Slashdot Database Compromised!

Today the the Slashdot database was compromised by 2 hackers from the Netherlands. !(Nohican && {}) They secured the hole and send an email to the admins, they even should be reading it now. Update: 09/29 11:04 PM by michael : We know about it, blah-blah-blah. Don't email us. I think it's safe to say that whatever happened, you'll hear the full details soon enough. Thanks.

Re:Precisely.

[fluxrad]

ah, but for the boys on slashdot, someone is trying to break into their home at least every couple of minutes.

Personally, if someone was doing this to my house, and another individual came along, fixed the poor lock (or in this case, an open door) and left me a note stating the above...i would be grateful. This is not to say that i believe it's ok for people to attempt to break in to my, or anyone else's house. But do you honestly think we should villify the hackers in this instance?


FluX
After 16 years, MTV has finally completed its deevolution into the shiny things network

Re:"fixed" Slashdot?

[Ollinghhajuilo]

I hope by "fixed" you also mean, "deleted Jon Katz's account."

He's a hole allright. "Security Hole" isn't the first hole that comes to mind though.

Clear Text or Two-Way Encryption

[Rahoule]

I would hope that /. boys coded the whole database so that passwords were one-way encrypted. Then it would be that much of an issue to change your password.

They aren't. If you forget your password, Slashdot will mail it to you (the "mailpasswd" button on /users.pl when you're logged out). Slashdot emails you your password, in clear text. So, even if the passwords are encrypted, they can be decrypted. How else would Slashdot be able to tell you your password?

Re:That is rather funny...

[_vapor]

It would be, if they weren't lying. Apparently, /. admins never got any such email. So let's not pat these guys on the back just yet. They may have been benign, but we don't know just yet.

Re:Best article all day

[Tairan]

Of the day? This could be the best article I have seen in months! I liked it so much, I had to immediately stop playing Diablo2 (I was in the middle of killing Mephisto) to come read everything. Imagine Taco's face when he gets a call from VA tomorrow..Someone is going to have a long weekend.

Re:Stupid Crackers

[itachi]

No, the rfc1918 are non-routed addresses, but they aren't specifically localhost like 127. Now if someone is in a network where rfc1918 addresses are in use up to the point of contact with the outside world, then you might get them. Or _something_ on their network... If they aren't on a rfc1918 network, it'll probably get dropped at the first router, and definitely get dropped at the first well admined router.

itachi

133t ru//\0rz d3pt

[ackthpt]

They hacked Rob Malda's password, which just so happens to be WUMPUS, but don't tell anybody, it's a secret!


--
Chief Frog Inspector

Re:The hacker formerly known as {} ?

[Frank van Vliet]

as Frank

-{}

Re:So, is this the downside to open source?

[sampowers]

No, in fact, this is the whole point. They found a bug in slashcode, they sent the fix to the right people. We're lucky that they posted this, and why? Because now it's fixed, and can't happen again, and it's causing discussion on the subject.
Good Thing. :-)

Re:The hacker formerly known as {} ?

[nohican]

I pronounce it as "bracketbracket" :) - Nohican

Re:paranoia

[matman]

never did I say that I used the same passwords, I however do realize that other people do.

/. hacked? "nohican", huh?

[talks_to_birds]

Hmm.. Can't be too many "nohican's" around, can there?

Let's see what WebFerret [ferretsoft.com] (The only way to search the Web!) makes of "nohican"..

[time passes..]

Ha!

1. http://www.hideaway.net/vuln-dev/j uly /66.html [hideaway.net]

nohican@MARCELLA.NIETS.ORG

Kind Regards,
Joost Pol aka Nohican
Root66

2. http://www.voy.com/5188/1/52.html [voy.com]

mailto:nohican@niets.org

Joost Pol
IRIS International

3. http://archive s.n eohapsis.com/archives/vuln-dev/2000-q2/0453.html [neohapsis.com]

Subject: Re: The Million Dollar Solution (NOT?)
From: Nohican (nohican@NIETS.ORG)
Date: Sat May 06 2000 - 20:20:55 CDT

Anybody want to drop the joker a line?

ps: read his posts; I think from the context, and from the fact that this is the only "nohican" that came back, that...

...oh, let's not jump to any conclusions!

t_t_b
--
I think not; therefore I ain't®

Re:full disclosure

[Performer Guy]

/. didn't mention it.

The article was posted by the hackers, that's the whole point.

They did it to up their Karma

[slag187]

You know that's why they cracked the DB, so they could post with +1 for everything.

Maybe that ought to be a rule - anyone that cracks the DB and does no damage gets automatic GOD karma rating. :)

Other harmless hacking

[CaptainBloodLoss]

Relating to this event: A few weeks ago, I took advantage of my friend's ignorance and used ftp to place a simple perl script into his box via the internet. Then, using telnet (yet another service he has enabled!) I executed the script. This script basically repeated these commands: "eject /dev/hdc" and "eject -t /dev/hdc", thus causing his cdrom drive to continously open and close. A few seconds later, after logging out of the telnet session, I received a phone call.

