Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl-Sensitive Sunglasses

Re: Status of Recent User Information Leak

by moritz (Cardinal)
on Jul 30, 2009 at 21:59 UTC ( #784756=note: print w/replies, xml ) Need Help??

in reply to Status of Recent User Information Leak

Thanks to all the gods for the hard to work to handle this breach as gracefully as possible, and for all the other helpful monks who helped other monks changing their passwords, pointing them to relevant threads etc.

I know that you earned lots of criticism in the CB and in other discussions here for not handling this breach the way they wanted, or not using hashed passwords in the first place.

With 50k accounts that's to be expected. There'll always be somebody who's unhappy with your reactions, and many diverging opinions. Still I think that you did an incredible job, especially if we consider that you're all just volunteers with day jobs and real lives.

Update: And please take it with some sense of humor ;-)

  • Comment on Re: Status of Recent User Information Leak

Replies are listed 'Best First'.
Re^2: Status of Recent User Information Leak
by tokpela (Chaplain) on Jul 31, 2009 at 08:18 UTC

    And I would like to add my thanks++ as well.

    There is a saying "sh*t happens".

    But your response is quite impressive and I hold a deep respect for all of the hard work you do in your "spare" time!

      Posting as anonymous because I can't log in right now.

      I'm furious this site used plaintext passwords. What a??holes even consider launching a basic site, let alone one used by professionals worldwide, storing passwords as plaintext?

      Sh*t happens, sure, but setting up the most loyal users to be f*cked is NOT cool.

      I sincerely doubt I'll use this kindergarten site again. It was NOT worth the sainthood.

        storing passwords as plaintext?

        Guess what, I just got a password reminder from Mailman, with my password und login in cleartext... *

        let alone one used by professionals worldwide
        And now, dear tr*ll, have a look at this list... 8)

        Cheers Rolf

        UPDATE: see Mailman considered harmful


        (*) for those unaware, even "magic" p*th*n can't reconstruct a securely hashed password into plaintext!

        UPDATE2: Should be noted that Mailman explicitly warns at registration to reuse an important password. Thanks Moritz!

Re^2: Status of Recent User Information Leak
by Anonymous Monk on Jul 31, 2009 at 18:10 UTC
    "Thanks to all the gods for the hard to work to handle this breach as gracefully as possible ..."

    Um. I do not share such sentiments. Perhaps I am wrong, but it seems to me that the "gods" knew about the password being stored in plain text for a long long time and did nothing to alert us or fix the problem.

    So, no. I don't thank them for this at all.

      Calling someone with a legitimate grievance a 'troll' simply because they make their point forcefully is simply inaccurate.

      I agree that this site is maintained by volunteers. I humbly thank you all for the years of effort that you have donated. I and everyone else here have enjoyed the free ride.

      I will point out that "free ride" means a very low expectation level.

      But are we not all software developers? Do we not practice what we preach? I do not expect us to provide the same level of service that a bank does - in a way I want MORE - since we are trying to set an example to follow.

      But again, 'volunteers' means that I do not get to expect that - as much as I would like it to be so.

      However - that the volunteers had the time to modify the voting and experience system but no time for security - is a damned shame.

      It is more embarrassing still when I read in TheRegister that maybe people will not trust perl as much because of this.

      That strikes me as a larger problem.

      So has anyone volunteered their time to work on security & fix the barn doors after the horses have eaten our children?

      Wait! This isn't a Parachute, this is a Backpack!
      Everyone who bothered to find out knew it was stored as plaintext, no claims were ever made to the contrary. Fixing this was in the TODO... I still thank them, they're volunteers
        Kind of like how the hackers bothered to look into it?? This apologist attitude is tiring and counter-productive. Thank the people for the great volunteer work they have done and are still doing, but please don't apologize for the glaring oversights that also occurred. I mean, what are we, some large corporation concerned more about covering things up and figuring out how best to spin this?? I'm not sure what the beverage of choice is for Perl programmers, but I'm pretty sure it's not Kool-Aid!!

        Elda Taluta; Sarks Sark; Ark Arks

Re^2: Status of Recent User Information Leak
by bigiain (Initiate) on Jul 31, 2009 at 23:51 UTC
    FWIW, I'm reasonable sure my password stolen from here was just used to spam from my twitter account (iq tests and acai berry weightloss spam, in case anyone's interested.) big
Re^2: Status of Recent User Information Leak
by jnbek (Scribe) on Aug 03, 2009 at 15:03 UTC
    While I'm not thrilled to know passwords were stored as plain text, I beleive that this is quite excusable, and quite forgiven in my book. Good job of handling the issue, and thanks for you honesty and not pointing blame anywhere, but instead just working to solve the issue once and for all.
      Just because a good job was done of handling the issue does not equate to forgiveness in many of our books. No one is looking to punish anyone, so please stop being apologists and always remember that the volunteers chose to update the experience and voting system rather than protect the privacy of the users.

        Volunteers can do whatever the fsck they want. They're volunteers. I for one welcome our new volunteer overlords.

        Your position amounts to: Since no one had the tuits to make difficult but minor fixes to the passwords which would not have protected user emails or such at all in this recent breach, I don't want any new features.

        OK, understood. So then, what caused the site volunteers to update the experience and voting system rather than protect the privacy of the users? While I haven't spoken to any of them about this, my sense is that, like most things, the experience and voting system are very visible to the end users, while the fact that passwords were stored in plaintext was not. I would venture a guess that, had enough of the monks complained about the passwords when the folks were considering whether to update the experience and voting system or go to a different password storage system, they would have chosen to work on the passwords. That's just conjecture on my part, though.

        Updated to change "That begs the question" to "So then" to make Anonymous Monk feel better.


Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://784756]
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others perusing the Monastery: (3)
As of 2018-05-26 05:06 GMT
Find Nodes?
    Voting Booth?