Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

Yup, Somebody Cracked Slashdot 320

So last night a couple of guys (Nohican && {}) cracked into Slashdot. As they say, the weakest link in any security system is human: on one of our test boxes, we had a "clean" copy of Slashcode installed, with default data... including the temp admin password (God/Pete). It didn't take much after that to get into Slashdot itself. Hit the link below to read a bit more on the subject (but if you don't want to bother reading it, you should at least change your password).

What a great way to wake up! I went to bed at about 10 last night, completely exhausted (stuff unrelated to Slashdot stressing me out). I guess the upside is that I had a good night's sleep: the downside is I still haven't had a morning cup of coffee ;)

Allright, so by using the 31337 haxx0r tool known as "Common Sense", {} and Nohican managed to get a Slashcode test site's administrative access (this isn't a root shell or anything: its only a series of Web forms used to post stories, and configure various parts of the site). This was our biggest mistake: the password (God/Pete) was never changed on the test site. From there, it was a cake walk.

By exploiting a known security hole in pre-2.0 versions of Slashcode, they executed some perl of their own devising through our template system, and managed to run netcat on the the box. The hole itself required "God" access on a Slashcode site, so it was never a problem before... but since the password was the Slashcode default of God/Pete, it wasn't hard. We knew about the potential problem but since nobody ever had God access besides me, it was never a problem!

From there they managed to get ahold of our backup database (updated nightly). And due to another hole (one that is also fixed in the upcoming 2.0 "Bender" source tree ;) they managed to pull my Slashdot administrative passwd from the dump, and login as me, to the real Slashdot. (our db stores passwords in plaintext. Yes it's stupid, but I wrote this code 3 years ago and had no clue).

Apparently that's where they stopped: all they wanted was to post a story claiming victory. Immediately after that, they e-mailed us and told us how they did it. Our crack team plugged things back up immediately. (and the guys were nice enough to chat a bit with them on IRC explaining a few things).

The moral? Our biggest mistake was not changing the default data on the test site, and I'm sure that we'll patch the next version of Slashcode to require new administrators to change their passwords during installation. The eval hole (we've been working on removing this problem for some time now and replacing it with a templating system that is secure, flexible, and easier than the really crappy one we're using now) and the password problem (also fixed in bender) won't be a factor in Slashcode 2.0.

It doesn't appear at this stage that they actually did anything beyond posting their story. (We're taking all the appropriate precautions to make sure. Hugs to Yaz, Liz and Pat who are gonna have it the worst). You should also change your Slashdot User Password right now just to be safe.

The whole Slashdot authentication is ridiculously insecure. I coded it years ago when I didn't really know anything about scalability or security. Since then various bugs in Web browsers have changed a lot of things, so we decided to fix the problems in Slashcode 2.0. Unfortunately it's not done yet, but it's getting there. Of course, anyone with functioning neurons knows that you use different passwords on each system (especially Web sites where you aren't using any encryption!)

Nobody ever would have got anywhere had we just changed the default password though.

The good news is that it looks like {} and Nohican were good guys: the did the deed, took the credit, and went no further. Then they told us exactly how they did it so we could make sure it wouldn't happen again. Honestly, that's the best kind of hack. Two years ago we had the bad kind of hacker: he rooted the whole damn system and never told us how they gained entry. That sucked more than I can describe.

The bad news is that we have to pretend that these guys totally took over, and rebuild everything anyway. It's gonna be a long couple of days.

You can direct inquiries to me, but understand that I'm just a little busy right now, so I might not be able to reply to everyone.

This discussion has been archived. No new comments can be posted.

Yup, Somebody Cracked Slashdot (HOLD!)

Comments Filter:
  • by sverrehu ( 22545 ) on Friday September 29, 2000 @05:58AM (#744618) Homepage
    [Heh, I wrote the following text for some friends about a week ago. Fits perfectly here. :) ]

    How many sites, servers or systems do you log into regularly? On how
    many sites, servers or systems have you registered yourself with a
    user name and password? Quite some number, or what? Now; how many
    different passwords did you use? Of course you've been told many
    times to use different passwords everywhere. I keep wondering what
    idiot invented that impossible rule; it goes without saying that you
    need to reuse your passwords, unless you have a computer in your
    brain.

    What's my point? Let's say one of the administrators of one of those
    sites is not as honest as it first seemed, and takes a peek into the
    password database. Or let's say that someone cracks into that
    database and gets hold of all the passwords. What could that person,
    given your often used password, do on all the other sites you visit?
    Would you like someone else to speak for you? To buy for you? To
    sell your stocks? To use the encyclopedia you pay for? To read your
    mail? Probably not. And it doesn't have to be that way if all web
    developers out there obey the following, simple rule:

    Never store clear text passwords.