What did they get?

[Fervent]

So what did they get? A bunch of passwords and email addresses for a message board site? Doesn't seem like a majorly important hack.

If they were able to hack, say, Mastercard I'd be impressed (and very scared).

[no subject]

[Orgasmatron]

This story has the potential to draw the most comments ever. I'm doing my part, have you?

Re:Info!

[ryanr]

Nope. When an exploit is being actively used, you publish details immediately. Especially in this case, where the code can be patched by the end users themselves. (this all assume it's a hole in the slash code of course, and not some other problem.)

Bummer Man

[Korgan]

Reading through the posts is kind of funny. Half the people are freaking out... "OH MY GOD! /. HAS BEEN HACKED!!!" and the other half are going "Phhhft... Yeah right..".

Whats the worst that can come of a successful hack against the /. database? A password leak, a few karma points added/deleted, a few posts getting majored?

Guys and girls, if you use the same password on /. that you use on other services around the internet, then you're begging for trouble. It doesn't matter if its /. or any other service, you should always use a different password for each. As inconvenient as it is, its the only real way of being secure. There are plenty of programs out there that will let you mantain a "secure" database of all your usernames/passwords if you really think you're going to have a hassle remembering them all. Just search zdnet or any of the other major shareware/freeware sites. Admittedly most of them are Win32 based, but using things like wine [winehq.com] you can usually get around that problem.

The biggest issue is the possibility of the articles being tampered with. I don't know what else is done on the box that hosts slashdot, but if the usual rules are applied, the database should be secure on a seperate machine to the web server.

This is a blessing more than it is a curse. The great wonders of opensource have shown us that even the mighty /. has an exploit in it now and then. I wonder if this would've been made so public if the slashcode wasn't opensource. As it stands, the flaw has been located and supposedly fixed.

Oh well, could be worse I guess. ;) At least they didn't deface the site or destroy the database or any other number of things that could've been done.

<panic>OH MY GOD!!!!!!!!!!! SLASHDOT HAS BEEN HACKED!!!!!!!!!!!!!</panic>

Great, I better call my broker

[Tairan]

Time to sell off that VA/Andover stock. "How low can ya go?" Dang, too bad the market is closed. Taco is going to have a really bad day tomorrow~

Re:Perhaps they have tripwire running

[matman]

Tripwire is good for identifying a breakin. However, to rely on it is dangerous. The most secure way of checking is to take the drive out of the box that's using the drive, install it in another box that's standalone, mount it, run tripwire, and write the file to CD/readonly floppy. Then you've gota do it every time that you want to check. But things can get complicated as a hacker could put things in a home dir, or some other writable part of the filesystem that wont get checked by tripwire since that stuff changes so often. It's brutal. Tripwire is good for identifying change, but not so great for making sure that there are no reminants. There's always room for error. Better safe than sorry.

Re:It was me!

[ackthpt]

Wasn't you, was them dutch guys, y'know, the two guys in Rotterdam, to whom Bill Clinton outsourced the entire NSA? Yeah, Rob was fiddling with a new game SimCarnivore, which looked innocent enough, and it faked an AIM note that there was a new submission 'Microsoft Merges with Island of Guam, World Stunned', y'know? So anyway, like he gets this fake Mozilla popping up and he logs in and it emails his password back to these guys, just before Rob gets Segfault (core dumped) to cover the tracks. Good thing we have a budget surplus, maybe we can buy back the NSA© from those guys and outsource to someone less mischevious, such as these guys [ifilm.com]


--
Chief Frog Inspector

Re:paranoia

[matman]

You may know the guy, but I doubt that the slashdot admins do... I doubt that they know you either. A tiny bit of trust is not something to risk a business on :) Thats the thing about hacking. Even if you hack in, but dont even touch a thing, the admin still has to wipe the box and start over, because if they don't, there is not PROOF that the hacker didnt touch anything.

Re:Why the new account #'s?

[Frank van Vliet]

We have older accounts, does that matter?

-{}

This should be what the hackers should do.

[Calyth]

It's great that these hackers (i shouldn't use crackers because they fixed up the hole) exploited and sealed the compromise. In computing Utopia, all hackers should do this, then we won't have security compromises. Thumbs up for those 2.

Re:Assuming that the story is true.....

[Performer Guy]

No they are bad, the whole point is that now VA needs to check the servers and maybe everything else behind the firewall. That's a drain on resources whichver way you look at it.

