Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl-Sensitive Sunglasses
 
PerlMonks  

Re^2: Status of Recent User Information Leak

by Anonymous Monk
on Aug 02, 2009 at 04:49 UTC ( #785187=note: print w/ replies, xml ) Need Help??


in reply to Re: Status of Recent User Information Leak
in thread Status of Recent User Information Leak

This only approaches the root of the problem in my mind.

This place was the core of the Perl community. If the community core could not mold Perl into the best choice for web development than I have to decide that no one can. The technology may be suited to the task, but there is no guidance on how to get there. As someone who regularly recommends technology my faith in the the Perl community has been more than shattered. A lot of smart people in one room who still can't make it work. In short, it makes Perl seem like a fruitless endeavor.

I also feel that the response to this incident was very poor. A placeholder for perlmonks.org notifying users of the situation would have been appropriate, within 10 minutes of realisation of the hack. All user data should have been locked down immediately, and announced as such until further notice - futher notice being when everything was guaranteed secure and the hack completely understood. Instead, for some bizarre reason the site continued to operate with clear confusion and indecision dominating the chatterbox for hours. Stern advice to immediately change passwords despite persisting ignorance surrounding the circumstances was paramount idiocy. Why give away one perfectly good password, when you could give away two?

To add insult to injury, after a painfully long waiting period of inaction, some monk with appropriate access decided that a leet-speak banner on the front page would be the best way to announce the site being compromised, followed by a joking reference to The Hitchhikers GTTG. Really? I failed to see the humour in it and found it to be one of the most publicly unprofessional acts I have ever witnessed.

To be sure, I laughed all day long as I removed Perlmonks from all my browsers bookmarks on all my computers. I continued laughing as I re-visited every site I've been to since 2002 checking to see if the password I used there was the same as perlmonks. Then I laughed as I checked all my personal accounts, my servers, and any other place I use a password to make sure it wasn't that one I favored long ago when I setup my perlmonks account. It was hilarious. Wasting the time of 50,000 people in addition to compromising their personal details is FUNNY.

I commend the few monks with any amount of public facing professionalism, such as tye. Conversely I vehemently censure the others who lean on the crutch of mediocrity waving slogans like, "it's a forum, not a bank", and "no site is secure". Before you posture as The Oracle, you need to be the oracle.

So now, to me, there is no trusted community core for Perl. That is the elephant in my room.


Comment on Re^2: Status of Recent User Information Leak
Re^3: Status of Recent User Information Leak
by ysth (Canon) on Aug 02, 2009 at 05:23 UTC
    I also feel that the response to this incident was very poor. A placeholder for perlmonks.org notifying users of the situation would have been appropriate, within 10 minutes of realisation of the hack.
    ...I vehemently censure the others who lean on the crutch of mediocrity waving slogans like, "it's a forum, not a bank"...
    It's a forum, not a bank. I continue to not see what would possibly have been gained to make it worth shutting down legitimate access to the website.
      *cough* apologist *cough*
Re^3: Status of Recent User Information Leak
by jettero (Monsignor) on Aug 02, 2009 at 05:31 UTC
    There seem to be an awful lot of overreactions going on here. Breakins happen from time to time. Storing the passwords cleartext is embarassing, sure, but it was probably considered handy for mailing passwords to people back in 1996 or whatever.

    Also, hashing the passwords does not make them that much safer. Are you talking md5/sha1 hmac stuff like the Linux shadow files? Well, a few hours with john will get you a huge majority of the passwords I imagine, even with salts. And for the patient (or the botnet operator), even the really good ones will be discovered in relatively short order.

    Pfft, I say. This is why you should use a randomly generated unique password on each site.

    It doesn't really have anything to do with Perl or the Perl community either. I imagine the everything 2 engine has crypted passwords -- I don't really know that, I just imagine. Probably this was a bad design decision unique to this particular e2 site.

    I'd guess more forum sites store passwords cleartext than don't though, doesn't really matter what language. It was really common to send your clear text password over cleartext email when you clicked "forgot password." A lot of sites changed this behavior, for good reasons, but a lot didn't. It's historical, not a Perl-the-language problem.

    Basically, people were just too lazy to change it, because that's how it's always been.

    -Paul

      Also, hashing the passwords does not make them that much safer. Are you talking md5/sha1 hmac stuff like the Linux shadow files? Well, a few hours with john will get you a huge majority of the passwords I imagine, even with salts.

      Absolutely, they had access to all the code base.

      Probably this was a bad design decision unique to this particular e2 site.