    You do not need to keep a user's password to be able authenticate her.
    To repeat: Neither you, nor your web server, need to store any user's
    password. The technology is ages old: You pass the initial password
    through a one way hash function, and store the garbled password in
    your database. Whenever the user wants to log in, you take the user
    provided password, pass it through the same hashing function, and
    compare the result with whatever you have in your database.

    I guess some of you don't know what hash functions are, so here's a
    short intro: Hash functions, or message digests, are one way functions
    that take a text as input, and produce a signature based on the text.
    Calling the function "one way" means that, given a signature, it is
    impossible to get back to the original text. A good hash function
    also makes it extremely hard to come up with a different text that
    yields the same signature.

    Several hash functions exist. The password file on Unix traditionally
    uses a DES based hash function, known as crypt, to hide passwords.
    Windows NT uses MD4 for passwords. I would suggest you use a widely
    available function known as MD5. It is considered more secure than
    both crypt and MD4. PHP has the string function md5, Java has the
    java.security.MessageDigest class which provides MD5, Perl has an MD5
    module, and I guess you'll be able to find some component for
    ASP/VBscript too.

    If you've ever read about password hashing, you may have run into the
    term "salting". We may use salting to make sure two hashed password
    are different even if they come from the same password. If you choose
    "beer" as your password, and have access to the hashed passwords, we
    don't want you to recognize another "beer" drinker among the users.
    You may think that requiring unique passwords is a solution, but it is
    not: If you register somewhere, and learn that the password you chose
    is already taken, you may run thru the users and test with the
    occupied password until you reach the owner. We do _not_ want unique
    passwords.

    A common strategy for salting is to combine the user name and password
    into a new string, eg. with a line break in between, and pass that
    string through the hash function. Of course you will need to redo the
    combination when you verify the password.

    What follows is a simple example in PHP. We provide one function for
    storing the hashed password, and one for authenticating a user. Of
    course you will need to implement the database functions yourself.

    # Given a user name and a clear text password, calculate the
    # salted, hashed password.
    function getHashedPassword($username, $password) {
    return strtoupper(md5($username . "\n" . $password));
    }

    # Given a user name and a clear text password, calculate the
    # salted, hashed password, and store it in a database.
    function storeInitialPassword($username, $password) {
    $hashedPassword = getHashedPassword($username, $password);
    # Save the hashed password in the database.
    setHashedPasswordForUser($username, $password);
    }

    # Given a user name and a clear text password, calculate the
    # salted, hashed password, and compare it to the one in the
    # database. Return 1 if the user is successfully verified,
    # 0 if verification failed (bad password).
    function verifyPassword($username, $password) {
    # Fetch the hashed password from the database.
    $hashedPassword = getHashedPasswordForUser($username);
    # Salt and hash the provided password.
    $hashedProvidedPassword = getHashedPassword($username, $password);
    # If the two hashed passwords are equal, everything is fine.
    if ($hashedProvidedPassword == $hashedPassword)
    return 1;
    # The hashed passwords didn't match. Invalid password.
    return 0;
    }

    As the example shows, storing hashed passwords is almost as simple as
    storing clear text password. And it is a whole lot more safe. If you
    choose to hash the passwords on the site you develop, you should
    consider mentioning it on a "privacy policy" page. Advanced users
    will appreciate it, and understand that you take security seriously.
  • The defaul login was sa. The default password was blank. I think it's about time you guys fessed up to your MSSQL addiction.
  • It's easy for them. Their readers know exactly how it is, and it's not like there's any data that needs to be protected. Accounts are free, no credit cards #s anywhere, etc... As long as they have backup tapes somewhere it doesn't matter what the fuck happens to the site. They can restore it.

  • D'oh. Configure DNS to disallow zone transfers from anyone but the secondary. Host -l dies then.
  • I think I'll put that in today!
  • by Pathwalker ( 103 ) <hotgrits@yourpants.net> on Friday September 29, 2000 @05:20AM (#744628) Homepage Journal
    It was SGI's File System Navigator [sgi.com] - a rather cool program for doing 3d visualizations of a file system. It's fun to play with, and actually suprisingly usable for normal work.
    --
  • by Private Essayist ( 230922 ) on Friday September 29, 2000 @05:22AM (#744630)
    How refreshing! Someone breaks into a site and the FBI is not called in, pols are not running around screaming about the world coming to an end, and USA Today is not running a story about how evil hackers are about to steal every cent you have in your online bank account.