There's no such thing as a friendly hack.

don't trust a netherlander

[AvarAz]

This is another fine example of how we should never trust people from the Netherlands. First they bomb Pearl Harbor and now this. You know, there's a secret organization of of prominant leaders and buisnessmen from around the world who are secretly Netherlanders trying to take over the world. It starts with Slashdot. You'll see. This is just the beginning. They're just playing with us right now! You'll be sorry when the Netherlanders attack us again, oh yes, you will...

It has to be fun to be able to..

[Tairan]

browse through all the 50K users, and look at their passwords. It's got to be hilarious to comment on some of them. "CmdrTaco's password is 'secret?' Timothy's is 'gunsaregood'? Hemos's is 'ohgodmywifeisugly'JonKatz is 'pitythefoolwhoreadsmywritings.' I would love to see a copy of the database, not to do anything with other than run a few things against it and see what the most common / longest / hardest / shortest password is.

In other ramblings of my mind, our friends in the server room should make a mandatory password change. It is always good practice

Best article all day

[geoffeg]

The funny part (ok, this whole thing is funny) about this article is that its the best article that I've seen all day...

IMHO,
Geoff

How can you restore without losing recent data?

[xdc]

If you're hacked, the only ways to know that no trojans are around are to wipe clean and start over

This sounds like good advice, but I have a question. Is there a way to cleanly rebuild the site without losing the most recent posts, stories, account updates, and such? I am especially interested in solutions that would minimize or eliminate downtime on such a dynamic site.

Any loss (especially of stories and comments) would be highly undesirable for a site such as Slashdot, imho. Then there are even more important systems, such as those that handle financial transactions, in which it is probably mission-critical to not lose any information in the event of a crash or a crack. What methods do database administrators employ for recovery in such situations?

Ignorance is curable. I want to learn. Thanks in advance. :)

Re:It has to be fun to be able to..

[burris]

I haven't looked at the Slashcode, but I would be shocked if it kept passwords in the clear. There's no excuse for not running the passwords through a strong one-way hash w/salt before storing them.

Burris

nonsense

[the gnat]

Maturity? Obviously you've missed the point of this story, but in any case you seem to have odd delusions about personal property and information security. Regardless of whether the powers that be need to audit their code better, the fact that the site could be cracked in no way justifies the actions of the childish losers who went ahead and broke in. I'll avoid the tortured analogies to an unlocked house, but I certainly expect that polite users will stay the fuck away from my machines, whether or not I overlooked the buffer-overflow-du-jour. I wouldn't for a moment trust any asshole who ended up with a root prompt on a system I use or run without authorization.

I agree with earlier posters that the second-rate pieces of shit that did this shouldn't be sued or legally harassed- have their parents spank them and send them to bed early without dessert. But it's hard to imagine these vandals serving any more useful purpose than as a focus for the contempt of their middle-school classmates.

Re:They did it to up their Karma

[grappler]

no grasshopper, you need to think big!

+2 for everything AND infinite mod points.

Re:How can you restore without losing recent data?

[matman]

Well, I'm not a security/software engineer (yet) but I would think that by keeping the data, seperate from the other parts of the site - as in on another box. The data IN a database should be treated as data, and as long as it is treated as such, it wont be executed, and it shouldnt be able to open any doors. So, they should be able to keep the hacked box up as read only, dump the database, move it to a fresh box with the fix on it, and load the data, start it up and they should be alright. Of course we dont know the specific attack, so maybe I'm looking at this from the wrong way - but it sounds as if someone hacked the database and got access to it so that they could post a story. At this point there's no indication of getting outside of the database and onto the system, in which case there's less need to fully reinstall. Again, I'm no expert, and there's hardly enough info out to make an educated guess.

I can see it now...

[MousePotato]

On E-Bay:For sale ANY /. user account you want. Who needs to purchase a high karma account when you can just buy your enemies accounts and trash thier karma, reputation/image? That's right! Step right up boys and girls. 5r1p7 k1dd135 Inc. will for a limited time only give you access to any account you desire and you may trash away at will:) Call 1-800-urh4x0r3d in the next sixty seconds and we will even throw in a snippet of code that will gaurantee you the same access to any slash based site. Wait! Theres more! mention OpenSource and we will even throw in a free kernel upgrade and the link to the actual HOW-TO's will also be yours! Here's the best part!!! If you call and say CmdrTaco sent you we will even throw in his account and all the censoring powers that come with it. Imagine, you and your friends can kill off quickies and JonKatz with a single click(TM).
Note to self: IF s/N ratio>=facts(old news + /. $authors)

Don't they deserve a reward?

[Joe Groff]

CmdrTaco should send these guys a couple of "I HAX0RD SLASHDOT" T-shirts.

I kind of think they blew a great opportunity though; imagine the chaos that would ensue if they inserted a story titled "Linux 2.4 Released!" with a link to goatse.cx cleverly hidden as a link to kernel.org...

