×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Backdoor Discovered In Atlassian Crowd

timothy posted about 10 months ago | from the your-gate-is-up dept.

Security 133

An anonymous reader writes "Recently published on the Command Five website is a technically detailed threat advisory (PDF) in relation to a recurring vulnerability in Atlassian Crowd. Tucked away inconspicuously at the end of this document in a section entitled 'Unpatched Vulnerabilities' is the real security bombshell: Atlassian's turnkey solution for enterprise single sign-on and secure user authentication contains an unpatched backdoor. The backdoor allows anyone to remotely take full control of a Crowd server and, according to Command Five, successful exploitation 'invariably' results in compromise of all application and user credentials as well as accessible data storage, configured directories (for example Active Directory), and dependent systems."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

133 comments

Huh? (5, Interesting)

TubeSteak (669689) | about 10 months ago | (#44149877)

What is Atlassian Crowd, where is it used, how does this effect me, why should I care?
Did I miss any important questions?

Re:Huh? (3, Informative)

Anonymous Coward | about 10 months ago | (#44149933)

Here comes the aeroplane spoon... open up the hangar!

From the first page of the advisory:
"Atlassian Crowd is marketed as a secure single signon (SSO) product for the enterprise and is designed to be incorporated into third party applications and systems"

Re:Huh? (-1, Redundant)

Anonymous Coward | about 10 months ago | (#44149965)

To put it frankly, Bing is absolutely superior in every way to Google. I prefer using Bing over Google for all the web's top searches, and that is a sentiment you'd share with me if you tried Bing. There is nothing you cannot accomplish with Bing, and nothing you won't be able to find. Use Bing; I highly recommend it.

Don't believe me? Bing it on, you piece of trash! I'll drag you Luddites into the 21st century! [bingiton.com]

Re:Huh? (-1, Troll)

Anonymous Coward | about 10 months ago | (#44150069)

get some help, you lackey.

Re:Huh? (-1, Offtopic)

mad flyer (589291) | about 10 months ago | (#44151765)

Nope... unfortunately... Bing is really much better than google these days... And the image search don't filter out most pr0n...

Re:Huh? (0)

Anonymous Coward | about 10 months ago | (#44150965)

Here comes the aeroplane spoon... open up the hangar!

From the first page of the advisory:
"Atlassian Crowd is marketed as a secure single signon (SSO) product for the enterprise and is designed to be incorporated into third party applications and systems"

Your hand is empty, you are waving your hand around with an imaginary spoon. Note how your quote does not answer the questions. "3rd party applications and systems" is not an answer to where is it used, how does it affect me, why should I care?

there is no spoon (0)

Anonymous Coward | about 10 months ago | (#44151547)

there is no spoon
there is no spoon
shakes head YES THERE IS....

i dont live in da matrix

Re:Huh? (1)

jythie (914043) | about 10 months ago | (#44152271)

If no project you are working on is using it then it does not impact you directly, though projects you depend on might be.

Re:Huh? (0)

Anonymous Coward | about 10 months ago | (#44151565)

Got to admit their "single sign on" is really single sign on even if it's not secure ;).

Re:Huh? (0)

I'm New Around Here (1154723) | about 10 months ago | (#44149935)

No, you got the important ones. I was wondering the exact same thing myself. Even googled about it, but saw nothing informative outside of their website, which would only slightly answer the first part.

So, what are your plans for the upcoming holiday? We are going to have a cookout with friends. Hope you enjoy whatever you have planned. Bye.

(That part added to give this /. story some meaning in our lives.)

Re:Huh? (0)

Anonymous Coward | about 10 months ago | (#44150423)

> No, you got the important ones.

Neither of them were important. If you don't bother to google tools you don't know, why are you even here?

Re:Huh? (2)

I'm New Around Here (1154723) | about 10 months ago | (#44151045)

You must have missed this part

Even googled about it, but saw nothing informative

In addition to the original poster and myself, I see several others posting either similar queries, or responses dismissive of this product. So don't act like I have to sign up for tech courses for this software before I comment on it.

Re: Huh? (0, Troll)

madprof (4723) | about 10 months ago | (#44151425)

Just because there is more than one lazy person does not make it OK to be lazy.

Re: Huh? (2)

I'm New Around Here (1154723) | about 10 months ago | (#44151563)

You must have missed this part

Even googled about it, but saw nothing informative

Having just googled again, I still see nothing that is actually informative from the top 10 results. Most point to Atlassian's site. They have the uaual marketing blurb:

Identity Management for Web Apps

Finally, a single sign-on and user identity tool that's easy to use, administer, and integrate.

