Beefy Boxes and Bandwidth Generously Provided by pair Networks
laziness, impatience, and hubris
 
PerlMonks  

Re: What happened?

by rowdog (Curate)
on Jul 30, 2009 at 09:35 UTC ( #784547=note: print w/ replies, xml ) Need Help??


in reply to What happened?

zf0 is what happened to us. The cat's already out of the bag so go read zf05 for yourself.

At least they kind of like us...

In case you guys are worried, we did NOT backdoor dozens of your public Perl projects. Honest. Why would we want to do that?
Not worth our time ;)

Ah well, live and learn I guess.


Comment on Re: What happened?
Re^2: What happened?
by Yary (Scribe) on Jul 30, 2009 at 18:19 UTC
    Thanks for the link to a copy of the haxor's newsletter.
    There is a really simple reason we owned PerlMonks: we couldn't resist more than 50,000 unencrypted programmer passwords.

    That's right, unhashed. Just sitting in the database. From which they save convenient backups for us.

    Believe it or not, there is actually debate at perlmonks about whether or not this is a good idea. Let's just settle the argument right now and say it was an idea that children with mental disabilities would be smart enough to scoff at. We considered patching this for you but we were just too busy and lazy. I'm sure you can figure it out yourselves.

    This isn't a bad set of passwords, either. Programmers have access to interesting things. ...

    And they also published that servers private ssh key, so that might be used to compromise other servers that trust it (depending on their config). And they published that server's password hashes, which is subject to a brute force attack.

    I'm shocked this site hasn't gone off-line for housecleaning. Bad enough to be hacked, glad there's a homepage announcement. Would like to see more repairs. Would like an announcement about how the original exploit, and how subsequent vulnerabilities caused by the info liberated during the breach, have been addressed.

    The one time I suspected a server had been hacked- didn't even have firm proof, just a good hunch- I took it off line, wiped the drive, re-installed the OS from CDs, gave all users new passwords, and restored the scripts/executables from known good sources and the data from backups. Pain in the buttocks but it had to be done. That was a small machine with half a dozen users and I know this site is much much bigger and thus more of an issue to take off-line, but please, it has to be done.

Re^2: What happened?
by dws (Chancellor) on Jul 30, 2009 at 18:27 UTC

    ... we did NOT backdoor dozens of your public Perl projects. Honest. Why would we want to do that?

    There's more than a bit of wiggle room in that statement. Would PerlMonks.org code be considered a public project?

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://784547]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others surveying the Monastery: (4)
As of 2014-09-15 05:01 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    My favorite cookbook is:










    Results (145 votes), past polls