      I just checked, it is the default in the codebase. Maybe other sites wrote updates, but they haven't made it back to sourceforge.

      There seem to be an awful lot of overreactions going on here. Breakins happen from time to time.
      It's true that break-ins happen but I think a couple things make this different:
      1. With identity theft such a big deal these days and considering how much more hostile the Internet is (organized crime using botnets, etc.) the reaction is going to be stronger.
      2. Considering how many times people have told new Monks not to use clear text passwords, not to use weak algorithms, etc. I think many assumed this site was practicing what it preached.
      3. There is a difference between being told your account was hacked and finding out your information was published.
      4. And finally there is a huge difference between being told it was hacked and actually seeing your information listed in a hacker ezine!! There is nothing abstract about it after that!

      I will close with a quote from this blog entry:

      As a Perl developer, and CPAN author, this is a bit concerning. First, it would be one issue if this were just some random group of people whose passwords had been hacked, but this is a database of tens of thousands of developers, probably most with root access to the machines they write code on, and according to the hackers, many using passwords that are being re-used elsewhere. These are the passwords of developers like Chromatic, Brian D Foy, Andy Lester, engineers at major corporations and government entities, and more. The hackers couldn’t have picked a worse server to crack and expose.

      I think it's for reasons like these that there has been such a strong reaction.

      Update 2009-08-06: Looking at the ezine again I can add two more reasons. The hackers specifically stated that they "couldn't resist so many clear text passwords" (paraphrased) and that "several Monks reuse their respective passwords" (paraphrased). That indicates that non-PerlMonk accounts have been accessed. And as previously mentioned, keep in mind the breach occured over two months before it was discovered.

      Elda Taluta; Sarks Sark; Ark Arks

        I think many assumed this site was practicing what it preached.

        It is alive now? And managed by all 50,000 members? ...

Re^3: Status of Recent User Information Leak
by ELISHEVA (Prior) on Aug 02, 2009 at 06:09 UTC

    This place still is the core of the Perl community and therein lies your anger. You expected more. You got less.

    Your anger at wasted time is legitimate. But the blame is not on "the gods", but on all of us - me included, you included. Perhaps you may not have noticed but the number of monks actively involved in patching and enhancing this site can be counted on less than one hand. This is a large complex site with +80 database tables, 100 different node types, and 50-100K* lines of code - managed day to day by less than 5 people. With so few volunteers managing so many resources, it is almost guaranteed that even very important things will fall through the cracks or get pushed back onto the round tuit table.

    Did you volunteer for pmdev? If you did, when did you last contribute? If not, did you seek out ways to help developers better prioritize an ever growing to-do list? Did you donate money to hire a paid full-time developer? Did you volunteer when we discussed how to better manage enhancement requests? Did you take up mr_mischief on his request for information on how other on-line volunteer organizations manage volunteers? Or tye on his request to improve the patch application system? Add an insight to the discussion about the site improvement process? Volunteer to help coallate the numerous suggestions for improvement spread across tens, maybe hundreds of nodes?

    Nothing in life is free. We can each pay money for a site that is managed by paid staff. We can volunteer our time and expertise to "pay" for a site that is free. But if we do neither and then the site fails our expectations, we have only ourselves to blame.

    Best, beth

    * very approximate "guestimate" based on number of nodes containing operational code * 100 lines avg.
      Regarding joining pmdev, you might find redesign everything engine? illuminating (and disheartening). I don't really think it's fair to "blame . . . all of us" considering that the majority of Monks on here are probably not up to the task -- and people just starting to learn Perl certainly aren't!! Not to mention that we have a reputation of being nice to new users! I guess back in October when you joined the site we should have also forced you to join pmdev?? (^_^) Not to mention that people contribute in different ways. Both ikegami and BrowserUK are clearly qualified to work on the PM code but what's the point of having a great engine without great content?

      Regarding site improvements, lots of people have made suggestions in PM Discussions in the past (including myself), but few are actually implemented. The majority of actual improvements have either been more incremental in nature or have been Javascript/CSS tricks (which are encouraged by a long list of CSS enhancements to the site). And of course that thread I mentioned up above helps explain why -- the PM codebase is complicated to work with and familiarize oneself with.

      [And of course thanks to everyone who has worked on it!!]

      Elda Taluta; Sarks Sark; Ark Arks

        There is always something to do for any skill level and any combination of skills. My claim that we are all responsible comes out of my deep belief that we all have something to give - even a newbie.