Users can come from anywhere – Active Directory, LDAP, Crowd itself, or any mix thereof. Control permissions to all your applications in one place – Atlassian, Subversion, Google Apps, your own apps.

Great! It's a way to sign into webapps. How enlightening. I have gotten a better description of it from the complaint posts below, than from searching for it in your approved way. But thank you for your concern of my inertial-challanged state.

Re:Huh? (2, Informative)

Anonymous Coward | about 10 months ago | (#44149937)

Atlassian's turnkey solution for enterprise single sign-on and secure user authentication. Atlassian is a software vendor of modest relevance, producing Jira issue tracking and Confluence wiki software. I assume this would only be relevant if you run are rely on a system that uses Crowd for authentication. Where is it used? Where is any software package used?

Re:Huh? (-1, Redundant)

camperdave (969942) | about 10 months ago | (#44150281)

Atlassian is a software vendor of modest relevance, producing Jira issue tracking and Confluence wiki software.

You're not helping.

Re:Huh? (2, Informative)

Anonymous Coward | about 10 months ago | (#44151483)

It's some Java bug tracker software which whenever someone uses for their project you get frustrated with (and some open source does use it since it's monetarily free for them but fairly expensive normally), and a wiki that nobody but big business uses and is very slow. The SSO lets people in the java world integrate standard technologies for federated identity (so that the apps don't need to store or know the username/password of the people using them).

Re:Huh? (1)

RabidReindeer (2625839) | about 10 months ago | (#44152293)

Atlassian's turnkey solution for enterprise single sign-on and secure user authentication. Atlassian is a software vendor of modest relevance, producing Jira issue tracking and Confluence wiki software. I assume this would only be relevant if you run are rely on a system that uses Crowd for authentication. Where is it used? Where is any software package used?

Atlassian's most famous product is Jira, which is pretty commonly used in large-scale businesses. Large-scale businesses are also more likely to use SSO, since it's less trouble than maintaining dozens of app-specific login subsystems.

So the net result is effectively that the login ID is "sa" and the password is blank and everyone from the NSA to the Brothers of the Islamic Revolution of Upper West Turdistan, the New Reform Church of Neo-Communist Mao-fu-tze, the haXors Anymous 7EEt, the 57th-Street Beagle Boys gang and so forth could all waltz in and make themselves at home.

Re:Huh? (3, Informative)

Luckyo (1726890) | about 10 months ago | (#44149961)

It appears to be some sort of software managing logins to sites. Their site cites their clientele to be a lot of major companies, such as facebook, twitter, hulu and netflix.

I imagine if you have a backdoor into software that manages facebook's login systems, that's pretty damn major.

Re: Huh? (1)

jaminJay (1198469) | about 10 months ago | (#44150393)

Also Red Hat JBoss, Apache and Jenkins CI, etc. Quite a few pies, but I haven't noted many installations that use Crowd.

Re: Huh? (1)

jythie (914043) | about 10 months ago | (#44152289)

Most of the places that use it are closed source, it is not really designed to appeal to the OSS community. However big companies that need to appease non-technical people (like the DoD, major ISPs, utilities) will often use it. It is pretty low profile because they mostly talk with big players directly. Not really a small developer/end user product.

Re: Huh? (0)

Anonymous Coward | about 10 months ago | (#44152385)

We're a subcontractor working with a corp. that does a lot of business with NOAA, they have Atlassian, Jira, Confluence, all those things. As others have mentioned, it's slow, a pain in the neck to use, and doesn't really bring much to the table. The only thing I really get out of it is that we have a wiki page set up (or maybe it's a bug tracker - it sure isn't editable, searchable, or anything else I would expect from a wikipedia clone) that has a giant list of 'gotchas' for new developers working in our test environment, plus a walkthrough of how to deal with Rational and other "Enterprise" systems.

You're dead on about talking with big players directly, and there's a reason. I don't think anyone involved with the purchase of the damn thing has ever tried to use it for anything relevant.

Re:Huh? (0)

Anonymous Coward | about 10 months ago | (#44150493)

So... Big security flaw in fancy but completely meaningless cloud services. Who would have guessed.

Re:Huh? (2)

LordLucless (582312) | about 10 months ago | (#44151879)

Facebook, twitter, hulu, etc probably use their ticketing system, Jira, which is what they're most well-known for. I doubt they use Crowd, which is one of their lesser-known offerings.

Re:Huh? (3, Informative)

DMUTPeregrine (612791) | about 10 months ago | (#44149971)

Well, let's read the summary:
"Atlassian's turnkey solution for enterprise single sign-on and secure user authentication"
So Atlassian is some company, and it's a single sign-on/authentication system used in businesses.
And it lets a remote attacker take control of the servers it runs on, and possibly other computers in the business (via Active Directory, which is Microsoft's system administration/management package.)

