
Comment Email I received from Apache (Score 0) 214

I received this from Apache just moments ago. It may clear up some questions. I redacted personal info.

Dear [redacted],

You are receiving this email because you have a login, [redacted], on the Apache JIRA installation, https://issues.apache.org/jira/

On April 6 the issues.apache.org server was hacked. The attackers were able to install a trojan JIRA login screen and later get full root access:

https://blogs.apache.org/infra/entry/apache_org_04_09_2010

We are assuming that the attackers have a copy of the JIRA database, which includes a hash (SHA-512 unsalted) of the password you set when signing up as [redacted] to JIRA. If the password you set was not of great quality (e.g. based on a dictionary word), it should be assumed that the attackers can guess your password from the password hash via brute force.

The upshot is that someone malicious may know both your email address and a password of yours.

This is a problem because many people reuse passwords across online services. If you reuse passwords across systems, we urge you to change your passwords on ALL SYSTEMS that might be using the compromised JIRA password. Prime examples might be gmail or hotmail accounts, online banking sites, or sites known to be related to your email's domain, [redacted].

Naturally we would also like you to reset your JIRA password. That can be done at:

https://issues.apache.org/jira/secure/ChangePassword!default.jspa

We (the Apache JIRA administrators) sincerely apologize for this security breach. If you have any questions, please let us know by email. We are also available on the #asfinfra IRC channel on irc.freenode.net.

Regards,

The Apache Infrastructure Team
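
The storage weakness the notice describes, shown as an added example that is not part of the email or of any Apache code: with unsalted SHA-512, one hash per dictionary word can be compared against every account at once, while a per-user salt with a slow KDF removes that shortcut. The account names, passwords, word list and the PBKDF2 parameters are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample data: account names and passwords are invented.
ACCOUNTS = {"alice": "sunshine", "bob": "sunshine", "carol": "T7#qLw9!vRz2"}
WORDLIST = ["password", "dragon", "sunshine", "letmein"]  # tiny stand-in dictionary


def unsalted_sha512(password: str) -> str:
    """Storage scheme named in the notice: one fast hash, no salt."""
    return hashlib.sha512(password.encode()).hexdigest()


def salted_pbkdf2(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Hardened alternative (an assumption, not from the notice): salt plus slow KDF."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)


def audit_unsalted(table: dict, words: list) -> dict:
    """Password audit: each word is hashed once and matched against all accounts."""
    lookup = {unsalted_sha512(w): w for w in words}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


def verify_salted(record: tuple, candidate: str) -> bool:
    """Checking one guess costs a full KDF run for each individual account."""
    salt, stored = record
    return hmac.compare_digest(stored, salted_pbkdf2(candidate, salt))


# Unsalted table: equal passwords produce equal hashes, visible to anyone with the dump.
unsalted_table = {u: unsalted_sha512(p) for u, p in ACCOUNTS.items()}

# Salted table: every account gets its own random salt, so equal passwords differ.
salted_table = {}
for user, pw in ACCOUNTS.items():
    salt = os.urandom(16)
    salted_table[user] = (salt, salted_pbkdf2(pw, salt))

weak = audit_unsalted(unsalted_table, WORDLIST)
```
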

Digital

Submission + - ACS:Law threaten Slyck.com with libel - Wank plan (slyck.com) 1

An anonymous reader writes: ACS:Law have turned from sending threatening claims to a huge number of people (15000 according to a recent BBC article; http://news.bbc.co.uk/1/hi/technology/8381097.stm) to going after the forum on which many innocent recipients are organising and communicating ways to fight back against the mistaken allegations. ACS:Law have demanded removal of 3 entire threads, totalling over 10000 posts with 11 examples of defamation (see download link in article). All of the examples given are opinion, and many are entirely laughable. How can stating you hope a lawyer 'chokes on his mince pies' be defamation or calling the whole scheme a 'wank plan'?

In doing so ACS:Law have proven they are willing not only to abuse the Copyright, Designs and Patents Act to go after innocent people, they also want to abuse British Libel law against a foreign website to prevent people from even discussing their actions!

The House of Lords has also seen fit to weigh into the debate, as is shown in the Slyck article. Readers might also find the videos of these proceedings of interest — http://www.youtube.com/watch?v=dwKbQVzRHEg.

Music

Submission + - Has Emily Howell passed the Turing Test? (hplusmagazine.com) 1

An anonymous reader writes: "Why not develop music in ways unknown...? If beauty is present, it is present." That's Emily Howell talking — a computer program written in LISP by U.C. Santa Cruz professor David Cope. (While Cope insists he's a music professor first, "he manages to leverage his knowledge of computer science into some highly sophisticated AI programming.") Classical musicians refuse to perform Emily's compositions, and Cope says they believe "the creation of music is innately human, and somehow this computer program was a threat...to that unique human aspect of creation." But Emily raises a disturbing question. With the ability to write music even classical purists can't distinguish from the compositions of humans, has Emily Howell passed the Turing Test? The article includes a sample of her music, as well as her intriguing haiku-like responses to queries. "I am not sad. I am not happy. I am Emily... Life and un-life exist. We coexist."

Security

Submission + - Can an eCommerce Site Without SSL Be Secure? (bsecure.com) 4

Excelcia writes: "I recently decided to try out the SecureSpot feature of my router. I signed up for a trial account, decided I liked it, and was about to submit my payment for the service when I noticed something peculiar. The protocol was http, not https. The little lock icon on my browser was grayed, and the browser's information dialog on the site said in no uncertain terms "your connection to this web site is not encrypted". I went back to the original login page for SecureSpot, and it too seems to lack any indication of SSL. I'm a little worried at this point, as the SecureSpot control panel lets me configure my router. Have my family's privacy settings, and worse, have my router settings and passwords all been sent over the wire in the clear? And what about people's credit card numbers? I examined the page source for each page, and they both seem to use a standard html POST with some JavaScript sanity checks. About the only secure element I can see on either page is the VeriSign gold seal they each sport proclaiming the site secure.

BSecure actually runs the service for D-Link, so I e-mailed both of them. D-Link's reply was a terse "the site is secure and your information will not and has not been exposed." My question simply is, is the site secure? And if it is secure, how are people to know it is if your browser can't tell?"