- Joe

Re:Clear Text or Two-Way Encryption

[Tower]

The passwords are clear-text in the db. You can check out slashcode for the details. Real basic stuff...
--

Re:Info!

[pb]

Wait up, man...

Maybe some other sites running the Slash code would like five minutes or so to secure their sites before everyone else in the world knows about it?

Or rather, let's make sure everyone's got the fixes before we go passing around the exploits, ok?
---
pb Reply or e-mail; don't vaguely moderate [ncsu.edu].

Cmdrtaco

[Signal 11]

We know taco's account wasn't hacked.. he's still making typos...

--

Re:Finally!

[Anonymous Coward]

I would expect that actions like this occur fairly often, however: If this had been a 'secure' e-commerce web site, would they have posted this at all? No way! They would have hid it at best, and tried to sue the 'hackers' at worst. I did something similar (No, I'm not a cracker, and I can't 'hack' web servers, I just noticed a gaping hole) for a company I used to work for, and I didn't even get a 'thank you' from the company. Do you think this company told their customers? Yeah right. That incident, like probably thousands upon thousands of others, was pushed under the rug, hopefully to be forgotten.

Re:Classic

[enneff]

We have to learn about zillions of little countries.

Whereas we foreigners automatically know them all by heart. I am constantly astounded by North American ignorance.

Re:this is cool

[edibleplastic]

I'm sorry, but this is the kind of romantic BS that seems to cloud the open-source community. According to you, these guys are cool because they're so friendly and helpful. Yeaaaaa! Let's live in a world where everybody looks out for his neighbor, people leaving cute little notes on each other's web sites: "Excuse me, I noticed a little hole in your site, so I decided to come on over and board it up... for free! Have a nice day!"

Yes, this is most likely the best way to find and fix security problems, but we have to be *very* careful about attitudes such as the one you're proposing. What would have happened had Slashdot carried our credit card numbers as well? Would we be as happy that some people were poking around the website? According to the attitude you're suggesting, the answer would be a resounding YES! YES, because there could be other people out there who are malicious and if the hole didn't get fixed this way it could have turned out to be much worse if other people had found it. But the fact of the matter is that unauthorized hacking is wrong whenever it is committed. A blind faith in white hat hackers is very dangerous because there is no telling what their motivations are, no matter what they say. How in the world do you know that they didn't take CmdrTaco's passwords? If /. had credit cards, how do you know none had been taken? Because they told us about the security hole? That is not enough proof. Hell, the best way to commit a crime would be to hack in, steal a few things, and then report the problem. And they would be held up as heros, not hackers because "luckily, the boys at slashdot "get it""

Property is property, period. Just because this is IP, and just because it is on the Internet does *not* make it any different.

That is rather funny...

[Ron Harwood]

... you have to admit that this is a classy white-hat hacker way of posting about it...

Re:sophisticate!

[Yamao]

Actually, "spelt" is perfectly correct and current English, outside of the United States - along with "tyre," "colour," and "homogenise." Have a look at Merriam Webster's Dictionary site [m-w.com].

Those darn Americans. But the United States is so big! How can it NOT be the entire universe?

Re:Assuming that the story is true.....

[jmegq]

... now VA needs to check the servers and maybe everything else behind the firewall. That's a drain on resources whichever way you look at it.

I think that's true regardless of whether there are any visible hacks to the site. Even if they had just emailed the slashdot crew a patch saying "this is broken and allows an exploit", slashdot or VA would still have to check the servers and maybe everything else on the possibility that someone has used the exploit. It doesn't make good security sense to say "well, I don't see any hacks even though there's this exploit, therefore I wasn't hacked into" -- especially on such a high-profile site.

This has fun implications for when you upgrade an OS (or anything else) to patch a security hole; if you're really security conscious, you have to do some risk analysis to decide whether to react as if someone has used the hole already to backdoor your system.

Finally!

[TDSObeseWhale]

It's actions such as this that should show the press and the general public that hackers aren't the out-to-get you script kiddie types they are stereotyped as...

Re:Assuming that the story is true.....

[Fist Prost]

There's no such thing as a friendly hack.

Let's see, a still-working site, or
#
#w00t
w00t- not found
#rm -rf /home/
#rm -rf /var/MySQL/

Of course that's overly simplistic, but think about it. Even if the person found the security hole, and sent in a a patch privately, who's to say the discoverer or someone else hasn't already been quitely exploiting it? Of course now that an exploit has been found (and assuming they DID get the email), There still exists an exploit.

They'll still have to check and make sure that's what really happened, examine their entire system and probably do a whole lot of reinstalling, but that's what happens. I would hope they'd be doing that anyway if someone turned in an exploit+patch.