Re:Huh? (4, Informative)

Charliemopps (1157495) | about 10 months ago | (#44150071)

They make Jira and Confluence... 2 applications that are widely used by some IS departments to manage their work. Jira for example, is an application for tracking software development, deployment and bugs. It's basically a ticketing system for programmers. You can track who created what, which bugs showed up in it later, who fixed them, how long all that took, etc...

I'm not sure how many people are using their LDAP/SSO stuff though though. There are lot bigger (and clearly more trustworthy) providers in town.

Re:Huh? (3, Informative)

Drakonblayde (871676) | about 10 months ago | (#44150849)

All of the individual apps can be tied to AD (or another directory) directly. Crowd is pretty much what you use when you want single sign-on/centralized auth, but you don't want to deploy AD or go through the pain in the ass of setting up and maintaining your own LDAP server.

I've also seen it used in large enterprises which have multiple authentication sources, the kind where systems just kind of creep, but no one wants to take the time (or risk the downtime) for consolidation. In that scenario, it's alot easier to tie the apps to Crowd for authentication, and then you just need to manage authentication sources in Crowd, instead of individually on the apps.

Atlassian actually makes some pretty good software, and their prices are reasonable for their starter kits to get used to it. My only gripe is that it's all pretty much Tomcat based

Re:Huh? (0)

Anonymous Coward | about 10 months ago | (#44151663)

By "good" I assume you mean easy to use. Most things are much easier to use when they're not secure.

If you took away all the security from the underlying directory systems they'd probably be quite "good" too.

Re:Huh? (3, Insightful)

Drakonblayde (871676) | about 10 months ago | (#44152303)

There's not a single major piece of software that hasn't had security flaws at one point or another. Remember when OpenBSD's web page bragged about no remote security holes in the default install? Even they've had two, and those boys are the epitome of paranoid security freaks.

So I can forgive Atlassian to a degree, as long as they fix the damn thing, and fix it in a hurry. If your standard of 'good' software is no security holes at all, then I'm afraid you're going to have to log off and go back to playing with Lego's.

Some of Atlassian's software is easy to use, and some of it can overwhelm a user. I've ran into a few coworkers who hated Confluence, and it was because they couldn't figure out how to do what they wanted. After I showed them, the gripes mysteriously disappeared. Confluence and JIRA are good pieces of software. Not perfect, but they serve their purpose.

Re:Huh? (1)

RabidReindeer (2625839) | about 10 months ago | (#44152305)

My only gripe is that it's all pretty much Tomcat based

There are worse things a J2EE-based applications to run under. Since Tomcat supports the essentials without the overhead of supporting the full stack, it has very modest resource requirements compared to, for example, WebSphere or JBoss.

Of course, Jetty is also lightweight, but Jetty isn't as commonly used or supported these days.

Re:Huh? (1)

Anonymous Coward | about 10 months ago | (#44150091)

I wish there was a place i could get these answers.

LIKE THE FUCKING INTERNET.

Good news! (1)

Anonymous Coward | about 10 months ago | (#44150495)

This is the Internet, Waffletwat!

Re:Huh? (3, Funny)

Scarletdown (886459) | about 10 months ago | (#44150135)

Must be the heat playing tricks on my brain. I thought the headline said Atlassian Cloud. And that was going to be the excuse to post about a backdoor discovered in a real cloud. [photobucket.com]

Re:Huh? (1)

CrankyFool (680025) | about 10 months ago | (#44150353)

There's a pretty f'ing reasonable argument to be made that if you don't know, and can't be bothered to do any research, maybe you don't need to know. Certainly, I will tell you that as someone who actually uses Crowd, and has been known to configure and administer Crowd, I know what it is.

Come on.

Re:Huh? (0)

Anonymous Coward | about 10 months ago | (#44150455)

Let me guess, you're either at University or working on some open source project....

Re:Huh? (1)

Ol Olsoc (1175323) | about 10 months ago | (#44150533)

What is Atlassian Crowd, where is it used, how does this effect me, why should I care? Did I miss any important questions?

Im' particularly dyslexic tonight - I read that as "Assassin's Creed"

Re:Huh? (1)

Samantha Wright (1324923) | about 10 months ago | (#44150699)

Atlassian boasts [atlassian.com] that Crowd has more than a thousand corporate users, including the NYSE. Yes, kids, the New York Stock Exchange has internal applications that are affected by this backdoor—along with Sourceforge, Twitter, BMW, Panasonic, Netflix, Zynga...