    Instead, we have an open acknowledgment from the victims, a full story about what happened and what steps are being taken now, simple instructions for the users, and the proper amount of credit to the guys who cracked the site.

    A little extra work for the /. crew, a good reminder for them to take security more seriously, but otherwise no big deal.

    If only mainstream media could be this mature and accurate.
    ________________

  • by fjordboy ( 169716 ) on Friday September 29, 2000 @04:32AM (#744636) Homepage
    I always thought my password was ***** anyways....


  • I just ping to get the ip address [64.28.67.48] then try a few variations on the last number. (http://64.28.67.47:80, etc.) Finds stuff people don't want you to find. ;-)


    --
    Chief Frog Inspector
  • Actually....i think this is a commercial site. :)
  • by TOTKChief ( 210168 ) on Friday September 29, 2000 @06:16AM (#744642) Homepage
    . . . become "FascDot Killed My Pr". They must have had a low bid on that eBay auction.
    --
  • by dbarclay10 ( 70443 ) on Friday September 29, 2000 @04:35AM (#744645)
    This is nice to see. Big, front-page article saying they've been hacked, letting their users know. How many web sites do you think would do that for their users? Too few.

    On the other hand, would we have been notified if the hackers hadn't put a big article on the front page? Food for though, but I'd like to think so.

    Dave
    'Round the firewall,
    Out the modem,
    Through the router,
    Down the wire,
  • by Signal 11 ( 7608 ) on Friday September 29, 2000 @04:36AM (#744646)
    Bah, I cracked slashdot years ago. How'da think I manage to get +5, funny all the time? You think I actually post something like that? Nah. It was late one night, I was karma whoring like I usually do, and I spotted this little pi symbol on the bottom of the page (it was right after they were aquired by Andover.net) and so I clicked on it.. and there it was! Full access to everything. So, I like, gave myself 5000 karma points and changed my default posting score to be +4.

    Ah, if only the trolls had known...

    --

  • by Fervent ( 178271 ) on Friday September 29, 2000 @07:30AM (#744647)
    (but if you don't want to bother reading it, you should at least change your password).

    Change my password? Um.. why?

    This is a message board site, not my bank account.
    Not the administrative passwords on my Windows 2000/Linux box.
    Not the passwords for my personal writing folders (which have a different password than the box).
    Not the password I use for my internet account.

    Basically, there is nothing worthwhile to steal here, and if someone posted something under my name so what? I would then change my password.

    But I don't need to now.

  • Yeah, but did they get first post?
  • "Our crack team plugged things back up immediately."

    Make up your mind, is the team supposed to crack things open or plug them up?

  • I am curious if people think that the folks who broke in are "white hat" intruders. If they are "white hat" intruders, what was the point of making a fake post on Slashdot in CmdrTaco's name? Why didn't they just email the Slashdot admins with the security holes and request that they be fixed?

    Making a fake post is cute, but it is a bit childish. I can not think of any other reason why the hackers made a fake posting other than making a name for themselves or embarrassing the site operators. Was the security of Slashdot really their primary or even secondary concern? Fake posts are no better than grafitti.

    Can we even be sure that they only broke into Slashdot this one time? Were the systems reinstalled with fresh code that had been secured or encrypted? How can we be certain that a backdoor hasn't been installed?

    I certainly feel that the security breach should be publicized. I am glad that the problems have been fixed. And I understand the hackers desire for anonymity given our society's penchant for litigation. However, I do not think it is polite or justified to inform a site's admins of security holes through graffiti on the front page of their website at 10:30 PM. An anonymous or pseudononymous email message would have had the same end result. (Getting phone calls about urgent time sensitive problems at 10:30 PM is bad enough for most system administrators; getting phone calls for problems that could have been solved in the morning is really frustrating.)

    The folks who broke in may not have been "black hat" intruders, but it is specious to call them "white hat" hackers. Perhaps there needs to be a term like "gray hat" hackers, but "immature self-promoting" hackers seems to work just as well.

  • OK, I changed my password to Pete.
  • I would've had them add me to the express article suggestion queue. (Which of course doesn't really exist. It wouldn't be fair to have class distinctions between SlashDot users. yeah right)
  • by ssimpson ( 133662 ) <slashdot&samsimpson,com> on Friday September 29, 2000 @05:29AM (#744665) Homepage

    It's not clear from the post, but it would appear that Slashdot simply stores the username / passwords in a table unmangled?