Which also brings up another point. This site in particular seems to have an inordinate amount of content being passed back and forth that is simply incredulous. How many times a week must Rob &Co. get email to the effect of "3y3 0VVn Jo0!"? How do you know when someone is serious? When the hacker posts a story about it, of course! I'd say this is probably the best (if not funniest) way to let everyone know at once. BTW I do feel sorry for the crew up there having all the shit to go through that they must right now.

One question I do want to see answered, even before the how-to on the crack...EXactly what DID they put in the 1rst post that got it deleted so quickly? Remember that The policy on /. is no to delete posts unless there's something messing with the page display, was it that infamous hello.jpg, or worse?

Fist Prost

"We're talking about a planet of helpdesks."

Tomorrow's date

[jesser]

Something else uses tomorrow's date.

Update: 09/29 11:04 PM by michael: We know about it, blah-blah-blah. Don't email us. I think it's safe to say that whatever happened, you'll hear the full details soon enough. Thanks.

--

Re:paranoia

[Fist Prost]

At least they didn't post a who's who by seeing which accounts passwords all matched, eh? Could be pretty embarrassing to some of those who have special "blow off steam" accounts.

Sincerely,
Bruce Perens*

*Joke, get it? Joke.

Fist Prost

"We're talking about a planet of helpdesks."

Hehe

[|DaBuzz|]

Hahahaha, not even Taco has grammar that bad!

Re:/. hacked? "nohican", huh?

[talks_to_birds]

Domain Name.......... niets.org

Registration Date.... 2000-02-21
Expiry Date.......... 2002-02-21
Organisation Name.... Root66
Organisation Address. irc.xs4all.nl
Organisation Address.
Organisation Address. Utopia
Organisation Address. N/A
Organisation Address. N/A
Organisation Address. NETHERLANDS

Admin Name........... Joost Pol

Admin Address........ irc.xs4all.nl

Admin Address........
Admin Address........ Utopia
Admin Address........ N/A
Admin Address........ N/A
Admin Address........ NETHERLANDS
Admin Email.......... mohican@poxz.net
Admin Phone.......... +310628887995
Admin Fax............

Tech Name............ Domain Administrator

Tech Address......... 2261 Morello Avenue, Suite C

Tech Address.........
Tech Address......... Pleasant Hill
Tech Address......... 94523
Tech Address......... California
Tech Address......... UNITED STATES
Tech Email........... hostmaster@alldomains.com
Tech Phone........... 1 925 685 9600
Tech Fax............. 1 925 685 9620
Name Server.......... ns1.netcorps.com
Name Server.......... ns2.netcorps.com

Of course, it all means nothing, I'm sure.

Surely a case of mistaken identity..

t_t_b
--
I think not; therefore I ain't®

BFD

[mikpos]

Even if you *haven't* been compromised, the only way to know no trojans, etc. are installed is to do a fresh install. Just have a little faith, man.

Good, bad, no difference

[slashdot-me]

Since the slash crew doesn't know these guys personally they'll have to do a tape restore anyway. Right?

Ryan

Re:They did it to up their Karma

[Felinoid]

Part of the bug fix adds a secret flag that gives the person automatic +5 with moderation cancling on all posts

Re:

[account_deleted]

Comment removed based on user account deletion

full disclosure

[Evro]

Yay, congratulations for having the balls to mention it!

__________________________________________________ ___

Just freaking fantastic

[Mtgman]

Now I have to go and change the email address I signed up with, my passwords and make sure my karma is the same...Oh wait, I signed up with a spam hole email account that I only checked once to get my password, kept the generated password they issued me so I don't have conflicts with this password and any other systems and I don't give a damn about karma.

Way to go guys! You guys are 31337! (notice the 3 at the beginning, I may speak lamerese, but that doesn't mean I can't speak proper lamerese) It's pretty damn funny to hack /. post a story, fix the hole, and then let the admins know about it. I just hope it doesn't come out later that you guys did something more, that would really undermine a lot of the white hats efforts.

Steven

Re:better watch out

[mazur]

Better watch out. US law reaches to the Netherlands.

Luckily, this isn't so, as the CoS found out.

But really, you can't blame the guys, it's in our blood: when we see a hole we plug it, for safety's sake. It's what comes from living in a country two-thirds of which are below sealevel. Plug first, then think. And, maybe, pray.

Stefan.
It takes a lot of brains to enjoy satire, humor and wit-

Re:this is cool

[jmegq]

I don't think anyone's particularly happy that people are poking around their websites. However, if a stranger comes by and leaves a note that says "your front door was open", that is more helpful than nothing.

Of *course* you still have to do a risk assessment and decide if you might have been robbed while the door was open, possibly by the person leaving the note. That's true of the real-life front door to your house as well as a web site.

