Re^2: Status of Recent User Information Leak
by tokpela (Chaplain) on Jul 31, 2009 at 08:18 UTC
And I would like to add my thanks++ as well.
There is a saying "sh*t happens".
But your response is quite impressive and I hold a deep respect for all of the hard work you do in your "spare" time!
Posting as anonymous because I can't log in right now.
I'm furious this site used plaintext passwords. What a??holes even consider launching a basic site, let alone one used by professionals worldwide, storing passwords as plaintext?
Sh*t happens, sure, but setting up the most loyal users to be f*cked is NOT cool.
I sincerely doubt I'll use this kindergarten site again. It was NOT worth the sainthood.
"storing passwords as plaintext?"
Guess what, I just got a password reminder from Mailman, with my password and login in cleartext... *
"let alone one used by professionals worldwide"
And now, dear tr*ll, have a look at this list... 8)
UPDATE:
see Mailman considered harmful
Crosspost: http://www.perl-community.de/bat/poard/thread/13803#ms_123798
(*) for those unaware, even "magic" p*th*n can't reconstruct a securely hashed password into plaintext!
UPDATE2: Should be noted that Mailman explicitly warns at registration against reusing an important password. Thanks Moritz!
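The point made above about hashed versus plaintext storage, as an added example that is not part of the original thread: a constructed user record kept the way a plaintext site (or a Mailman reminder) keeps it, next to a salted PBKDF2 record, with a check of what a stolen row actually gives away. The login, password, and work factor are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample row, as a site that stores plaintext would keep it.
# Whoever steals this row has the password itself, and the site can mail it back.
PLAINTEXT_ROW = {"login": "example_monk", "password": "correct horse battery"}

PBKDF2_ROUNDS = 100_000  # assumed work factor; tune upward for real deployments


def make_record(login, password, salt=None):
    """Store a per-user random salt and a PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"login": login, "salt": salt.hex(), "hash": digest.hex()}


def verify(record, candidate):
    """Re-derive the digest from the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), record["hash"])


def leaks_password(record, password):
    """What a holder of the stolen row learns: does any field contain the password?"""
    return any(password in str(value) for value in record.values())


def reminder_email(record):
    """A Mailman-style 'here is your password' reminder is only possible when the
    row holds the secret itself; with a hash the site can only offer a reset."""
    if "password" in record:
        return f"Your password is: {record['password']}"
    return "Your password is not stored and cannot be sent; use the reset link instead."
```

Because each record gets its own random salt, two users with the same password still end up with different digests, so a leaked table cannot even reveal who shares a password.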
Re^2: Status of Recent User Information Leak
by Anonymous Monk on Jul 31, 2009 at 18:10 UTC
"Thanks to all the gods for the hard to work to handle this breach as gracefully as possible ..."
Um. I do not share such sentiments. Perhaps I am wrong, but it seems to me that the "gods" knew about the password being stored in plain text for a long long time and did nothing to alert us or fix the problem.
So, no. I don't thank them for this at all.
Calling someone with a legitimate grievance a 'troll' simply because they make their point forcefully is simply inaccurate.
I agree that this site is maintained by volunteers. I humbly thank you all for the years of effort that you have donated. I and everyone else here have enjoyed the free ride.
I will point out that "free ride" means a very low expectation level.
But are we not all software developers? Do we not practice what we preach? I do not expect us to provide the same level of service that a bank does - in a way I want MORE - since we are trying to set an example to follow.
But again, 'volunteers' means that I do not get to expect that - as much as I would like it to be so.
However - that the volunteers had the time to modify the voting and experience system but no time for security - is a damned shame.
It is more embarrassing still when I read in TheRegister that maybe people will not trust perl as much because of this.
That strikes me as a larger problem.
So has anyone volunteered their time to work on security & fix the barn doors after the horses have eaten our children?
Wait! This isn't a Parachute, this is a Backpack!
Everyone who bothered to find out knew it was stored as plaintext, no claims were ever made to the contrary.
Fixing this was in the TODO...
I still thank them, they're volunteers
Kind of like how the hackers bothered to look into it?? This apologist attitude is tiring and counter-productive. Thank the people for the great volunteer work they have done and are still doing, but please don't apologize for the glaring oversights that also occurred. I mean, what are we, some large corporation concerned more about covering things up and figuring out how best to spin this?? I'm not sure what the beverage of choice is for Perl programmers, but I'm pretty sure it's not Kool-Aid!!
Elda Taluta; Sarks Sark; Ark Arks
Re^2: Status of Recent User Information Leak
by bigiain (Initiate) on Jul 31, 2009 at 23:51 UTC
FWIW, I'm reasonably sure my password stolen from here was just used to spam from my twitter account (iq tests and acai berry weightloss spam, in case anyone's interested.)
big
Re^2: Status of Recent User Information Leak
by jnbek (Scribe) on Aug 03, 2009 at 15:03 UTC
While I'm not thrilled to know passwords were stored as plain text, I believe that this is quite excusable, and quite forgiven in my book. Good job of handling the issue, and thanks for your honesty and not pointing blame anywhere, but instead just working to solve the issue once and for all.
Just because a good job was done of handling the issue does not equate to forgiveness in many of our books. No one is looking to punish anyone, so please stop being apologists and always remember that the volunteers chose to update the experience and voting system rather than protect the privacy of the users.
Volunteers can do whatever the fsck they want. They're volunteers. I for one welcome our new volunteer overlords.
Your position amounts to: Since no one had the tuits to make difficult but minor fixes to the passwords which would not have protected user emails or such at all in this recent breach, I don't want any new features.
OK, understood. So then, what caused the site volunteers to update the experience and voting system rather than protect the privacy of the users? While I haven't spoken to any of them about this, my sense is that, like most things, the experience and voting system are very visible to the end users, while the fact that passwords were stored in plaintext was not. I would venture a guess that, had enough of the monks complained about the passwords when the folks were considering whether to update the experience and voting system or go to a different password storage system, they would have chosen to work on the passwords. That's just conjecture on my part, though. Updated to change "That begs the question" to "So then" to make Anonymous Monk feel better.