    Damn...The minimum you should have done is hashed it (with either MD5 or SHA-1 - both of these are available for Perl). The next (recommended) step is to also salt the password prior to hashing to prevent dictionary and similar attacks.

    Bruce Schneier is right in Secret and Lies: people just keep making the same security mistakes time and time again :((((

  • No, I think your current system of paying people to make you do unnecessary work on ridiculous topics such as "The Pre-Roman Carthaginian Patriarchy" or "Rights of the 13th Century African Immigrants" is probably right on-target.

    By the time you get out, you should be perfectly suited to a lifetime of meaningless, tedious work that slowly kills you.
  • So now you're telling me that you know the code is "shit"? Well that gives three options. Either:
    • You've never looked at the code, but you're claiming to know that it's "shit". In which case you are a punk and a faker. Fuckhead.
    • You have looked at the code, but didn't spot this hole. In which case you have no moral authority to criticise Taco, so you are a punk, and a faker. Fuckhead.
    • You have looked at the code and found the hole, but didn't bother to do anything about it. Guess what that makes you? It makes you a punk, a faker and a fuckhead.
    And you can't even fucking flame well. I'd just loooove to meet you on a dark night on Usenet .....
  • by Karmageddon ( 186836 ) on Friday September 29, 2000 @05:32AM (#744677)
    I just want to make sure that readers understand that your issue wasn't "we didn't keep the hackers out" (no one can) but instead "we left your valuables where the hackers could get them".

    There's no difference between failing to keep the hackers out and leaving stuff where the hackers can get to it. But more, I totally disagree with your "theory" about passwords. Slash, please keep our passwords in plaintext, or keep it as an option for users who want it.

    First, think of your bank account. It's real numbers stored in a computer, numbers that other people shouldn't be able to see or change. So, these numbers need to be protected. You can't effectively encrypt them (without leaving the keys sitting there: the computer needs to get to them) so the issue is purely one of protecting them. Give a computer scientist the task of protecting some vital data and she will set about designing a secure system. It's a fun problem to solve. Well, that's all passwords are: data that needs protecting.

    Yes, there are scenarios where hashed passwords allow for a neat trick: knowing the hash lets you authenticate but does not grant you access. But that trick depends on certain elements that are not necessary to guard a website. Think of it this way: if someone gains root access to a website, they don't need an insignificant user's password.

    The convenience of Slashdot being able to email a password if someone forgets it is a benefit that far outweighs the difficulty of the task of protecting them.

  • Shouldn't Slashdot be giving me a $10 gift certificate at Radio Shack? Or maybe O'Reilly or Copyleft? Isn't my personal information worth at least that much?

    Geez, talk about hypocrisy. I'd take DigitalConvergence's treatment of victim's over Slashdot's any day!

  • Duh!

    Do that and I'll forward it to spamcop.

    For pete's (ahem) sake, it's only a blinking password on a blinkin' website, it's been going over the 'net unencrypted plaintext for the past couple of years, and if you're using the same one as for your online banking then you're already a pillock, yeah?

    And besides which you shouldn't change it until our great leader CmdrTaco proclaims it as safe as before *after* it's been fixed; until then, the same paranoia factor that makes him reinstall also makes me worry that password-changes now will be intercepted.
    ~Tim
    --
    .|` Clouds cross the black moonlight,
  • How can I possibly be expected to remember passwords that long? I'll stick to my two-three character passwords for now, thank you very much.

    Also, by using short, precise passwords, like I do, you save hard drive space, and your programs run more efficiently.

    Thank you.

  • by |DaBuzz| ( 33869 ) on Friday September 29, 2000 @05:35AM (#744685)
    And to think, Andover paid you guys over $6 million each for this site. You'd think a company willing to part with such a huge chunk of change would at least EVALUATE the site. Most companies would be all up IN your koolaid before writing such a check and their audit would have shown that this site is held together by band-aids and paperclips that are 3 years old.

    It just goes to show that Andover had no interest in the *site* and it's validity or integrity ... just the eyeballs it would deliver to their advertising group.

    I can't say I'm surprised one bit.
  • f you have a piece of data that can be used as-is to authenticate, then you have what we usually call "plain text passwords".
    You are missing the point.

    The password would not be hashed to prevent someone taking a single account on the machine; the password would be hashed because many people use the same password in a great many places.

    It's just common courtesy; hash it, and you at least have taken a step to prevent the damage from spreading just beyond your site. Normal plaintexting is just irresponsible. Think about, say, slashdot-- for each of these users they have a valid email adress and a valid password. How many people you really think are going to be using different passwords for their slashdot account and the e-mail accounts listed on slashdot..?