Re:Huh? (1)

Frosty Piss (770223) | about 10 months ago | (#44151067)

...along with ... Zynga...

Well then, this is an appropriate product for them, the backdoor thing and all, since Zanga is a bunch of assholes...

Re:Huh? (1)

zullnero (833754) | about 10 months ago | (#44151575)

A lot of companies boast about their corporate users, but a whole lot of them are situations where some guy in a team downloaded an evaluation copy of a tool and had to fill out a form listing their affiliated company. Then they're perfectly in the clear if they take the best companies from their evaluation request forms and list them on a site. I wouldn't trust that marketing shpiel without verifying it with any of those companies, first...and fat chance that'll happen.

I know full well that I'm probably responsible myself for some of the larger companies I've worked for getting listed in some small software dev house's marketing junk because aforementioned reasons. I always had a long leash and my bosses confirmed that they didn't care one bit since I had to work within a locked down system anyway. Which kind of makes it tough to get to the point where you can exploit the backdoor unless there's an exploit in the locked down server we worked with.

Re:Huh? (1)

philip.paradis (2580427) | about 10 months ago | (#44151783)

In Atlassian's case, usage of their products is actually about as widespread as it appears. I say this from a lot of firsthand knowledge with installing, configuring, and managing their products in a lot of environments.

What exactly do you mean when you say "locked down server?" Unless you mean "disconnected from the Internet and/or sitting behind a NAT gateway that requires additional authentication via a VPN or other means to traverse," this sort of vulnerability doesn't depend on anything more than having the product(s) accessible to an attacker over a network connection.

Re:Huh? (0)

Anonymous Coward | about 10 months ago | (#44152259)

What exactly do you mean when you say "locked down server?" Unless you mean "disconnected from the Internet and/or sitting behind a NAT gateway that requires additional authentication via a VPN or other means to traverse," this sort of vulnerability doesn't depend on anything more than having the product(s) accessible to an attacker over a network connection.

I think OP meant production server (vs. development/sandbox workstation install). And why would you have Crowd exposed on the public side of your network anyway? All of our internal systems require additional authentication via a VPN or other means to access from outside the secured intranet.

space aliens in a group? (0)

Anonymous Coward | about 10 months ago | (#44151103)

space aliens in a group?

Atlassian Crowd? (0)

Anonymous Coward | about 10 months ago | (#44151421)

I've been treated at my $company to some Atlassian products (Jira, Confluence).

From my POV, it's just your "enterprise level Java hairball" (in marketing talk a "stack", perhaps because it sounds a bit more orderly) rendering a sad and bureaucratic caricature of things which already are around, like wiki and issue tracker. Crowd seems to be some single-sign-on thingie (think Kerberos and Moonshot, but perhaps pounded into a buzzword compliant but barely usable minceball).

Re:Huh? (0)

Anonymous Coward | about 10 months ago | (#44151435)

Did I miss any important questions?

Yes you did.

"Why doesn't the summary give a short description of this, and possibly a link to more info ?"

Re:Huh? (1)

Buzer (809214) | about 10 months ago | (#44152179)

The terminology in article confused me as well. It's talking about "enterprise single sign-on" which actually means something different from what Crowd actually seems to provide. It's usually used to refer software that does SSO to desktop applications (well known software in that sector are like Oracle ESSO, NetIQ (formerly Novell) SecureLogin, IBM SAM ESSO (formerly IBM TAM ESSO)). Crowd, however, seems to be WebSSO+IDM [atlassian.com] solution.

Not surprising (5, Interesting)

_merlin (160982) | about 10 months ago | (#44149949)

Atlassian has absolute contempt for their paying customers. Each release of JIRA has functionality and flexibility that people actually want removed in the name of making it easier to use for new users. JIRA and Crucible use some monstrosity of JavaScript that causes lag when typing into intput fields, and certain versions clash with Ghostery in a way that causes certain characters (e.g. spaces) to be swallowed. It's sad, but it doesn't surprise me at all that they don't care about security in an authentication system.

Re:Not surprising (0)

Anonymous Coward | about 10 months ago | (#44150043)

>Each release of JIRA has functionality and flexibility that people actually want removed in the name of making it easier to use for new users

Are you sure you aren't accidentally using the Jira Jr. [youtube.com] version?

Re:Not surprising (1)

_merlin (160982) | about 10 months ago | (#44150081)

So that's where the licensing fees go - making professional-looking fluff videos. Well at least they have _something_ to show for it.