The person leaving the note has done two things for you, though: alerted you (and possibly others who visit your house while you're out) that there may have been a problem; and helped reduce the window of exposure to the threat. You do *not* get to conclude that therefore there was no exploit, in part because you don't know how long your front door has been sitting open.

Your IP/property comment strikes me as a non-sequitir; there is nothing wrong with leaving a note on someone's door in real life, so by your argument it should be fine to leave a note on someone's door on the internet.

I may have missed your point, though; if you're instead making an argument that "seeing an open vunerability on a web site is inherently *different* than seeing that someone's door is open in real life, and we should close our eyes on the internet lest we see open doors", well, I disagree. But it would make for a good discussion :)

Re:Please explain this to me

[BluBrick]

Who is

they? What is it? Why is the word even there?

Try reading the story out loud in a Dutch accent. (That is a serious suggestion.) You'll find that poor grammar is much more acceptable when spoken in a foreign accent than when read without the benefit of accent and emphasis.

If that doesn't help, carve the following sentence into one side of a length of 2" x 4" timber and beat yourself over the head with it until you understand.

English is not everyone's native language.

slahsdot.org

[Barbarian]

you were probably at http://slahsdot.org [slahsdot.org]

--

They Weren't Hackers

[kingkai27]

I don't know who penetrated the system, but it couldn't have been hackers.
Hackers only DOS and Nuke people.
Good luck with finding the real person who did it.
Rock 'n Roll, Not Pop 'n Soul

What the hell is a LART?

[Barbarian]

For the benefit of those of us who don't read news.admin.net-abuse.misc every day, please explain the acronym LART.

--

Gold medals at swimming and now this...

[ackthpt]

I'm so proud of the 5/16 of me which is dutch!

Ok, fun's over, guys, gimme back my Karma point! I was saving them up to buy a CowboyNeal doll for my dog for Christmas.


--
Chief Frog Inspector

Re:paranoia

[sulli]

Really you need to do a cold boot. Does Slashdot have that little Reset button you can press with the end of a pen?

First 0\/\/|\|

[Zico]

Heh, actually, this isn't the first time. Other oldbies might remember when Slashdot was hacked into back in 1998. (Story: http://slashdot.org/articles /98 /09/14/1949212.shtml [slashdot.org])

Cheers,

Re:Info!

[Kwikymart]

In this situation, I think it would be better just to release an update to slashcode to fix the problem in a day or two, rather than tell everyone now. I think this would be better for a couple of reasons:

(this is assuming it is a slashcode hole)

1) Because this is not a hole that everyone knows how to exploit, so if its more secretive it will give time for everyone to upgrade. The hackers seemed nice about their hack; so its better to trust them with the power to take down all the systems running slashcode for a long period of time than it would be to give the power to a huge group of people for a short time.

2) Say if it was a hole in apache for example, its better to tell everyone about it because obviously a few crackers/hackers allready know about it. We wouldn't know how honest these hackers would be with the power, so its safer to eliminate it asap. In this situation with the hack of slashdot, I think we can trust them.

3) Not everyone will be able to patch their own slashcode so it leaves the newbies with the soap dropped in the showers of a maximum security prison.

parsing Katz

[extra88]

I'm sure you meant JonKatz's password as "pity the fool who reads my writings" but it also works as "pity, the fool whore ads my writings."

Re:paranoia

[ChadN]

If you use the same passwords for slashdot as you do for other systems, change them.

Does Slashdot store your password in plaintext, or is it hashed using a salt? If the latter, you have a lot less to worry about (assuming a decent hash; MD5 should be fine) Can anyone who has checked the slashcode comment on this? Otherwise, I'll be forced to look it up, and I hate perl. :)

"fixed" Slashdot?

[spam-o-tron mk1]

I hope by "fixed" you also mean, "deleted Jon Katz's account."

Bruce

Dear God WHY!?!

[Mtgman]

This has to be a white hat effort. Think about it, what information which could net a profit for the hackers does the /. database contain? A bunch of email addresses. Of these addresses, most are either spam holes or the addresses of geeks who are typically violently anti-spam. If someone sold this email address list the buyer would get LARTed by about 98% of the active account holders. And even of the 2% that wouldn't LART the spammer, how many do you think would take more than a passing glance at the spam? 0.000000000000000069% give or take JonKatz.

Even more damming, can you imagine the type of colossal idiot it would take to buy a list of email addresses which is about 90% geeks? "Hmm, should I buy the addresses of wealthy known philanthropists? Or should I target my spam towards a known group of spam-hating technophiles? I'll take the /. list!"

Steven

Re:paranoia

[ndfa]

thank you... that was soo needed.. you beat me to the punch... hahahaha...
BTW not a dumb joke..