  • Too much of linux and opensource have this idea that boxes should be "locked down" and "hardened" after installation. Really smart people say that, but it's totally wrong. Boxes should start out without known ways of getting in. Any access should be "opened" or "unlocked" or even softened" if that's what you want to say.
    Exactly the philosophy behind OpenBSD [openbsd.org]. I like this quote from the ChangeLog:
    • 019: SECURITY FIX: July 5, 2000
      Just like pretty much all the other unix ftp daemons on the planet, ftpd had a remote root hole in it. Luckily, ftpd was not enabled by default. The problem exists if anonymous ftp is enabled.

    Now that is what proactive security is all about.

  • As one former boss suggested: Fingerprint scanning. You poke your finger into a hole in the scanning box and if your fingerprint doesn't match it chops off the finger. He assumed they wouldn't try to fool it more than 10 times.


    --
    Chief Frog Inspector
  • Encore! Encore!
    Damn, wish I could moderate, I'd push that puppy to a 5, but ...

    It is funny, but it's also art.

    /. needs an Inspired classification.


    --
    Chief Frog Inspector
  • And if you aren't assuming that your password at every site you visit isn't stored in plaintext, then you get what you deserve. Do you use the same password to your online bank as you do on /.? You might as well call for all of /. to be SSL so that people can't sniff your passwords when you log in.

    As so many people have pointed out here and in other security forums, security is all about managing risk. I use the same password here and on a few other sites - but if any one of those passwords is lost, all it means is that someone might be able to post as me here (who cares?) and read NYTimes articles online under my name. Oh dear!

    /. should make every attempt to help protect our user information. However, while /. has the responsibility to try and protect the site, users have the responsibility to make sure that a breakin anywhere has limited ability to cause us harm.
  • > after years of watching secretaries jot down passwords on 3x5 cards and post-it notes and tuck them into the pencil drawer of a desk.

    Some of Digital's VT terminals had a data field that would store text, and would echo whatever that text was back to the screen whenever you typed a certain control key. (Sorry - been too long to remember the details.) Lots of lusers in the VAX shop where I worked used to put their username-tab-password in the terminal's data field, so all you had to do is type ^whatever at the terminal, and you were logged in as the terminal's owner.

    It didn't bother me too much to discover that the forklift drivers were doing this. But when I found out one of the m0r0n5 with syspriv was doing it...

    --
  • by ackthpt ( 218170 ) on Friday September 29, 2000 @05:36AM (#744698) Homepage Journal
    Don't have to tell me that, after years of watching secretaries jot down passwords on 3x5 cards and post-it notes and tuck them into the pencil drawer of a desk.

    Probably the best I ever witnessed was at some economy barn, like a Sam's club. They had the manager's password on a note taped to the front of the monitor, it had been there for some time.
    Why don't I just give Anonymous Customer a refund of, oh, $500. Better make that $500.01 or the bean counter will get suspicious.


    --
    Chief Frog Inspector
  • You underestimate how many fucking idiots are on the web :) The security measures I am talking about would have been almost trivial to implement (I think signal 11 provided the meat of the code right in this thread), and would protect the /. crew from (correct) accusations of lax security.

    Like I said, when this type of thing happens to other major sites that don't encrypt user data, everyone is quick to say how stupid it is.
    ----
  • Like... put a wrapper on a command to delete a random file.


    --
    Chief Frog Inspector
  • by DanMcS ( 68838 ) on Friday September 29, 2000 @05:41AM (#744708)
    As if I care about my password. What's someone going to do, log in and post as me?
    --
  • host -a -l slashdot.org

    Wow, cool! Check out http://warez.slashdot.org [slashdot.org] for cool warez downloads!
  • For the systems (and users) I'm thinking of, I don't think truly random generated passwords would go down well with our user base. I was thinking of random picks from a dictionary.

    Thats not to invalidate your reply though - its all valid information. The solution I'm thinking of is the MD5 URL to visit to reset your password. It could be one-time generated with the current time, the user_id and a secret. Thus impossible to guess, and again, the password doesn't get reset until the URL is visited.
  • Frank van Vliet, aka {}, was as well the wizard who managed to put an IIS banner on apache.org some months ago.. I'm really curious for his next hack!
    Here is an interview [linuxsecurity.com] on LinuxSecurity with him.
  • by pb ( 1020 ) on Friday September 29, 2000 @04:36AM (#744719)
    - Always change your default passwords (that is the easiest way to get hacked, as seen in The Cuckoo's Egg, a la Hagbard)

    - Never store your passwords in plaintext. Preferably, just hash them.