Re:Not surprising (1)

Anonymous Coward | about 10 months ago | (#44150087)

Atlassian has absolute contempt for their paying customers. Each release of JIRA has functionality and flexibility that people actually want removed in the name of making it easier to use for new users. JIRA and Crucible use some monstrosity of JavaScript that causes lag when typing into intput fields, and certain versions clash with Ghostery in a way that causes certain characters (e.g. spaces) to be swallowed. It's sad, but it doesn't surprise me at all that they don't care about security in an authentication system.

No shit. What's that old joke about shrink-wrapped stool samples?

And you are informative - I never bothered to learn what sphincter JIRA came out of. Heaven forbid someone makes a mistake calculating required disk storage for JIRA - if that SuperTurd fills up its disk storage it fails spectacularly and corrupts everything.

Now I know Atlassian is that sphincter.

Re:Not surprising (1)

beaverdownunder (1822050) | about 10 months ago | (#44150175)

> Heaven forbid someone makes a mistake calculating required disk storage for JIRA - if that SuperTurd fills up its disk storage it fails spectacularly and corrupts everything.

Sadly, I've experienced what the AC is talking about =( I mean WTF? The consequences of running out of disk space could / should be better disclosed. (I know, I know... anyone 'worth their salt' should already know better. But still...)

Otherwise, JIRA's not-too-shabby, especially if you're getting it for the really cheap license fee...

Re:Not surprising (2)

Anonymous Coward | about 10 months ago | (#44150417)

> Heaven forbid someone makes a mistake calculating required disk storage for JIRA - if that SuperTurd fills up its disk storage it fails spectacularly and corrupts everything.

Sadly, I've experienced what the AC is talking about =( I mean WTF? The consequences of running out of disk space could / should be better disclosed. (I know, I know... anyone 'worth their salt' should already know better. But still...)

Otherwise, JIRA's not-too-shabby, especially if you're getting it for the really cheap license fee...

No.

No product should ever respond to a failed IO operation by going batshit crazy and corrupting data willy-nilly. Because IO operations can fail for a lot of reasons.

JIRA's a turd, plain and simple.

Re:Not surprising (5, Informative)

BitZtream (692029) | about 10 months ago | (#44150453)

... So when they repeatedly state that the built in database is for evaluation purposes ONLY and that usage of it may result in data corruption or loss ... on EVERY PAGE ADMIN PAGE UNTIL YOU SWITCH OFF OF the built in database, that wasn't enough of a warning for you?

I'm not sure how much more warning you can get, short of them corrupting your database intentionally on a daily basis so you get the point sooner.

Re:Not surprising (-1, Flamebait)

Anonymous Coward | about 10 months ago | (#44150637)

... So when they repeatedly state that the built in database is for evaluation purposes ONLY and that usage of it may result in data corruption or loss ... on EVERY PAGE ADMIN PAGE UNTIL YOU SWITCH OFF OF the built in database, that wasn't enough of a warning for you?

I'm not sure how much more warning you can get, short of them corrupting your database intentionally on a daily basis so you get the point sooner.

They can't ship with an embedded database that doesn't suck?
Or none at all?

The customer is always right.
The customer is always right.
The customer is always right.

Re:Not surprising (2)

Nyder (754090) | about 10 months ago | (#44150097)

Atlassian has absolute contempt for their paying customers. Each release of JIRA has functionality and flexibility that people actually want removed in the name of making it easier to use for new users. JIRA and Crucible use some monstrosity of JavaScript that causes lag when typing into intput fields, and certain versions clash with Ghostery in a way that causes certain characters (e.g. spaces) to be swallowed. It's sad, but it doesn't surprise me at all that they don't care about security in an authentication system.

Actually you gave the answer why. Since they are focused on new customers, it's all about the money they can get. Fixing stuff cost money, so they don't.

Re:Not surprising (1)

viperidaenz (2515578) | about 10 months ago | (#44151801)

Perhaps if they had an issue tracking system they could manage those defects and get them fixed...

Re:Not surprising (2)

rvw (755107) | about 10 months ago | (#44152085)

Perhaps if they had an issue tracking system they could manage those defects and get them fixed...

Well it appears you can sign in yourself. So go ahead and file a bug report!

Re:Not surprising (1, Troll)

l0ungeb0y (442022) | about 10 months ago | (#44150103)

Each release of JIRA has functionality and flexibility that people actually want removed in the name of making it easier to use for new users

What are you talking about? I've been using JIRA for years and have worked with many companies who use JIRA and have heard no complaints about their features. They have many features and they work very well for me and others.

Personally, I enjoy the Atlassian stack, find it unrivaled in feature coverage and have migrated many clients to the Atlassian stack.
And I've ever seen any sort of lag when typing in any field in JIRA or Crucible, or Crowd or Greenhopper or Fisheye or Confluence.