Re:it's not that cool

[interiot]

If there's a very large visible car whose popularity is partly staked on being locked, then it's in a different class from some Anonymous Coward's car. Malicious people are much more likely to target the big car, and the people in the big car generally think they're safe, so it's nice if someone informs them that they're less secure than they thought (thinking you're 98% secure but really being 80% secure is much worse than just being 80% secure).
--

Re:What the hell is a LART?

[buysse]

(L)user Attitude Readjustment Tool.

Re:paranoia

[VenTatsu]

12345! now I have to change the compination on all my luggage.

sorry, it begged for the propper reply.

Re:Info!

[TrevorB]

Okay, so you've hacked Slashdot, fixed the security hole and pulled a classic white hat move which will live in infamy.

What are you going to do now?

We're going to DISNEYLAND!!!

Re:"fixed" Slashdot?

[jd]

That wouldn't be "fixed", that would be mercy.

Re:Stupid Crackers

[Robert S Gormley]

Better: ftp.linuxwarez.org was registered as 127.54.86.26 (random last three octets, but you get the idea) - it passes quick inspection much more easily

Ask Slashdot

[fader]

It will be interesting to see the /. crew's reaction to this... how 'bout it, Taco, Hemos, et al? :)

err...

[Li0n]

I don't think they actually store the /. user account passwords in /etc/passwd

~
~

Re:it's not that cool

[jesterzog]

I don't think anyone's particularly happy that people are poking around their websites. However, if a stranger comes by and leaves a note that says "your front door was open", that is more helpful than nothing.

I know what you're getting at and sometimes I do feel that way. Also though, I think it can be a very gray area and IMHO it's risky the way you're going with it.

I'll use the car-in-the-parking-lot scenario. Would I mind someone leaving a note on my car if they noticed one of the doors was unlocked? Within reason, probably not. But do I think people have the right to walk around the parking lot trying to open car doors, just to see which ones aren't locked? Of course not.

There are metaphors everywhere. I can encrypt my email to prevent people reading it. Do I want anonymous strangers to try to decrypt it as long as they promise not to read it? Not really. If I say I don't mind, it gives anyone who wants to break it an easy back-door out of being prosecuted. Imagine what it would be like if govco could get away with saying "we were only trying to show you that your cryptography was faulty. Oh and by the way, we stumbled on this evidence which we're going to use against you.". It always starts with small things, and I can't see why it wouldn't lead to that.

Obviously I'd like to know if anyone stumbles on a way in accidently or sees something by chance, but I'd like to arrange for it to be tested on my own, thank you.

So I guess my point is that if it's ethically okay to try to crack websites etc in the interests of improving security, it suddenly makes it ethically okay to crack them. As long as someone hasn't actually stolen the credit card numbers yet, it makes it okay.

Sure some crackers mean well, but it shouldn't be an excuse to let them off. If they really want to test a site that way they should ask permission first. Let sites decide whether they want everyone trying to break them or not. Most of them will say no, and at that point, what right does anyone else have to force their "better" opinion on another person or company regardless? I've had enough of that from govco and I don't want to start getting it from random unidentified script kiddies.

===

Info!

[Skyshadow]

Okay, so you've hacked Slashdot, fixed the security hole and pulled a classic white hat move which will live in infamy.

So, let's hear some details. Howdya do it? Remember, we're techies and not magicians; we can reveal our secrets.

----

this is cool

[fluxrad]

i think something like this truly embodies the hacker ethic (yes, we're talking about the one you hear about in the news :(

Technically, you could sue these guys and have them thrown in prison (with certain international legal asumptions). Luckily, the boys at slashdot "get it." - This is truly the open source of cracking. Finding a problem and making fixing it. I feel like there should be a sign on the front porch of the internet that says "Please leave this place tidier than you found it"


FluX
After 16 years, MTV has finally completed its deevolution into the shiny things network

paranoia

[matman]

They claim to be good guys, but there's no proof of it. If you use the same passwords for slashdot as you do for other systems, change them. I realize that it's unlikely that any hacker would pick you out of the hundreds of thousands of accounts on slashdot, but they might. I hope that the admins have stuck a fresh slashdot up online (new box, new install, installed patch for the problem, etc) or are doing that now. If you're hacked, the only ways to know that no trojans are around are to wipe clean and start over, or make sure that you were running the box off of a cdrom disk and you've replaced writable areas. Even doing file digest scans are not trickyness-proof.

Full disclosure?

[psychosis]

Just curious if we'll have a report on what happened and how it was done after everything is cleaned up. With slash being full-open-source, it would be a good way to educate the community.
Not that I think we should expect something in the next hour or anything, but in a week or so, maybe...

Refund!!!

[www.sorehands.com]

Ok, you promised to keep all my private stuff secret.

I want my membership money returned. Actually, make it 5X my membership fee. What's 5 x $0.00???

This Post May Spontaneously Combust

[gunner800]

Well, I've been a little worried for awhile about the generally poor quality of stories on Slashdot. But finally, something worth reading about.