    - Never trust a good password to a website. I have a throw-away password I use for unencrypted web stuff; slashdot can have it, and I'm gonna keep it. If they hack my kuro5hin account, I'll survive.

    - Hope for the best, expect the worst. If someone compromises your system, it doesn't matter how nice they are about it; make sure you check everything, regardless.
    ---
    pb Reply or e-mail; don't vaguely moderate [ncsu.edu].
  • It was the LATER story I was referring to.
    ________________

  • Ahem. I rest my case.
  • Yes, this is what really costs businesses money, irrespective of whether any damage was done.
  • If Slashdot supported SSL and client certificates, we would have no need to change our passwords when the database is compromised- restore the backed up data to fix any client certificates that were changed by the hackers, and all is well.

    Using certificates instead of username+password also eliminates the possibility of my password being stolen when somebody on my LAN or at my ISP sniffs the cleartext HTTP traffic.

    This goes back to one of my comments on the question of 'Should Slashdot charge for access?', the concept of having an enhanced account level with SSL support, and giving SSL traffic a higher priority on the WAN/LAN links to the servers.

    Call it a 'subscription' and I can get my employer to pay for it.

  • by Darchmare ( 5387 ) on Friday September 29, 2000 @10:50AM (#744728) Homepage
    ---
    if Microsoft had posted an article explaining their security holes or in the same tone ("Yes it's stupid, but I wrote this code 3 years ago and had no clue", "it was never a problem!") then slashdotters worldwide would have been all over this complaining about the utter inability of Microsoft to do anything right
    ---

    ...the difference being that Slashdot doesn't sell their code as if it were flawless - in fact, they don't even sell their software at all.

    And I don't think Slashdot is indicative of most open source software projects. Slashdot started off a while back as a project for a guy who wanted to post articles on his web site. The Slashcode is just a side effect.

    This is entirely different than, say, Linux or Apache (or Microsoft's stuff, even) where the main idea is the software itself.


    - Jeff A. Campbell
    - VelociNews (http://www.velocinews.com [velocinews.com])
  • by DanMcS ( 68838 ) on Friday September 29, 2000 @05:44AM (#744730)
    Yup.
    --
  • The reason I'm scrambling it is to so that the string people use to log in can't be used elsewhere.
    This is a lot more secure then then plain text, especially if people use the same password in more then once place.
    If the password database is compromised, then I would still urge people to change their passwords like Slashdot is doing, but at least people wouldn't have to worry about the actual phrase being known to others.

    So the increased security is as follows:
    Compromised db does not compromise password when used on other sites.
    Cookie does note contain plain text password string - again, safety from other sites.

    You're right, it doesn't prevent the cookie from being grabbed (which I acknowledged) or the db.
    However, the use of session IDs would solve that first problem, which, like I said, I plan to implement soon.
  • by Derek Pomery ( 2028 ) on Friday September 29, 2000 @04:38AM (#744737)
    I'll admit, I'm fairly new to the writing of code for the web, but the first thing I did on taking over someone's site admin was change the passwords from plain text in the cookies and db to crypt() (didn't want to use md5 since a lot of different scripts and programs used the db - crypt is more common).

    Even so, the way I have it currently set up is a problem. Someone could grab a copy of the local encrypted cookie, then use it to connect as the user from then on. The easiest way I can think of to solve this is to have the cookie be a combination of a timeout value and the encrypted pass, and store that value in the db as well ('till timeout) but even so, at least user passwords can't be read out of the database in my current setup.

    Come on, this is just common sense. It wouldn't have taken 37737 knowledge of perl to have implemented that in the first version of Slashcode.
  • by pangur ( 95072 ) on Friday September 29, 2000 @05:45AM (#744738)

    Now, the fact that the default password was used to get into the box is one issue.

    Another issue is how the crackers managed to get root after the fact. They exploited known security holes.

    Just something to reduce my karma, but since the code is open source, bugs are supposed to be found much more quickly and fixed within a few hours given the right channels. Yet, since the bugs are supposedly easier to find (looking through source code as opposed to trying various techniques to so what happens) than in closed binaries (that is one of the main arguments for open source), we have our lesson for today.

    Which is:

    If you use open source products, patch early and patch often. If you reinstall an old version, plan to spend a significant amount of time applying patches. Otherwise, those well known and easily-researchable bugs will come back to haunt you in sequential order.

