37684772)

Alas, it's a common feeling around these parts. If only they were all joking..

Re:Ah Hell (1)

TechLA (2482532) | about 3 years ago | (#37684548)

It's not stealing since they still have the original data left. Hackers only made a copy of that. No harm was done.

... that is, according to the Pirate Party and pirates on /.

Re:Ah Hell (1)

cheekyjohnson (1873388) | about 3 years ago | (#37684716)

Right. Every pirate claims that all things that involve copying in any way must be harmless. According to my straw man, at least.

Re:Ah Hell (1, Insightful)

black3d (1648913) | about 3 years ago | (#37684746)

Right, and I often hear them say that, except the problem is that no part of the definition of steal ever involves deprivation. Usually stealing leads to deprivation, but it's not required. Since the early 1900s, the definition of steal has included obtaining without permission, no deprivation involved whatsoever, especially in legal dictionaries which are what matters in this context.

Similarly, if you take control of a bus, but continue to drive all passengers to their destination and allow them to alight, you're still guilty of kidnapping (actually, the definition of this varies between States, however in my country there is one legal definition, and it includes conveyance without legal permission.)

I know the pirates want to hold onto a single, antiquated definition of the word to try and force their views, but language changes - geeks are usually at the forefront of this adoption, and it's sad to see people so eager to give up societal advancement for personal gain. For all our pretence of social and moral superiority over our forebears, folks are as self-indulgent as ever - this hypocritical stance against the modern definition of "steal" is a great example.

Re:Ah Hell (2)

NoSig (1919688) | about 3 years ago | (#37685000)

The word steal invokes the mental image of taking away, while copyright infringement doesn't, so steal is an inaccurate label for copyright infringement since no taking away is involved. The same thing that makes it inaccurate is exactly what makes it a great rhetorical trick. It's like referring to a speeder as a "dangerous criminal" or someone who thinks that trains should run on time as someone who "holds certain views in common with Nazis". You can think and argue that copyright infringement is bad without reducing yourself to that level, so whether copyright infringement is good or bad is irrelevant to the topic.

Re:Ah Hell (1)

black3d (1648913) | about 3 years ago | (#37685270)

I'm not arguing about whether or not copyright infringement is good or bad. Sorry if my message came across that way. What I was criticising was the fact that geeks are at the forefront of every advancement in society, and embrace new ideas and modern movements, but they make a special case for the word "steal" (which has evolved with the language, and includes obtaining without permission), and pretend it doesn't have that meaning simply so they can keep saying that copyright infringement isn't "stealing". I wasn't commenting on the stealing itself whatsoever, or whether it's good or bad. Apologies for not being more clear. I do disagree with you that copyright infringement isn't stealing, but I agree it's not theft. :)

Re:Ah Hell (2)

julian67 (1022593) | about 3 years ago | (#37685140)

In the UK the definition of theft explicitly sets out several tests including:

"dishonestly acquire, with the intention to permanently deprive"

This is why we have other laws such as the offence of "Taking without consent" of a motor vehicle, which covers situations where the acquisition can be proven dishonest but no intent to permanently deprive can be proven i.e. the offender takes, uses and abandons a vehicle, maybe even at or near where the owner left it.

Most of the English speaking (officially/legally) world outside of the USA is likely to be the same.

Re:Ah Hell (1)

black3d (1648913) | about 3 years ago | (#37685240)

I concur, good sir. But we were talking about the word "steal" not "theft". Contrary to my comments about "steal", "theft" almost universally does involve the removing of products, and deprivation. To recap, GP made a common /. rail against the word "stole", to describe the actions of people who made a copy of the database. I pointed out that "steal" doesn't necessarily involve deprivation, and the legal definition includes taking without permission - even if no deprivation occurs. Talking about a verb here, not the crime itself.

Completely agreed - the crime of theft almost always involves deprivation of property in legal definition.

Re:Ah Hell (2)

julian67 (1022593) | about 3 years ago | (#37685408)

In English Law "steal" refers to "theft". It's the same.

From the Theft Act 1968 (current English Law):

"A person is guilty of theft, if he dishonestly appropriates property belonging to another with the intention of permanently depriving the other of it; and "thief" and "steal" shall be construed accordingly."

Dishonestly appropriating the contents of another person's database wouldn't be theft in England, though it would be a very serious offence under the Computer Misuse Act. The penalty could be as high as 5 years imprisonment.

Re:Ah Hell (0)

EdIII (1114411) | about 3 years ago | (#37686084)

Sorry, but that definition still is, and always will be, complete and utter bullshit.

All of your points involved the physical world. The act of theft, or stealing, can ONLY occur in the physical world. It blows my mind that anyone can come to a different conclusion once all things are considered. You cannot steal an idea, thoughts, etc. All you can do is share in them.

Regardless of how one feels about intellectual property, we should be able to not treat each other like idiots and stop using the word theft or steal.

It is copyright infringement. In cyberspace, stealing/theft can not ever occur. Only copying or destruction. Unlike space/time where energy can be neither created nor destroyed, which apparently has been extended to include "information" by scientists, cyberspace does allow for the destruction of information. It occurs all the time, either through intent or malice.

The attempts to attribute the word steal, theft, etc. to the copying of information are all part of a disingenuous tactic to apply a reality distortion field.

What is actually happening is quite important to understand, in fact critically important. These acts of copying and distributing data, which are called "piracy" so often, are just acts of copyright infringement.

Copyright infringement, when done the way it is being done on the Internet, is considered by law to be a civil dispute in most countries. This is quite inarguable actually. If it was stealing or theft, district attorneys would be involved (in the US) and the plaintiff would be the United States and the defendant would be John Smith. This is not true, is it? Nope. The only time it is ever true is in criminal cases that involve physical distribution and profiting at fairly large scales. What we have in reality is large legal firms starting thousands, or hundreds of thousands, of civil lawsuits.

For the record, a copyright is a set of legal entitlements granted by society to the creators. We do this, according to the appropriate philosophies, to encourage innovation by rewarding those who do it, and to provide a valuable wealth of art and knowledge that all of society, and all societies as well, can use to create ever more new works of art and technologies.

One cannot steal a set of legal entitlements, but infringe upon them. Totally different concept.

And also for the record.... I support reasonable and sane copyrights and their interpretations. Not the reality distorted views and representations by groups of companies, people, legislators, etc. that outright lie and warp the facts to harm society with their actions. Taking away our rights, privacy, and anonymity to protect some legal entitlements is insanity. Sometimes poison can be used to cure, but this is not one of those cases.

Copyright infringement DOES NOT HAVE ANYTHING TO DO WITH THIS ARTICLE EITHER! :)

This is actual hacking. The malicious intent by a person to disrupt a system, copy information, for whatever purposes they want without the authorization by the people who own it.

It will not be copyright laws that are ultimately brought to bear upon the person responsible for this, but laws expressly written to punish people who cause harm to companies and systems through their actions.

The poster who brought this point up was not being pedantic, but only pointing out what you immediately attacked as untrue. No actual theft occurred here. However, yes, there were crimes committed.

Re:Ah Hell (1)

black3d (1648913) | about 3 years ago | (#37686358)

I never brought up copyright infringement? I wasn't arguing for or against copyright infringement at any point in time. I was purely talking about the word "steal".

You seem to be confusing the verb as a word, as I'm talking about it, and the criminal act. You're setting out with the notion that to "steal" only involves the physical world. May I ask where you got this notion? Not from the dictionary (although I'm certain you can find a dictionary with physical removal as the only definition of the word "steal", there are plenty also available which don't). The entire point I was trying to make is that this act IS covered under the modern definition of steal.

I was only *ever* talking about the word, and how some geeks prefer to keep a singular definition for the word and excise all others that don't happen to suit their point of view or their argument.

Here are some definitions for Steal from various dictionaries:
  - "to commit or practice theft."
  - "to obtain surreptitiously"
  - "to appropriate (ideas, etc) without acknowledgment, as in plagiarism"
  - "to take or appropriate without right or consent and with intent to keep or make use of"

What I was commenting on, in reply to GP, was that many folks around here choose to ignore the latter three and make the argument that "stealing" is only ever the first definition there, and that all other definitions are false, and therefore, plagiarism (to use the example in the definition) isn't stealing. The truth of the matter is, if plagiarism is a definition of stealing, then plagiarism is stealing. Words have multiple definitions, and /.ers and pirates like to pretend this particular word only has one.

It was just a comment on GPs attempt to dismiss the matter of "stealing" having occurred, when, if you accept the latter three definitions above, it did. If you choose to dismiss any dictionary which defines "steal" as also involving non-physical objects, that's your choice - but that doesn't resolve a dispute on the topic. Geeks need to man up about this and accept that words change. It's like folks are treating "steal" as a dirty word, and something they like to pretend they're not involved with; Denying any modern meaning of the word is how they go about setting themselves apart, and feel better about what they do.

Re:Ah Hell (0)

EdIII (1114411) | about 3 years ago | (#37686732)

It was just a comment on GPs attempt to dismiss the matter of "stealing" having occurred, when, if you accept the latter three definitions above, it did. If you choose to dismiss any dictionary which defines "steal" as also involving non-physical objects, that's your choice - but that doesn't resolve a dispute on the topic. Geeks need to man up about this and accept that words change. It's like folks are treating "steal" as a dirty word, and something they like to pretend they're not involved with; Denying any modern meaning of the word is how they go about setting themselves apart, and feel better about what they do.

You're wrong, and on many levels.

Plagiarism is not a form of stealing. Just like copyright infringement, it is a separate act, that for exactly the same reasons, had the word steal misappropriated to benefit the copyright holders.

Geeks do not need to "man up". We need to bunker down and refuse to allow people like you to change the word. Saying that change is just part of life, and like oh well, just go with the flow is harmful bullshit.

I don't "pretend" anything. I have fully admitted, on many occasions, both past and present, that I willfully perform acts of copyright infringement. I did so in my youth due to availability and an inability to pay, and as an adult because I choose to not respect any form of copyrights or patents that are older than 20 years. I find them to be harmful and detrimental to society and I will continue to treat them as if they were in the Public Domain. Because they should be. Period.

As for words changing meaning, yes that is inevitable. What I will always fight is WHY. IT IS THE WHY THAT I FIGHT.

The word steal is continually being misappropriated to the act of copyright infringement for a purpose.

Just as you say I am denying the word to make myself feel better about what I am doing, "they" are changing the word to better support their positions and what they are doing.

"They" are quite often referred to as Big Content, Big Media, etc. It is simply, a group of people and companies that represent large portfolios of copyrighted works that want to change the laws that govern our society to suit their interests. These interests are not in the best interests of The People, but rather themselves, which they conveniently and constantly spin to be "providing shareholder value".

No. NO. NO.

I will not participate with you in allowing the perversion of the word to suit a small group of people that want to apply a reality distortion field to a dispute and argument that affects all societies everywhere, and at an important and fundamental level.

So for the exact same reasons you outlined, I am not letting Big Content get away with it. There is no stealing in cyberspace. Period. Once you take that away, we can start seeing these acts for what they are. Civil disputes between two parties, wherein one party has had their legal entitlements infringed upon by the other and they seek restitution as provided for by law.

You allow that word to change and you are merely collaborating with a group of people that most certainly care nothing about your interests or freedoms, but whatever it takes, regardless of harm, to serve their own selfish interests.

Why I am so fanatical about this?

Big Content has done tremendous damage to our rights and privacy/anonymity to aid them in their civil disputes simply because they are unable to enforce their own legal entitlements. Use of the word steal is merely part of their propaganda and warped logic to erode our civil liberties, harm copyrights and the Public Domain, and to ultimately destroy the Public Domain.

It is killing innovation and doing the exact opposite that one might think.

No sir, I will not participate, I will not give up my rights, and I will fight to my last breath to protect the best interests of The People. That means copyright/patent reform and the realization that nothing is important enough to give up my Freedoms. That is not even logical. We fought too hard for our Freedoms to give them up to help criminalize even the smallest form of copyright infringement.

No.

Re:Ah Hell (1)

black3d (1648913) | about 3 years ago | (#37686898)

Whom do you suggest should decide on the definition of a word? Where do you think Oxford, et al, draw their current definitions from?

Aside from that, I agree with every aspect of your stance against the criminalisation of copyright infringement. I concur that copyright has been warped and distorted completely from its original purpose, and that copyright now almost serves the opposite purpose that it was intended to. It was intended to provide an author with a modest fee, to encourage the author to continue and produce more works, knowing that it can provide an income - and the need for that income would cease once the author died. In fact, the terms used to be short enough as to encourage the author/artist to continue producing for the rest of their life.

These days, consideration for the author/artist is the smallest piece of the copyright pie. It's almost entirely about protecting corporate profit, and extending these profits from a single work for as long as possible after the death of the original author. It in fact stifles further originality, as a single IP (eg, LOTR) can be milked indefinitely without the need for new works.

I'm just not hung up on the word. Perhaps it's because I don't fall victim to propaganda wars by big media. Probably it's because I speak multiple languages and I'm just not concerned about the colloquial definition of a single word - if it changes, so be it. I don't care if downloading movies adopts the name "murder". As long as people doing so aren't being charged with the crime which shares the same name, the adaptation of the word doesn't have a lot of meaning to me. In fact, it would actually weaken the seriousness attached to the word "murder".

Likewise, if every civil dispute is to be known as "stealing", it weakens people's reactions to "stealing" - if it were an agenda by Big Media to attach the label, it would have the reverse effect to what they desire. It wouldn't make "copying movies" more serious, it'd make "stealing" less serious. Don't get me wrong, I do recognise that they want to fool people into believing this (the ads on DVDs/in cinemas comparing downloading a movie to robbery). I just don't think the term being used is the thing to get upset about.

Re:Ah Hell (2)

bjourne (1034822) | about 3 years ago | (#37687928)

You may have heard the quote "Immature poets imitate; mature poets steal" which is from T.S. Eliot in 1921. That plagiarism is a form of "stealing" is well established in the English language and you are the one who wants to redefine the word so that you have to call it "copyright infringement" instead, not Big Content.

Re:Ah Hell (1)

black3d (1648913) | about 3 years ago | (#37686402)

TL;DR version:

You cannot steal an idea, thoughts, etc

Dictionary definition:
Steal
"to appropriate (ideas, etc) without acknowledgment, as in plagiarism"

My point was only ever that geeks are trying to ignore any definition of the word steal which doesn't suit them - I'm not arguing the merits of or against any act.

Re:Ah Hell (1)

cheekyjohnson (1873388) | about 3 years ago | (#37684724)

I think that's true.

Re:Ah Hell (1)

DanTheStone (1212500) | about 3 years ago | (#37684956)

They did steal it, because now the original owners are deprived of their old username and password. Did you not even read TFS?

Re:Ah Hell (0)

Anonymous Coward | about 3 years ago | (#37686572)

That's why we have crimes related to IP and computers.

Re:Ah Hell (0)

Anonymous Coward | about 3 years ago | (#37684630)

tyler.russell is a name that means nothing to me, and never will.
I further don't care that this is his first accepted submission.
I am annoyed that screen real-estate was wasted on the suggestion that this trivia is important.
Slashdot continues its downhill slide.

Linsux hacked again.. (0)

Anonymous Coward | about 3 years ago | (#37687512)

Linsux hacked again..

Re:Linsux hacked again.. (1)

V!NCENT (1105021) | about 3 years ago | (#37687806)

I feel for this troll... He can't even tell the difference between an OS kernel and a database application...

A smear campaign (-1, Troll)

Anonymous Coward | about 3 years ago | (#37684366)

First kernel.org, now WineHQ. This is clearly a campaign orchestrated by the likes of M$ to cause FOSS to be associated with insecurity.

Re:A smear campaign (0, Troll)

masternerdguy (2468142) | about 3 years ago | (#37684456)

Don't worry. M$ has been allowing people to control other people's computers over the internet for years with innovative technologies like ActiveX and Internet Explorer.

Re:A smear campaign (0, Troll)

bonch (38532) | about 3 years ago | (#37684700)

Looks like you forgot to check "Post Anonymously" when replying to yourself.

Re:A smear campaign (0)

masternerdguy (2468142) | about 3 years ago | (#37684732)

keep telling yourself that.

Re:A smear campaign (0)

V!NCENT (1105021) | about 3 years ago | (#37687816)

Don't worry:
Microsoft crashed stock exchanges twice and they had some source code stolen from them during the hack.

The score is still Linux-Windows: 3-2 :P

Oh that's secure (4, Interesting)

theswade (2020510) | about 3 years ago | (#37684396)

So their solution to a security breach is to send out everyone's logins via clear text?

Re:Oh that's secure (1)

Amouth (879122) | about 3 years ago | (#37684440)

those were my thoughts exactly.. i figured it would be a forced reset on log-on and an e-mail with a unique id to use during that (think of it as a second factor token)..

but to just reset the password and send it.. that is just ...........

Re:Oh that's secure (0)

Anonymous Coward | about 3 years ago | (#37685536)

those were my thoughts exactly.. i figured it would be a forced reset on log-on and an e-mail with a unique id to use during that (think of it as a second factor token)..

but to just reset the password and send it.. that is just ...........

So instead of sending a new password and recommending changing it, you suggest sending a one-use link so the user can change their password...

Don't really see the advantage in this instance; if someone can get into your email, either way they're into your account.

Re:Oh that's secure (0)

Anonymous Coward | about 3 years ago | (#37687282)

Because they aren't targeting a single account. Yeah, they can get the password reset links if they can intercept the emails, but with the links then they also need to act on those links which will be far more difficult than just passively collecting the new passwords.

I think what's being missed by the OP is that no one gives a crap about the new passwords as they won't be linked to any of those user's existing accounts elsewhere. The value in the passwords is that they might also be the passwords those people use at their bank.

Re:Oh that's secure (2, Insightful)

Anonymous Coward | about 3 years ago | (#37684466)

Do you have another, better solution?

Re:Oh that's secure (1)

Jello B. (950817) | about 3 years ago | (#37684656)

Let's mod this parent up, I'd like to hear some suggestions.

Re:Oh that's secure (1)

NoobixCube (1133473) | about 3 years ago | (#37685862)

Password reset confirmations sent to your recorded email when you try to log in again.

Re:Oh that's secure (1)

Unreal One (21453) | about 3 years ago | (#37684488)

They wanted to see who would wine about it.

Re:Oh that's secure (2)

Carnildo (712617) | about 3 years ago | (#37684826)

So their solution to a security breach is to send out everyone's logins via clear text?

It's much harder to intercept email than it is to decrypt an encrypted password: assuming that WineHQ users are typical in their password habits, about 75% of the passwords in the database are vulnerable to a dictionary attack and thus should be considered known to the attackers. By giving everyone a new password and emailing them in the clear to the users, they ensure that only those users who also have their email intercepted by the attackers are compromised.

What the WineHQ admins have done is reduce the number of compromised users from approximately 75% to approximately 0%.

Re:Oh that's secure (0)

Anonymous Coward | about 3 years ago | (#37687434)

Hmmm. Assuming, of course, that those users don't use the same (old) password for WineHQ and their e-mail. (I'm aware that the audience of WineHQ might be more technically minded than your average BFU, but it still strikes me as a very charitable assumption.)

Linsux hacked again.. (0)

Anonymous Coward | about 3 years ago | (#37687538)

Linsux hacked again.. lol

Re:Linsux hacked again.. (1)

V!NCENT (1105021) | about 3 years ago | (#37687792)

They hacked a database, not Linux :)

If you troll, then at least get your facts straight. This is just lame.

Automatic Resets? (0)

Anonymous Coward | about 3 years ago | (#37684422)

Did they have to automatically reset my password? Now I have no fucking idea which password I need to change elsewhere!

Re:Automatic Resets? (0)

Anonymous Coward | about 3 years ago | (#37684474)

They wouldn't know what your password was to send to you. All the passwords in the database were hashed.

Re:Automatic Resets? (2)

bell.colin (1720616) | about 3 years ago | (#37684752)

"but with enough effort and depending on the quality of your old password, it could be cracked."

So just wait for the torrent to come out and check the list then.

Re:Automatic Resets? (1)

scrib (1277042) | about 3 years ago | (#37685082)

So, you don't remember what your password was on the site?
Check your browser saved passwords!

How secure... (1)

justdiver (2478536) | about 3 years ago | (#37684442)

is sending out passwords via mass email in plain text? No wonder they had their system compromised.

Re:How secure... (1)

DarwinSurvivor (1752106) | about 3 years ago | (#37684834)

Well I guess they could have just left the old one in there. Or do you have any better ideas that you are for some reason keeping to yourself...?

Re:How secure... (1)

justdiver (2478536) | about 3 years ago | (#37685018)

Better ideas? No. I don't. But then again, I'm not a network administrator in charge of a system that just had a massive security breach. I would've thought that having procedures in place for something like this would be part of a system / network administrators job. If even a lowly, green-behind-the-ears tech can see that your "email passwords in plain text" idea is lacking thorough planning, then something is wrong. My first reaction to this would have been to disable all accounts until a better idea is formed instead of going with a response to a security breach that has obvious security flaws of its own. Yes it would be inconvenient for the userbase, but it'd be better than half-assing it, which is likely how they got into this situation in the first place.

Re:How secure... (1)

CastrTroy (595695) | about 3 years ago | (#37685376)

They should just have reset everybody's password to some really long (20 character?) random string (different string for each user) and not recorded the result. Any user who wanted to log in would have to use the "lost password" feature.
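The procedure CastrTroy describes, worked through as an added example (this is not code from the page, from WineHQ or from the AppDB): every stored hash is thrown away, which has the same effect as setting each password to a long random string nobody records, and the only way back in is a reset token that is e-mailed once, expires, is single-use, and is stored only as a SHA-256 digest so that a second read of the table yields nothing usable. The in-memory `AccountStore`, the one-hour TTL and the PBKDF2 round count are assumptions for the example; the `now` parameter exists so expiry can be exercised without waiting.

```python
import hashlib
import hmac
import os
import secrets
import time

RESET_TTL_SECONDS = 3600   # assumption: a reset link is good for one hour
ITERATIONS = 100_000       # PBKDF2 rounds; an assumption, tune for your hardware


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class AccountStore:
    """In-memory stand-in for the user table (hypothetical, for the example)."""

    def __init__(self):
        self.users = {}          # username -> {"email", "salt", "hash" (None = invalidated)}
        self.reset_tokens = {}   # sha256(token) -> (username, expires_at)

    def add_user(self, username: str, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = {"email": email, "salt": salt,
                                "hash": _derive(password, salt)}

    def login(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None or rec["hash"] is None:   # unknown user, or account awaiting reset
            return False
        return hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"])

    def invalidate_all_passwords(self) -> int:
        """Post-breach step: drop every stored hash.  Equivalent to setting each
        password to an unrecorded random string: nobody can log in until they
        complete a reset, and nothing usable is left in the table or in e-mail."""
        for rec in self.users.values():
            rec["hash"] = None
        return len(self.users)

    def request_reset(self, username: str, now=None):
        """Return the one-time token to embed in the e-mailed link, or None for
        an unknown user.  Only the SHA-256 of the token is kept server-side."""
        if username not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.reset_tokens[key] = (username, now + RESET_TTL_SECONDS)
        return token

    def complete_reset(self, token: str, new_password: str, now=None) -> bool:
        """Consume the token (single use), reject it if unknown or expired,
        then store the new password under a fresh salt."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(key, None)   # pop: a replayed link fails
        if entry is None:
            return False
        username, expires_at = entry
        if now > expires_at:
            return False
        salt = os.urandom(16)
        self.users[username]["salt"] = salt
        self.users[username]["hash"] = _derive(new_password, salt)
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.add_user("alice", "alice@example.org", "old-password")   # constructed user
    store.invalidate_all_passwords()
    token = store.request_reset("alice")
    print("old password still works:", store.login("alice", "old-password"))
    print("reset accepted:", store.complete_reset(token, "new-password"))
    print("replayed link accepted:", store.complete_reset(token, "again"))
```

Compared with mailing a fresh cleartext password, the difference is what an attacker reading the mailbox later can do with it: a replayed or stale link does nothing, and if the attacker still has the table, the digests in `reset_tokens` do not give back the tokens.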

Re:How secure... (3, Insightful)

Carnildo (712617) | about 3 years ago | (#37684890)

How secure...is sending out passwords via mass email in plain text?

Sending passwords in clear-text emails is only a minor security risk: in general, only network providers, system administrators, and three-letter agencies are in a position where they can intercept or read a user's email. If the people who attacked the WineHQ database don't fall into one of those categories, resetting passwords and sending the new ones in clear-text emails represents a dramatic reduction in the impact of the database compromise. If the attackers *do* fall into one of those categories, sending the emails does not increase the impact.

Re:How secure... (1)

Dunbal (464142) | about 3 years ago | (#37685202)

Unless you are sending the new login and password to an email account which the hacker already controls because, you see, he already grabbed your password and you probably use the same password for your email, and your email (if not also stolen) is probably login@yahoo/hot/gmail.com. In fact if he was smart he would just make note of the new login and password and delete the email, and you would be stuck wondering why you can't log in to a website in a couple months' time, while he's had a couple months of reading all your mail and possibly even contacting people on your behalf through your email. Dad could you email me your login/password for that website again? I forgot it...

Re:How secure... (0)

Anonymous Coward | about 3 years ago | (#37686998)

Sending out the password plain text shows they still have not implemented one way hashing and usually means there is no encryption in the database.

I'm always scared when I see my password plaintext in an email.

Kj

Re:How secure... (1)

motd2k (1675286) | about 3 years ago | (#37687500)

No it doesn't, it indicates that they sent you the password during the hashing process.

Re:How secure... (1)

Anonymous Coward | about 3 years ago | (#37685262)

just as secure as resetting your password via email by clicking on the "I forgot my password" link. If someone can intercept your email they can easily change your passwords.

I just read about this (1)

Maquis196 (535256) | about 3 years ago | (#37684464)

And went to my email and sure enough it's in my spam filter. So check there if you have missed it.

PHP software apparently at fault YET AGAIN. (0)

Anonymous Coward | about 3 years ago | (#37684484)

The email in the mailing list archives clearly mentions that phpmyadmin was involved with this breach.

When will people learn that software written in PHP is generally among the worst there possibly is? PHP is a language that attracts the most stupid developers out there, and they in turn create some of the most insecure software around. They are too ignorant to even realize how badly they're screwing up.

Sure, there are a small number of large sites who have used PHP successfully, but if you look at their code they basically use PHP as little as possible. They might as well be using a real language like Perl or Python, given how much core PHP functionality they end up having to rewrite themselves.

Re:PHP software apparently at fault YET AGAIN. (1)

GioMac (862536) | about 3 years ago | (#37684690)

YET AGAIN?
And when was it problematic before?
Come on... I'm pretty sure PHP itself is not the problem. The problem is how you secure your system so it can't access all the information. You can just store passwords on the system, which will never give you a complete list of hashes of all accounts at once (a dumb but simple solution that works) and will send an alert to the admin.
A grenade in the hands of a monkey is dangerous and may kill you, but not in the hands of Rambo.

If you write code in a bad way, it can't be the fault of the language you use.

Python and Perl themselves work on the web server in another way. You just can't isolate and limit them as is possible with PHP.
"PHP is designed specifically to be a more secure language for writing CGI programs than Perl or C, and with _correct selection_ of _compile-time_ and _runtime configuration options_, and _proper coding practices_, it can give you exactly the combination of freedom and security you need."
http://php.net/manual/en/security.php [php.net]

You just can't simply isolate a Python or Perl program from the paths it's serving with anything. The only possible solution is an LSM like AppArmor or SELinux.

Re:PHP software apparently at fault YET AGAIN. (-1)

Anonymous Coward | about 3 years ago | (#37684944)

If you knew even just one language besides PHP (and I don't mean that steaming pile of shit called JavaScript!), you'd know just how incorrect you are with respect to everything you just wrote there.

Re:PHP software apparently at fault YET AGAIN. (2)

Carnildo (712617) | about 3 years ago | (#37684958)

It's not PHP that's the problem here, it's the specific software package phpMyAdmin [phpmyadmin.net] . It's software that should never be deployed on an Internet-facing computer because of its security problems: about a third of the malicious traffic on my webserver is people probing for phpMyAdmin installations.

Re:PHP software apparently at fault YET AGAIN. (1)

duguk (589689) | about 3 years ago | (#37685558)

It's not PHP that's the problem here, it's the specific software package phpMyAdmin [phpmyadmin.net] . It's software that should never be deployed on an Internet-facing computer because of its security problems: about a third of the malicious traffic on my webserver is people probing for phpMyAdmin installations.

This. phpMyAdmin has security problems. However, this was likely an authentication breach.

It doesn't matter what software they use; the fact that they have complete database management online makes it a lot easier for user details to be taken.

Re:PHP software apparently at fault YET AGAIN. (1)

kassah (2392014) | about 3 years ago | (#37686394)

I remember the days when Perl was considered the language that attracted the crappy coders. Oh the security wonders I went through back with those CGI form mailers. I don't use Linux on my desktop because it attracts fewer idiots, I use Linux on my desktop because I like how it works. I use PHP in most websites because it's cheap to host, C or Python in desktop applications (C because I can code it extremely light on memory, Python because it has excellent support for GUI libraries), and Java for certain enterprise pieces of my applications. Use a programming language because its strengths fit your project and team, not because there are idiots who code with it. I hope you filter out the idiots long before you program it, or no matter the language, you'll have issues.

damn (0)

Anonymous Coward | about 3 years ago | (#37684490)

enough said...

At least they found out about it... (1)

iamachode (2482544) | about 3 years ago | (#37684500)

Most site admins are clueless about security, so the fact that they caught the intrusion at all is a very good sign.

I always wonder how many sites are actually compromised out there.

Remember, folks, it's always a good idea to USE A UNIQUE PASSWORD ON EVERY SITE! Of course, I'm probably preaching to the choir here.

Re:At least they found out about it... (1)

Baloroth (2370816) | about 3 years ago | (#37684564)

Unique passwords are hard to remember (at least, if they're any good). Password managers help (a lot) but if the main password gets keylogged, you're screwed. We really need a better system than ID + password.

Re:At least they found out about it... (1)

iamachode (2482544) | about 3 years ago | (#37684738)

Unique passwords are hard to remember (at least, if they're any good). Password managers help (a lot) but if the main password gets keylogged, you're screwed. We really need a better system than ID + password.

I have an algorithm I use in my head that's based on the site name. It's not perfect, and if someone *really* wanted to figure it out and they had one of my passwords, they could do it. But the barrier has been raised at least, so most hackers will just test it out on various major sites then ignore it if it doesn't work.

For instance, say your main password is "bur_rito" (too short, but it's an example), and the site here is slashdot.org. To create a unique password, you could do something like:
  * Take the 2nd and 4th letters of the website and insert them into specific spots in your password, like:
    * buSr_rLito
  * Then, take the site extension and give it a numbering system in your head (i.e., 1 for .com, 2 for .org, 3 for .edu, 4 for .us, 5 for everything else), then insert it into specific spots like:
    * bu2r_rLit2o

If you want to change your passwords regularly, it gets a little trickier, but it's better than using a unique one everywhere. It's also annoying that every site has its own restrictions on non-alphanumerics and password lengths.

Re:At least they found out about it... (1)

J_Darnley (918721) | about 3 years ago | (#37687888)

It's also annoying that every site has its own restrictions on non-alphanumerics and password lengths.

This has got to be the worst thing about using a password manager, the fact that you have to remember which sites have what restrictions.

Re:At least they found out about it... (1)

h4rr4r (612664) | about 3 years ago | (#37684748)

No they are not. Come up with better passwords. Use phrases instead of total randomness. "This Is The Worst Password any 1 has ever |-|ad", is one such password that is easy to remember and very secure.

Re:At least they found out about it... (2)

Baloroth (2370816) | about 3 years ago | (#37684940)

And remembering which one you used on every single site you use regularly? Sure, for email and the like, but there are at least a dozen (probably more) sites I visit semi-regularly. Remembering such passwords for each site is quite a trick. You can vary the password based on the site name (as others have suggested) or some such scheme, but it gets tricky if you use even a fair number of internet sites.

I only remember the passwords for 3-4 sites I visit (which I might want to access from random computers), and use random ones stored in Lastpass for the rest. Works for me.

Re:At least they found out about it... (1)

Carnildo (712617) | about 3 years ago | (#37685022)

My password database just passed the 300-entry mark. How on Earth am I supposed to remember that many unique passphrases, especially for sites I might not visit for years at a time?

Re:At least they found out about it... (1)

c++0xFF (1758032) | about 3 years ago | (#37685090)

In addition to the other replies, I'll add that some (most?) sites implement passwords poorly. The worst offender is a length limit, which I've seen capped at 20 or less. I still have to use some old Unix systems that won't recognize anything beyond 8 (and "This Is " isn't exactly a good password).

Until sites do things right, passphrases won't work.

Re:At least they found out about it... (1, Insightful)

c++0xFF (1758032) | about 3 years ago | (#37685002)

Good, unique passwords are fine until you have more than a handful of accounts. Even using a base password with something unique per site will only get you so far.

Password managers are the next step, but they have to be available wherever you happen to be. That either means a smartphone (but typing in the password from my phone defeats the purpose and is a pain with truly strong passwords, a lost/stolen phone becomes a nightmare, and I don't have a smartphone anyway) or a website I can log into and copy/paste from (which then puts all my eggs in one basket, and brings up a whole mess of other issues, especially with public terminals), or a USB drive (which hopefully isn't locked out on the system you need to use, and has the potential for spreading viruses to every computer it touches).

Oh, and then there's password resets ... which effectively turn your password into your mother's maiden name. Stored in the clear, of course.

I agree. Passwords are a mess. The problem is, I have no clue how to replace them. Do you?

And remember, the biggest problem isn't the major sites you visit every day ... it's the 100 small sites you visit less often (such as Wine HQ). Having a SecurID token for each site won't work, for example.

Re:At least they found out about it... (1)

Terrasque (796014) | about 3 years ago | (#37687950)

We really need a better system than ID + password.

I've changed to Google's account for as many sites as I can (Google supports OpenID), and I use two-factor auth for my Google account.

Some things I like with OpenID:
1. You don't need to have any special agreement or API key with services to add support for it to your site.
2. If you don't trust provider A, then use provider B instead. Or set up your own OpenID server.
3. Since it's only one place you need to log in to (and log out of), you can afford to have extra security there, which would otherwise be too annoying or expensive (SMS notification of login, SSL client certs, two-factor auth and so on).

but.... but... but... (0)

Anonymous Coward | about 3 years ago | (#37684508)

It's teh Linux!!!!onehundredeleven!!!!

Good thing I drink beer instead (1)

dkleinsc (563838) | about 3 years ago | (#37684562)

But really, the important lesson from this is that you shouldn't share passwords between different sites. Use a variety of auth manager and a lot of the risk goes away.

Dropbox+KeePassX (3, Interesting)

Maquis196 (535256) | about 3 years ago | (#37684604)

If you accept that the internet will spit out your details at some point, do this:

1. Sign up to Dropbox (it's free and works on all platforms, including mobiles).
2. Get a copy of KeePassX; the Mac/Windows version might have a different name, I've never used them.
3. Store the KeePassX database on Dropbox so you've always got access to it.
4. Each website gets its own generated password: short passwords for things you might need to type in on a phone, but still random.

This way, 1 bad event like this keeps you safe. I have both on my Android as well so it's with me always. /Maq

Re:Dropbox+KeePassX (1)

Bios_Hakr (68586) | about 3 years ago | (#37685180)

I have been using LastPass for a while now. And the more I use it, the more skittish I get.

It's not that I'm really worried about losing access to the 500 or so sites in my database. Most of those I could reset via email.

And my email password has to be memorable because of my Android phone and such.

I just feel really skittish about relying on something that, in effect, is an absolute book of knowledge about me. I used to keep that book inside my head. Now it's out there. And it keeps me up some nights...

Re:Dropbox+KeePassX (1)

lakeland (218447) | about 3 years ago | (#37685498)

I don't know if LastPass is the same but I use 1Password and the data in that is encrypted with a password which is not stored in the database. By the sounds of the product name I'm guessing yours is similar.

So even if someone does manage to get your password file they'd still have to crack your master password which I'd hope is exceedingly secure.

LastPass and Yubikey, and client security (1)

Cato (8296) | about 3 years ago | (#37687328)

LastPass (cloud service with browser plugins) supports Yubikey, a low-cost token for two-factor authentication - so someone would have to both install a keylogger on my system and physically steal the Yubikey token to get the LastPass passwords. http://www.yubico.com/ [yubico.com]

This makes it actually more secure to always use LastPass even if you remember the site password, because the LastPass login is Yubikey protected while the site password isn't (and the way LastPass sends the password to the site doesn't involve the keyboard.)

As with KeePass or 1Password, which are non-cloud services that would be used with Dropbox etc, you must still be very careful with security of the client system - non-keylogger trojans that attack the LastPass plugin or the KeePass/1Password client software could still steal passwords while the password database is open.

Everyone on Windows should be running the free Secunia PSI, which scans all third-party and Microsoft apps every week for vulnerabilities, providing a link to easily update them, and even auto-updates some of the most common ones. If everyone did this, drive-by download attacks would be virtually a thing of the past.

Sadly, Mac and Linux don't have this for any apps not handled by the standard MacOS updater or the Linux distro's package repository, but at least with Linux you can limit your use of non-repository apps to those with excellent auto-updating (Firefox, and Chrome as long as your distro doesn't go out of date making Chrome refuse to update!)

Re:Dropbox+KeePassX (0)

Anonymous Coward | about 3 years ago | (#37687730)

KeePassX is available for Android as well. iPhone too.

Re:Dropbox+KeePassX (1)

unchiujar (1030510) | about 3 years ago | (#37685194)

You sir are my hero.

Re:Dropbox+KeePassX (0)

Anonymous Coward | about 3 years ago | (#37685212)

So what happens if someone gains access to your dropbox and gets your password database file?
http://nakedsecurity.sophos.com/2011/06/21/dropbox-lets-anyone-log-in-as-anyone/ [sophos.com]

Re:Dropbox+KeePassX (2)

unchiujar (1030510) | about 3 years ago | (#37685342)

From the KeePassX site:
"Encryption - either the Advanced Encryption Standard (AES) or the Twofish algorithm are used - encryption of the database in 256 bit sized increments"

Re:Dropbox+KeePassX (1)

lakeland (218447) | about 3 years ago | (#37685490)

I use 1password with this setup.

It works really well though it was a bit expensive to set up - I had to buy 1password for mac, windows and phone, so I think it cost about $60.

Still, it got me onto dropbox which I now use for quite a few things :)

Does this also affect the Wine forum accounts? (0)

Anonymous Coward | about 3 years ago | (#37684616)

Anyone know? Are the Wine forums totally separate? I read the forum post about the AppDB compromise but it isn't mentioned whether this affects forum logins as well.

Reminder to Manage Your Passwords (1, Informative)

Onymous Coward (97719) | about 3 years ago | (#37684668)

Use a password manager like LastPass [lastpass.com] or KeePass [keepass.info] , or, as I do, keep an encrypted file of your sites+logins+passwords.

You really need to manage your passwords. Reusing the same pass in multiple places is just a problem waiting to happen.

... is not an emulator (2)

gmuslera (3436) | about 3 years ago | (#37684810)

but having security problems adds another layer of compatibility with windows.

Re:... is not an emulator (0)

Anonymous Coward | about 3 years ago | (#37685268)

Good show, old chap. Astute and true!

Most common password? (0)

Anonymous Coward | about 3 years ago | (#37685092)

Ilovecock

First kernel.org and now this? (1)

diego.viola (1104521) | about 3 years ago | (#37685144)

WTF is going on?

Re:First kernel.org and now this? (0)

Anonymous Coward | about 3 years ago | (#37687252)

Do we see a pattern here...

--> kernel.org
--> mysql.com
--> and now WineHQ

should have used apache (2, Informative)

Gravis Zero (934156) | about 3 years ago | (#37685166)

those showoffs were running IIS on WINE.

Re:should have used apache (-1)

Anonymous Coward | about 3 years ago | (#37685304)

No. The problem is that they're using Linsux in the first place. Don't fuck around, cunt. Linfux fails.

Good thing (1)

crossmr (957846) | about 3 years ago | (#37685172)

They recently deleted my account. After not having used it for a few years, I started getting several messages about old comments and reports I'd made being deleted, then I got a message saying my account would be deleted as well.

They kind of lost a lot of credibility with me when they insisted I make good on my pledge to buy a copy of the program when some random person claimed to have gotten my requested app to run. Except you couldn't open, work with, or save any files, and no one verified the report. But hey, give us your money now!

Wait a frigging second, what's going on here? (1)

WWWWolf (2428) | about 3 years ago | (#37685400)

They recently deleted my account. After not having used it for a few years, I started getting several messages about old comments and reports I'd made being deleted, then I got a message saying my account would be deleted as well.

They deleted my account as well - didn't mess with the pledge stuff and no malice on my part, just the fact that I got game consoles and Linux gaming didn't really keep me on grip. =)

But the weird thing is this: they just now sent me a new password. Did you get this notice as well? I tried to log in with the new password, and it said the account didn't exist. I re-registered, boom, there I was again, so it was not like it was somehow closed for all the eternity.

Did they keep my email and hashed password on file after they deleted my account? If so, why the hell did that happen? If they wanted consistency, couldn't they just change the email to "former_user_NNNN@dev.null.invalid" and blank the password? I don't think they really have a good grip on security over there...

Re:Wait a frigging second, what's going on here? (1)

crossmr (957846) | about 3 years ago | (#37685808)

I got no such e-mail from them.

Re:Good thing (0)

Anonymous Coward | about 3 years ago | (#37685684)

They kind of lost a lot of credibility with me when they insisted I make good on my pledge to buy a copy of the program when some random person claimed to have gotten my requested app to run.

Can you clarify this? The only pledge system I know of is on the CodeWeavers site, not WineHQ. Does Wine have a pledge system too? Link?

phpmyadmin (0)

Anonymous Coward | about 3 years ago | (#37685174)

Really? I guess the people at wine really like GUIs. If only they could do things via command line and no one would have been impacted.

wine security = wine code (0)

Anonymous Coward | about 3 years ago | (#37687676)

I guess the wine project (~=codeweavers) treats security the same way it treats its code.
For decades the project has sucked up all the developer energy that could have been invested into making a good compatibility layer. Microsoft should be thankful that the wine effort was so poorly managed, designed and executed.

Thankfully, the need for the wine project is declining steadily, as native alternatives get better.
