http://www.perlmonks.org?node_id=784965


in reply to Re^2: Status of Recent User Information Leak
in thread Status of Recent User Information Leak

Everyone who bothered to find out knew it was stored as plaintext; no claims were ever made to the contrary. Fixing this was in the TODO... I still thank them, they're volunteers.

Re^4: Status of Recent User Information Leak
by Argel (Prior) on Jul 31, 2009 at 19:53 UTC
    Kind of like how the hackers bothered to look into it?? This apologist attitude is tiring and counter-productive. Thank the people for the great volunteer work they have done and are still doing, but please don't apologize for the glaring oversights that also occurred. I mean, what are we, some large corporation concerned more about covering things up and figuring out how best to spin this?? I'm not sure what the beverage of choice is for Perl programmers, but I'm pretty sure it's not Kool-Aid!!

    Elda Taluta; Sarks Sark; Ark Arks

      I'm not apologizing. The outrage is what is tiring and counter-productive. I'm sorry you feel a free website owes you bank-level security. It's like a building with a high level of security, but once inside, "personal records" are only secured by a padlock. Did it promise you security from breaking and entering? No. They're not protecting your money, only one single word, your password. OK, 3 words if you put in your real name. Be outraged at yourselves for:
      • putting personal information into a random website
      • reusing passwords
      • confusing a random website with a bank or shopping site

        I mostly agree I'm just pointing out that apologists do not apologize.

        Hell no. This is a developer resource, by and for developers. The fact that they stored plaintext passwords, which has been a worst practice since the invention of the hashing algorithm is in one word: Outrageous. This stuff is so basic, so incredibly basic, that there is no excuse. If you can't even bother hashing your passwords, you should be banned from posting code on the internet altogether.
      My outrage was deemed paranoia in the face of a horde of apologists. We need fewer anonymonk posts on this and should say it plainly: the conduct was not acceptable. My thank-yous are hard to find when the persons I am supposed to thank are at fault to begin with. If a bank gave away your personal info and didn't notify you, but said they'd get around to fixing it someday, do you send them an e-card?

        If a bank gave away the information they hold on me, I'd face the risk of losing all my property.

        If PerlMonks gives away all the information they hold on me, the worst thing that can possibly happen is that someone might pretend to be me on PerlMonks.

        I really don't think the two scenarios are comparable.

        Yes, storing passwords as plaintext was stupid. But let's get some perspective here. "Outrage" is a strange reaction to the leaking of passwords for a simple discussion forum; would it really affect your life significantly if someone else posted as Zen on PerlMonks? And anyone who was reusing the same password for more serious purposes elsewhere was being just as stupid.

        Storing passwords either in plaintext or as a hashed version is not really of much consequence, as after supplying login data, the password is sent in plaintext from your user agent to the web server. (I would surely change my tune if/when the login starts taking place over an encrypted connection and passwords are still stored in plaintext.)

        That is the same as sensitive (for some definitions of it) emails being sent from banks or family in plaintext. How does it matter if they are encrypted after receiving?
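Two points in this thread are worth making concrete: the earlier reply's claim that hashing stored passwords is basic practice, and the reply just above, which argues that hashing matters little when the login form itself travels in plaintext. Transport encryption and hashed storage protect against different exposures: the first against someone reading the wire, the second against someone reading a copy of the user table, which is what a site database leak hands over. The following is an added example, not code from PerlMonks or from anyone in this thread. It stores a credential as a salted PBKDF2-SHA256 record, verifies a login against it, and shows what a leaked copy of the table does and does not contain. The user names and passwords are constructed sample data, and the iteration count is an assumed work factor.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed work factor; raise it as hardware allows. Not a PerlMonks setting.
ITERATIONS = 100_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt per user means two users with the same password
    get different records, so a leaked table cannot be attacked in bulk
    with one precomputed lookup.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iters = int(iterations)
    except ValueError:
        return False  # malformed or tampered record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)
    return hmac.compare_digest(digest, expected)


def build_user_table(credentials: Dict[str, str], hashed: bool) -> Dict[str, str]:
    """Simulate the stored user table, either the plaintext way or the hashed way."""
    if hashed:
        return {user: hash_password(pw) for user, pw in credentials.items()}
    return dict(credentials)


def passwords_exposed_by_leak(table: Dict[str, str], credentials: Dict[str, str]) -> int:
    """Count users whose actual password appears verbatim in a leaked copy of the table.

    This is the exposure a database leak creates; transport encryption does
    nothing about it, hashed storage removes it.
    """
    return sum(1 for user, pw in credentials.items() if table.get(user) == pw)


# Constructed sample accounts; these are not real users or passwords.
SAMPLE_CREDENTIALS = {
    "monk_a": "correct horse battery",
    "monk_b": "correct horse battery",  # same password as monk_a
    "monk_c": "s0me0therPhrase",
}


if __name__ == "__main__":
    plain = build_user_table(SAMPLE_CREDENTIALS, hashed=False)
    hashed = build_user_table(SAMPLE_CREDENTIALS, hashed=True)
    print("exposed in plaintext leak:", passwords_exposed_by_leak(plain, SAMPLE_CREDENTIALS))
    print("exposed in hashed leak:   ", passwords_exposed_by_leak(hashed, SAMPLE_CREDENTIALS))
    print("monk_a record:", hashed["monk_a"])
    print("login ok:", verify_password("correct horse battery", hashed["monk_a"]))
    print("login bad:", verify_password("wrong guess", hashed["monk_a"]))
```

Note that `monk_a` and `monk_b` share a password yet their stored records differ because of the per-user salt, and that a record edited by hand fails verification instead of raising, so a corrupted table entry locks that account rather than opening it.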

        Well, would you consider sending an e-card if it had some cross-site scripting attacks embedded?!? (^_^) Just kidding of course, but I couldn't resist! (^_^;)

        Elda Taluta; Sarks Sark; Ark Arks