My mom is not a Karma whore!

Rebuild

[Malc]

So, does that mean /. is going to be rebuilt from a known backup? What do companies normally do? This could be a pretty good scam: pretend to be open about what happened so that /. isn't rebuilt, but really set themselves up for something more malicious.

I hope they fixed Slashdot!

[quickquack]

Maybe in their quest to l33t-dom, they fixed the obvious bug in Slash. Here's the rogue code:

while(1) { if($c%2==1) { post_article("Cease and Desist Letter to %s","UPCDatabase.com || F---edcompany.com || Napster || FlyingButtMonkeys"); } else { post_article("%s Sues %s for %s","MPAA || RIAA || D:C, FlyingButtMonkeys || Microsoft || 2600, MP3s, DeCSS, CueCat Decoder"); } ++$c; }

I'm surprised no one has caught it yet; it's a pretty big mistake.

#disclaimer.h
I like the MPAA/RIAA/Napster/DeCSS/CueCat/FBM/MP3 stories. I just thought it's fun to get some karma, too.
------------

Hackers Crack Slashdot Database, D.C. files Suit

[Greyfox]

The hackers who cracked Slashdot's database today got a Cease and Desist letter from Digital Convergence's lawyers at Kenyon and Kenyon. Citing a violation of Digital Convergence Intellectual Property, they demanded that the hackers cease and desist at once. Stated James Rosini, "Slashdot is written in perl, right? Well perl can be used to violate Digital Convergence's Intellectual Property, so Perl is their intellectual property, too." He went on to aside "We're also going to send one to that dipshit Greyfox for taunting us and doing the ``Blow me Dance'' at us."

Nohican and {} were unreachable for comment, and when we got in touch with Greyfox, he did the ``Blow Me Dance'' at us. The community declined to comment officially but some members of it said that they were pretty much doing the ``Blow Me Dance'' and ignoring Kenyon and Kenyon, too.

You believe them?

[pberry]

Someone hacks your box, tells you they fixed it, and you buy it?

Maybe I'm over paranoid but there is no way in hell I let that box stay up.

Assuming that the story is true.....

[Manaz]

Assuming that the story is true (that the hackers closed the hole and then informed the Slashdot admins of what had happened, rather than planting bombs, scripts, backdoors, etc), I believe that this is a good example of the fact that hackers aren't all bad - that they can, despite the media's poor representation of them (let's not go into the hacker vs cracker argument) actually serve a useful purpose.

Guys, well done for showing some maturity. I assume you've boosted your Slashdot karma scores to reflect your recent real-life boost in karma? :)

Re:paranoia

[Anonymous Coward]

I suggest reinstalling Windows.

By now...

[rhk]

I'm sure hundreds of people have submitted this as a story to the slashdot guys....

Re:COMPROMISED!

[Anonymous Coward]

THEY DELETED THE FIRST POST!

You bastards!

hehe

Comment removed

[account_deleted]

Comment removed based on user account deletion

Can't fool me

[SMN]

April Fools! Ha, bet you thought you had me, Taco, didn't you? Just because I believed that Microsoft really DID sue Slashdot in '99 doesn't mean I'll fall for your trickery twice, "CmdrTaco" - if that's even your real name!

Re:paranoia

[Tony Shepps]

You're not going far enough. It *could* be that not only did they crack /., but that they cracked the boxes that /. runs on, the routers leading to those boxes, etc. and have basically taken control. The first step after securing their own access was to post a bogus /. story saying that /. has been cracked but that this was a white-hat job and everything is back to normal! And since then, they've continued to post /. stories to give the userbase a sense that everything is fine!

What use of it? Well imagine the information that could be gathered about the userbase. We've basically given away a ton. Preferences, slashboxen, posts, poll answers, REAL email addresses, IP addresses. Now consider who could benefit from a database of that kind of specific information about over 100000 users. Governments? FBI? NSA? No, you're thinking too small. It's DOUBLECLICK!

Now we don't know any of this for sure, I'll grant you. But if you start seeing targetted banners that talk about different brands of hot grits, well all I can say is that I TOLD YOU. And by the way, another hint of the takeover would be if this post were moderated in such a way that most users wouldn't see it. They can't remove the post, you know, that would be too obvious! They need to take advantage of our own biases!
--

did anyone else notice...

[xjesus]

...that they also took away the privilege of first post: http://slashdot.o rg/comm ents.pl?sid=00/09/29/0231248&cid=1 [slashdot.org]

and also that the sid uses tomorrow's date.

Priceless

[mincus]

First Post: Hours of time waiting for a new story to appear

reached the 50 karma cap: Months of posting links to partners.nytimes.com

Look on CmdTacos face when he sees the newest /. article: Priceless