        Coding isn't the only skill this site needs to run smoothly. Editing, writing, interpersonal skills, project management and volunteer coordination skills all could be put to good use. I think if you reread my post you will see that I made a point of listing many things that people could do without needing to be part of pmdev. And the list is by no means exhaustive.

        If you aren't sure where you fit in, you can always ask in the chatterbox, or if you are feeling particularly bold, in a PM discussion node. If you time it right there will almost certainly be someone willing to brainstorm with you.

        Best, beth

      This place still is the core of the Perl community and therein lies your anger.
      I call the wiki style
      citation needed
      here, The Perl foundation is the core of the Perl community.
      "But the blame is not on "the gods", but on all of us - me included, you included."

      Wrong.

      The blame is on those who knew, but did not correct the problem.

      The blame is on those who knew, but did not tell others.

      That may be you -- but do not include me. If I had known, I would have put my foot down until the situation was rectified. Remember when Janitors were pruned? Don't go pointing fingers about volunteering when you know damned well that you keep people out of your inner circle.

      And why ... pray tell ... has the issue still not been rectified?

        If I had known, I would have put my foot down until the situation was rectified.

        We still sign-in without https so the site is, as it always was, insecure. If you ever had your password mailed to you, which I think we all have, then you should have known they were plain text.

        The site's value was never that it was a paragon of forum software. Nothing about what makes the place valuable has changed. All that happened in the end was some cold water got thrown on a bunch of users who prefer to post anonymously.

        (Sidebar: Fun to see if this thread is still going when Perl 6 is released.)

Re^3: Status of Recent User Information Leak
by Anonymous Monk on Aug 02, 2009 at 06:46 UTC
    Who are you Mr. Professional?
Re^3: Status of Recent User Information Leak
by planetscape (Canon) on Aug 02, 2009 at 09:00 UTC
    To add insult to injury, after a painfully long waiting period of inaction, some monk with appropriate access decided that a leet-speak banner on the front page would be the best way to announce the site being compromised, followed by a joking reference to The Hitchhikers GTTG. Really? I failed to see the humour in it and found it to be one of the most publicly unprofessional acts I have ever witnessed.

    This reminds me of The Parable of the Old Man, The Boy, and The Donkey. Thus far, site admins have been vilified for notifying all users, not notifying any users, notifying only FaceBook users, notifying only users whose e-mails and passwords had been leaked, and on and on. Frankly, I am surprised we still have admins to bitch about and a site allowing us to bitch, given the "damned if you do, damned if you don't" mentality of so many. Fortunately, even more seem to ask what they can do to help rather than stand back and pour more kerosene on the fire.

    HTH,

    planetscape
      for notifying all users
      Is that a typo? Tye indicated he is still working on notifying the users who had their respective information published and that while he would like to notify all users that was likely not going to happen.

      Elda Taluta; Sarks Sark; Ark Arks

        Not a typo, though obviously less clear than I'd have preferred. What I was referring to was the notification on the The Monastery Gates that would presumably alert all users visitng the site. Sorry for any confusion.

        HTH,

        planetscape
      Bit of misinformation here. All users were not notified. Therein lies one of the many problems with the admin response.

        Obviously you did not (choose to)? read/understand my clarification. Not misinformation; simply not worded as precisely as I'd have liked. But then, that does not fit the conspiracy theory, does it?

        HTH,

        planetscape
      "Thus far, site admins have been vilified for notifying all users, not notifying any users, notifying only FaceBook users, notifying only users whose e-mails and passwords had been leaked, and on and on."

      You are right -- they should instead be vilified for sweeping this problem under the rug.

Re^3: Status of Recent User Information Leak
by jethro (Monsignor) on Aug 02, 2009 at 16:08 UTC

    Stern advice to immediately change passwords despite persisting ignorance surrounding the circumstances was paramount idiocy. Why give away one perfectly good password, when you could give away two?

    Oh right, passwords are really so expensive that losing two would really put a dent into your pension plan. Where do you buy your passwords?

    But seriously, the reason to change the passwords was to prevent copycats from using the (freshly) published passwords. Sounds sensible to me

    I can understand your anger, but please direct some of that anger to your own "unprofessionality" (if I may reuse your words) to use web passwords also on your personal accounts or your servers. Are you sure your password would have been safe from a dictionary attack? If not, all that checking and changing would have been necessary even if the passwords had been hashed.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://785187]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others wandering the Monastery: (14)
As of 2014-10-20 18:12 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    For retirement, I am banking on:










    Results (86 votes), past polls