But then again, I don't use ghostery, don't know what it is, never heard of it, don't use it and wonder why you expect Atlassian to craft their software stack against third party software.

From the tone of your post, you are just leaping at a chance for a cheap jab at Atlassian with trumped up nonsense.

Re:Not surprising (0)

Anonymous Coward | about 10 months ago | (#44150167)

Then you've never tried installing JIRA. Without significant server optimization for their application it runs like a dog. Our devs were reporting 30 second page loads on a dedicated Nginx server. We ended up dropping it.

Re:Not surprising (0)

l0ungeb0y (442022) | about 10 months ago | (#44150211)

I will admit their services are rather resource intensive. But I've installed the JIRA stack at least twice without major issue and the response time was just fine. I find it best not to put more than 2 or 3 services on a given machine. And have ran it on Mac Mini Servers to 1U rack servers.

And how did Nginx factor in? If I recall, the JIRA apps provide their own HTTP services via Tomcat and Apache.
So it's likely you fucked up your own custom install and are holding Atlassian responsible for your own mess.

For small teams and those who just want to get up and running without the additional overhead, JIRA has a hosted service, which sounds like you could have used and should have looked into.

Re:Not surprising (2)

Drakonblayde (871676) | about 10 months ago | (#44150863)

If you're virtualizing Atlassian apps, it does take a bit of work and optimization to make them play nice, which is how every install (including my own personal ones) I've ever worked on has been installed. Once they're tuned, they hold up and scale pretty well though.

Re:Not surprising (4, Interesting)

CrankyFool (680025) | about 10 months ago | (#44150377)

It may be a factor of whether you're talking as a user or as an administrator.

I can't speak authoritatively to JIRA as a product I'm responsible for -- I never owned a JIRA installation (well, not one with significant volume) -- but I use JIRA, and we use JIRA here, for a whole crapton of things from change tickets to production emergency handling, to task handling, to all development tasks. As a software engineer, and a software engineering manager, I love it -- and so do most of the other users we have here.

It helps that we think of this kind of stuff as something you should actually invest in, and we have someone who probably has about 50% of his time dedicated to making JIRA run and making it work better for us. I've always found that bug/defect/issue/task tracking systems are better, and make their users happier, when they have a champion who's allowed to invest real resources in their care and feeding.

Re:Not surprising (3, Insightful)

_merlin (160982) | about 10 months ago | (#44150299)

But then again, I don't use ghostery, don't know what it is, never heard of it, don't use it and wonder why you expect Atlassian to craft their software stack against third party software.

It's a browser plugin for blocking intrusive tracking elements in web sites. I've never had it cause trouble with any other web site besides those that intentionally require you to submit to tracking (e.g. airport wi-fi sign-on pages), but those sites will usually detect the elements being blocked and give you an upfront message about it. It's almost like Atlassian went out of their way to make their stuff not work with Ghostery.

From the tone of your post, you are just leaping at a chance for a cheap jab at Atlassian with trumped up nonsense.

From the tone of your post you are a shill who has something to gain from Atlassian sales, jumping at a chance for a cheap sales pitch with vague anecdotes.

Personally, I enjoy the Atlassian stack, find it unrivaled in feature coverage and have migrated many clients to the Atlassian stack.

Ah, right. You sell Atlassian software. Can you say "conflict of interest"?

Re:Not surprising (3)

l0ungeb0y (442022) | about 10 months ago | (#44150851)

No, I don't sell Atlassian Software, I consult startups for a living.
I get nothing from Atlassian, and don't put all my clients on Atlassian.
Many of them I put on Github Enterprise.

It depends on the client, the product, the development cycle, the team, and the roadmap.
But hey -- don't let that stop you from making wild and baseless accusations.

Re:Not surprising (3)

Drakonblayde (871676) | about 10 months ago | (#44150881)

Ah, right. You sell Atlassian software. Can you say "conflict of interest"?

You're being a dick. It's fairly obviously he does consulting work for clients, and as such, provides them with solutions to meet their requirements and improve their work flow. That's like saying that, just because I'm a network engineer whose decides to implement a Cisco solution for a customer, that I'm selling Cisco hardware.

You're sounding like a bitter jerk.

Re:Not surprising (0)

Anonymous Coward | about 10 months ago | (#44151937)

You're sounding like a bitter jerk.

Says the guy who failed to contradict the point and relied entirely on ad hominem name calling.

Re:Not surprising (0)

Anonymous Coward | about 10 months ago | (#44151395)

Fisheye runs horribly under google chrome. Since chrome is faster for nearly everything else, they've got to be doing something strange (perhaps generating lots of errors).

It is the only thing I end up using firefox for these days.