    Having been a computer instructor for a year and a half, I have found that there is good news when an authority screws up publicly. First, it shows than no one is an authority on everything. More importantly, when a mistake is made, sometimes students can learn more by finding out how to fix something than how to do it correctly in the first place. This event will have more admins thinking about security today than a dozen security articles would have.

    All my programs have but one purpose. They take the contents of RAM and place those contents into a file called 'core'

  • Is that the encrypted string cannot be used to log in, only to try and convince it you are already logged in.
    That's why using a combination of a login password and a random session id would make this completely secure, save from packet sniffing.
  • They hacked in, and then they closed up the security hole; that's awfully nice of them. Let's hope that the hackers that crack the SDMI's DMAT aren't so nice (or greedy).
  • by Anonymous Coward on Friday September 29, 2000 @04:39AM (#744743)
    Sonny, in *my* day, we actually had to hack into the slashdot mainframe. What you have to do is find a known hacker, in our case an 8-year-old girl, and trust her to navigate the dangerous Doom-like interface of the security system with her mouse, gaining you access at the last possible second before all hell breaks loose. We had to work for our extra karma points, and we liked it!
  • by streetlawyer ( 169828 ) on Friday September 29, 2000 @05:47AM (#744744) Homepage
    If you write an insecure system with passwords in plaintext when you're a college student with a small website, and you expect "the community" to download the code, notice the error and fix it for you, you're going to be disappointed.

    Taco should not be so hard on himself over that particular flaw; the real shame should be felt by the million and one fuckheads who downloaded the code and didn't even look at it before installing.

    'Course, this puts the whole "security through obscurity" thing in a slightly different light ...

  • If any other website had there unencrypted password database stolen, everybody here would be outraged. I can recall more than one story on /. involving such elementary security mistakes. What if I used the same username/assword on every website? Now the hacker has access to my ebay, amazon, buy.com, etc accounts, all because Rob never fixed a major, 3-year-old security glitch.
    ----
  • The feature I' [goatse.cx]d like to see most is a killfile. [yhbt.org]
    I can block out story authors that annoy me, [georgewbush.com] I wish I could do the same to posters that annoy me. [olsentwins.com]

    --K
    MODERATORS: Flamebait or Troll. None of this Offtopic, Redundant, or Overrated crap.
    ---
  • Try doings a 'host -l slashdot.org' and you'll see that the DNS servers are setup to allow zone transfer to anywhere...

  • How will I ever remember a new one?

  • Speaking strictly for myself, good luck, CmdrTaco & all the crew...

    Bugs are hard to avoid -- thankfully, you were dealing with "white hats" this time. By the way, isn't it funny this information is already available [linuxtoday.com] on other sites... ?
  • Taco just wanted us to be sure that they'd really given the site back.

    Bruce

  • Go back and watch the movie. The UI had a colorful little Apple logo in the upper left corner of the screen...

  • by Millennium ( 2451 ) on Friday September 29, 2000 @04:41AM (#744769) Homepage
    The last thing we need is for some troll to hack Slashdot and turn it into a goatse.cx mirror (a dream I'm sure has crossed the mind of many a middle-school, immature techno-jerk).

    Honestly, though, what other features can we expect to see in Slashcode2? Story moderation (or changes to the overall mod structure)? Perhaps user-definable themes (OK, I know I'm going out on a limb there)? Removal of the suid requirement on the script? Just throwing out some honest questions...
    ----------
  • passwords are stored in cookies on your home machine

    No, they aren't. My ~/.netscape/cookies file just has my userid in it. Check yours.

    As a matter of fact, there are no passwords in my cookies file at all.

    - A.P.

    --
    * CmdrTaco is an idiot.

  • So, the code looks like this in getUser:

    if($uid > 0) { # Authenticate
    $I{U} = sqlSelectHashref('*', 'users',
    ' uid = ' . $I{dbh}->quote($uid) .
    ' AND passwd = ' . $I{dbh}->quote($passwd)
    );
    }

    So I think you want to change the definition of passwd to be a char(32) and change "passwd = $I{dbh}->quote($passwd)" to "passwd = MD5->hexhash($I{dbh}->quote{$passwd})".

    You would, of course, have to change the code for adding users and changing passwords, but you get the basic idea. This is easy stuff. The only thing that it does not allow for is mailing a user their password. How to solve for this?

    Well, I would add a two-step process where a users says "I forget my password". You then invent a temporary password which you mail to their email address. This password is sent with a link to a special "verify that you forgot your password" page. If it's an attacker, the primary account password has not changed, and the user gets annoyed by an email message (as they would now). If it is the real user, they authenticate themselves via this temporary token and THEN you email them a new primary password which they are required or at least asked to change immediately. In fact if you want to make it really easy add the temporary token to the URL for the verification page (e.g. http://sd.org/verify?user=ajs&token=3485839828).

