http://www.perlmonks.org?node_id=784766


in reply to Status of Recent User Information Leak

"Some time on May 20, 2009, an unused (but still on line) perlmonks server was hacked...
The exploit was published in a hacker e-zine, and was brought to the attention of PerlMonks administrators later that night."

From the text here, it sounds like the exploit was known to the Perlmonks administrators for two full months before anything was done about it. Can someone explain to me why this security breach was wide open for two months without any notification for the people who may have been affected?

Edit to add: The original node has been updated since I posted this, clarifying the point. Specifically, the second sentence I quoted now shows a date.

Re^2: Status of Recent User Information Leak
by planetscape (Chancellor) on Jul 31, 2009 at 11:21 UTC

    The gods found out about the leak sometime on 07/28/2009. The May 20 date would seem to be the result of forensic sleuthing by the gods/Pair.com. As far as anyone knows, the info was only leaked, by the hackers, as of approximately Jul 28, 2009 at 18:00 CDT (my best guess based on when certain links were posted on certain blogs - I don't feel the need to give any more direct pointers to the hacker 'zine).

    HTH,

    planetscape

      It's just the way the original node is worded -- apparently the gods were notified twice, two months apart. I was hoping that Co-Rion just mis-wrote the text and the gods were only notified once, on July 28th.

      Added: Note that I'm not looking for a link, and I agree that the fewer links to it, the better (no reason to make them all happy by giving them extra attention, not an attempt at "security through obscurity").

        The real problem is it's written as if the intent was to include the link to the ezine. Replace the link to the Wikipedia article with a link to the ezine and the sentence makes perfect sense. Well, you would need to follow the link, but after that it would make sense.

        Elda Taluta; Sarks Sark; Ark Arks

Re^2: Status of Recent User Information Leak
by Argel (Prior) on Jul 30, 2009 at 23:31 UTC
    It could be worded better but the intent is clear -- they found out about it shortly after the ezine was published (which was just recently). If that ezine link went to the actual ezine instead of a Wikipedia entry then we could see the publication date and Co-Rion's intent would be much clearer. Update: reworded previous sentence to be clearer.

    Elda Taluta; Sarks Sark; Ark Arks

Re^2: Status of Recent User Information Leak
by Anonymous Monk on Jul 31, 2009 at 17:59 UTC
    Re: the hacker "article" see here: http://staynalive.com/articles/2009/07/30/theres-more-than-one-way-to-store-a-password-perlmonks-hacked/ They claim not to have any further malevolent purposes:
    There is a really simple reason we owned PerlMonks: we couldn’t resist more than 50,000 unencrypted programmer passwords. That’s right, unhashed. Just sitting in the database. From which they save convenient backups for us. In case you guys are worried, we did NOT backdoor dozens of your public Perl projects. Honest. Why would we want to do that?
working: announcement of recent user info leak
by jdporter (Paladin) on Jul 23, 2009 at 20:36 UTC

    Nkuvu, you are right. Good catch. That is an artifact of the fact that, when originally drafted, the notice put the break-in date at July 28, the same day on which the exploit was published in the e-zine (and the day on which PerlMonks admins were made aware of the leak). Later, it was determined that the break-in occurred much earlier, on May 20. The second paragraph should have been amended to state that the exploit was published on July 28. This was an oversight and an error, principally on my part.

    To set the record straight — PerlMonks admins were made aware of the information leak on July 28, not on May 20 as the text implies.

    I apologize for the error and any consequent misunderstanding.


    Hello,
    
    Late yesterday we became aware that someone had cracked into a
    PerlMonks server and published a list of 580 account passwords and
    e-mails.  You have been e-mailed because you are one of those 580
    users.
    
    If you had not yet changed your password then we have changed it for
    you.  In either case, if you used that password anywhere else, you
    should go change those other passwords now.
    
    The server that was compromised was an old DB server that is no longer
    in use.  pair.com is investigating the breach but so far we have no
    indication that the production DB is not secure.  But there is a risk
    so please use a password that isn't used elsewhere.
    
    We are sorry about the inconvenience and are working to mitigate the
    current problem and prevent future problems of this sort.
    
    If you hadn't already changed your password, then please use
    http://perlmonks.org/?node_id=2513 to request an e-mail containing
    your new, randomly generated password.
    
    A few of you recently changed your e-mail address.  Most of these
    changes appear to be legitimate.  And we are sending this notice to
    both your previous (published) e-mail address and the new address that
    you (or somebody who used your published password) recently changed it
    to.
    
    Some of the e-mails have been reset to their previous value.  If your
    previous (or recent) e-mail at PerlMonks isn't one that you currently
    have access to and your password reminder doesn't reach you (and you
    aren't able to log in), then reply to PerlMonks Admins 
    <perlmonks.org@gmail.com> with the details so we can resolve the problem.
    
    Again, sorry for the inconvenience.  We thank you for your patience
    and understanding as we work on this problem.
    
    Sincerely,
    Tye McQueen, Max Maischein
    for the PerlMonks admins
    
    (email sent at Wed, 29 Jul 2009 21:13:14 UTC)
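The Anonymous Monk post above quotes the attackers' claim that the passwords sat unhashed in the database, and the admin notice ends by issuing randomly generated replacement passwords. As an added example that is not part of this thread or of the PerlMonks code base, the Python below shows the storage form a defender wants instead (salted PBKDF2-HMAC-SHA256 with constant-time verification), a migration of a constructed plaintext row into that form, and a CSPRNG-based reset-password generator of the kind the notice describes. The user name, password, iteration count and record layout are constructed assumptions, not data from the leak.

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed sample row (hypothetical user and password, not data from the leak):
# the shape of record the thread says was stored, i.e. password in the clear.
PLAINTEXT_ROW = {"user": "example_monk", "password": "correct horse"}

# Assumed work factor; tune to the hardware so one verification costs tens of ms.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing 'pbkdf2_sha256$iterations$salt_hex$hash_hex' string.

    A fresh 16-byte random salt is drawn per password, so two users with the
    same password get different stored values and a dumped table cannot be
    attacked with one precomputed table.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(digest.hex(), hash_hex)


def generate_reset_password(length=16):
    """Random replacement password from the OS CSPRNG (secrets, not random)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def migrate_row(row, iterations=PBKDF2_ITERATIONS):
    """Replace a plaintext row with a hashed one; the clear password is dropped."""
    return {"user": row["user"], "password_hash": hash_password(row["password"], iterations=iterations)}


if __name__ == "__main__":
    hashed = migrate_row(PLAINTEXT_ROW)
    print("stored:", hashed)  # nothing here reveals "correct horse"
    print("login ok:", verify_password("correct horse", hashed["password_hash"]))
    print("wrong pw:", verify_password("hunter2", hashed["password_hash"]))
    print("reset pw:", generate_reset_password())
```

The stored string carries its own algorithm name, iteration count and salt, so the work factor can be raised later and old rows re-hashed on next successful login without a flag day; a backup of this table is still sensitive, but it no longer hands out usable credentials.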