Re:Not surprising (1)

Anonymous Coward | about 10 months ago | (#44150633)

JIRA helped kill our company.

Had nothing to do with the technical stuff beyond the fact that it replaced a bunch of people who could derive metrics from database queries -- with a bunch of people who could only use webapps. But the webapp crowd was buzzword-compliant, and the middle of the pack was more than willing to go along in order to put "JIRA" on their resumes. The top devs were driven out because they weren't agile enough, or whatever the managers came up with. (The managers could understand the pretty graphs they got out of JIRA, and could spend hours mucking about reconfiguring dashboards. They didn't want to read anything the devs wrote.) The rest, as they say, was history.

Re:Not surprising (1)

loom_weaver (527816) | about 10 months ago | (#44150931)

4 years ago when I used Atlassian products JIRA was great and worked just fine for our company. Crucible was fine too. Fisheye seemed a bit slow.

Customer support was responsive. I don't think their other products deserve the vitriol your posting but this backdoor, if indeed put in intentionally by them, is pretty damning.

Curse and I would have got away (0)

Anonymous Coward | about 10 months ago | (#44149977)

with it too without you meddling NSA kids being unable to catch snowden!

Crowd is shit. (0)

Anonymous Coward | about 10 months ago | (#44150061)

use cas and it's jasig developed altlassian plugin, Crowd is shit.

The bug report with included patch (3, Informative)

miknight (642270) | about 10 months ago | (#44150085)

Re:The bug report with included patch (1)

Anonymous Coward | about 10 months ago | (#44150239)

>

That's for the bug that the report actually discusses, not the backdoor that the report mentions but does not discuss.

Re: The bug report with included patch (0)

Anonymous Coward | about 10 months ago | (#44150773)

He did not report the second one.

Re: The bug report with included patch (0)

Anonymous Coward | about 10 months ago | (#44151221)

I wonder if Atlassian have even considered creating a bug report themselves? Maybe they don't look for/fix bugs until they've been reported by others at least twice with 12 months in between?

! Obama Regime Has A 'Cold' ... Ah Chew (-1)

Anonymous Coward | about 10 months ago | (#44150237)

'Resources' of the Obama Regime, including c[r]o[w]d infrastructures at NSA, Ft. Meade and Utah, are compromised !

Allied forces in Europe gained access to servers at US NSA Ft. Meade Maryland and Utah Installation Intelligence Community Comprehensive National Cybersecurity Initiative Data Center at 00:07 UTC July 2013.

US Forces Central Command and National Security Council and C3I Directorate have not been informed at this time.

45 Penta-bytes of files have been copied 1 hour after gained entrance to servers in Reykjavík, Iceland and co-copyed to servers in København, Denmark.

At 00:10 UTC servers at the USA White House were compromised and access gained to storage units. Files from the Obama Regime have been copies to servers in Berlin and Paris, with copies sent to København, Denmark.

At 00:15 UTC servers at the USA Supreme Court and the District Court of the District of Columbia were compromised and access gained to storage units. 13 Penta-bytes of files have been copied to servers in Brussels, Belgium with copies of the files sent to servers in Reykjavík, Iceland.

The European Union Headquarters in Brussels has alerted INTERPOL that USA Government Flights are not allowed across EU Air Space. European Forces will be dispatched if a USA Government Flight invades European Air Space. European Forces Fighter Jets are given legal ground to interdict USA Government Flights which enter EU Air Space with orders to escort the invading aircraft on a reverse trajectory. If the USA Government Aircraft refuses or does not answer to the EU Forces Jet Fighter, the EU Forces Jet Fighters are instructed to shoot down the USA Government Aircraft as it is an invader to the peaceful airspace of the European Union.

A General of the European Union Forces gave this comment: "Perhaps there is a God to Forgive Obama and his Regime, ... We however will not ! "

security alerts (4, Insightful)

manu0601 (2221348) | about 10 months ago | (#44150259)

While it is nice for the persons in charge of this obscure software to be notified about a problem on Slashdot, I am not sure I would be very happy to see that generalized.

But that leads to a real question: how do you learn about vulnerabilities for the softwares you are in charge?

Re:security alerts (0)

Anonymous Coward | about 10 months ago | (#44150483)

Go to Blackhat/Defcon? Read 2600?

Re:security alerts (0)

Anonymous Coward | about 10 months ago | (#44152427)

While it is nice for the persons in charge of this obscure software to be notified about a problem on Slashdot, I am not sure I would be very happy to see that generalized.

But that leads to a real question: how do you learn about vulnerabilities for the softwares you are in charge?

If it is obscure software, you need to get out more.

Commercial Trash (3, Interesting)

gweihir (88907) | about 10 months ago | (#44150373)

Unless it starts to really, really hurt selling this kind of trash, not fixing _known_ vulnerabilities and not using secure coding practices, nothing will change. It is just cheaper this way and most customers do not care or cannot do anything anyways. One reason surely is managers at the customers that made this broken decision or supported it and now cannot back out without hurting themselves. Another is that absolutely nothing is going to happen to the vendor legally.

Unless we start to require sound secure software engineering practices OR ELSE! nothing will change.

Re:Commercial Trash (0)

Anonymous Coward | about 10 months ago | (#44151917)

There are two vulns the paper talks about
1. The one it describes in detail, which has been fixed, and
2. The one described under "UNPATCHED VULNERABILITIES" section, which has not been disclosed to Atlassian yet.

"un-patched vulnerability..." (0)

Anachragnome (1008495) | about 10 months ago | (#44150467)

The NSA has pretty much proven to me that the INTERNET is an "un-patched vulnerability..."

Re:"un-patched vulnerability..." (0)

Anonymous Coward | about 10 months ago | (#44150709)

The NSA has pretty much proven to me that the INTERNET is an "un-patched vulnerability..."

It was designed that way, remember - no borders, anonymity, free content with ads, free service if you share with advertisers?

You can be robbed by a man in Nigeria pretending to be a hot chick down the street but when the government reads email you knowingly share for market analysis, "oh noes, the Internet is insecure".

Makes perfect sense. (0)

Anonymous Coward | about 10 months ago | (#44150479)

ATLAS SHRUGS at your weak, pathetic, concerns.

Atlassian Slow as Molasses (0)

Anonymous Coward | about 10 months ago | (#44150529)

I tried really hard to like Atlassian's products. Jira is okay. Confluence, on the other hand, turned me off to all Atlassian products. The interface is awful, and it is slower than molasses. I have no idea how anyone evaluates that product and thinks, "Yeah, this looks great and is snappy. This will work wonderfully!"

I think Atlassian is more interested in putting on dog shows than writing quality software.

Re:Atlassian Slow as Molasses (2)

Drakonblayde (871676) | about 10 months ago | (#44150907)

Confluence works fine, but you have to be willing to throw the right hardware at it, or be willing to tune it. Something like Doku or Mediawiki is alot less resource intensive, but Confluence is, in a nutshell, a java app, and you need to treat it accordingly. Once tuned and scaled properly, it works just as well as any other wiki, and I personally find formatting for it to be alot easier, as well as the actual management of it.

Re:Atlassian Slow as Molasses (0)

Anonymous Coward | about 10 months ago | (#44151047)

would you share your hardware specs and anything specific tuning wise?
we were forced to migrate to confluence and it's slow, so if someone has it running fast, i'd like to share what you did with our admins

I also can't believe they took away wiki mark up in the newer versions

Re:Atlassian Slow as Molasses (1)

Drakonblayde (871676) | about 10 months ago | (#44151569)

Yeah, I'm a tad annoyed at some of the changes in Confluence 5.

As far as tuning goes, that I cannot offer any advice on. In the enterprise, we run Confluence virtualized, and our VMWare admins and server admins were the ones who beat their heads against it. My personal install is also virtualized on VMWare, and I just tossed 4 gigs of memory and 2 vCPU's at it, and it works fine. However, it only supports like 4 users, so it's not exactly the greatest stress test in the world.

The report's author are pretty convincing (1)

fgrieu (596228) | about 10 months ago | (#44151325)

The original report says about the last vulnerability discussed (but not disclosed)

Indicators such as covert positioning, the use of special parameters, absence of log messages, facilitation of persistence, and apparent lack of legitimate purpose suggest that this vulnerability could be classified as a symmetric backdoor if malicious intent were to be established (which it has not).

I like the tone: they stop short of stating this is a deliberate backdoor of the worst kind, but give extremely convincing argument that it is one.

Re:The report's author are pretty convincing (4, Informative)

Anonymous Coward | about 10 months ago | (#44151935)

I work for Atlassian and the author has not yet disclosed the vulnerability described in the "UNPATCHED VULNERABILITIES" section to us.

Atlassian provides source code for most of our products (including Crowd) to paying customers. We would never deliberately build a backdoor into any of our products and I personally would never work for a company that would do that.

You can make a difference... (1)

treval (89829) | about 10 months ago | (#44151819)

Appropriately enough, they are looking to hire a "Director of Security" in their Sydney office.

https://www.atlassian.com/company/careers/jobs/listing?org=ATLASSIAN&cws=1&rid=688

(Actually, Atlassian make some really good software and it would be a great place to work.)

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...