    All the security of the current system plus encrypted passwords in the database.

    For coming up with the new primary password, I would use the trick of using a random dictionary word followed by a random digit and a random noise character. This works out to be around 2^21 easily remembered passwords (about 5e4 words with a good list of 4-6 letter words, 10 digits, 32 noise characters = 16x10^6 = ~2^21). An easily cracked space woefully, but decent for throwaway passwords, especially if they're required to change them.
  • Say that again after somebody posts something in your name that results in a lawsuit. Yes, we've already seen companies such as Microsoft applying legal pressure to have things removed. One of these days, somebody is going to post something libelous (sp?), or something else illegal, that will result in legal action from the injured party. You maintain the copyright on all articles posted. You will have to prove your innocence, which is more hassle than I'm prepared to put up with.

    Please correct me if I'm wrong or barking up the wrong tree ;)
  • Practice. Same way you get to Carnegie Hall.

    Of course, I understand you're being sarcastic, but lots of people really think that way.
  • by Signal 11 ( 7608 ) on Friday September 29, 2000 @04:43AM (#744785)
    ...Riiiiight. And did you, uhh, hack a Gibson too in your day?

    --

  • What exactly did they post? I failed to see it and I was on a lot yesterday. Was it that initial post about being hacked?
  • You know, that site full of smart ass, 20-20 hindsight kids getting cracked. "We told you all that long haired pinko commie type hippie fag freeware was in secure!", market-troids will cheerfully chirp, "You need to grow up and get yourself a real commerical OS." The New York Times has been making references to SlashDot (not always flattering). Even Scientific American made a snide comment or two this month about the "propeller head crowd on Slashdot." ZDNet will burst, and the clueless will be able to stick their heads in the sand again.
  • "The password to the Air Shield is 1 2 3 4 5 sir."
    "Brilliant! That's the same password I have on my luggage."
  • [...]first thing I did on taking over someone's site admin was change the passwords from plain text in the cookies and db to crypt()[...]
    [...]the way I have it currently set up is a problem. Someone could grab a copy of the local encrypted cookie, then use it to connect as the user from then on.

    If you have a piece of data that can be used as-is to authenticate, then you have what we usually call "plain text passwords". At least, what you're storing is plaintext. Scrambling it a little to confuse people and not letting people use that password on a web form doesn't really buy you much security. Of course, these days, crypt() and lousy passwords doesn't get you very good security, either...

    IOW, your solution doesn't help any. If they get the password db, they can log in. Okay, okay, maybe brain-dead script kiddies can't.

  • Just wondering, is {} pronounced
    "O-pen-brak-et-klozd-brak-et"

    Or is there a Dutch pronunciation???
  • I thought the passwords were stored as hashes. This sure is one helluva breach of confidence...
  • Yeah, I just changed mine to xyzzy nobody'll guess that! 07.45 Time to make the donut...


    --
    Chief Frog Inspector
  • it was a test server that had the default password left on...

    --

  • Another issue is how the crackers managed to get root after the fact.

    You mean root to the box that hosts /.?

    I thought they just pulled CmdrTaco's password and logged in to admin.pl and posted the story. Wasn't that the extent of their intrusion?

  • Is Slashdot going to give 10 Karma points to everyone to compensate for the intrusion?
  • Never mind. Found it. Surprisingly subtle post.

    Anyone think briefly that someone at the Slashdot "compound" did this to drive up traffic? Just a whim...

  • by Anonymous Coward on Friday September 29, 2000 @04:48AM (#744825)
    Signal 11's karma exceeded an unsigned BIGINT and triggered a buffer overflow leading to an exploit. Slash code operators are encouraged to kick Signal 11 in the nuts until the problem goes away.
  • 2 years ago we had the bad kind of hacker: he rooted the whole damn system and never told us how they gained entry.

    Damn, I can't believe I've been reading slashdot for that long!

    I seem to recall consensus at the time was that the attacker probably got in through a hole in BIND 4.9.6, which was distributed with the version of RedHat (5.0? 5.1?) slashdot was running.

    --

  • by sverrehu ( 22545 ) on Friday September 29, 2000 @09:07AM (#744835) Homepage
    I must agree. I've been running Crack for both Unix (Solaris and GNU/Linux) and Windows NT where I work, and it's amazing how many passwords were found just in a few minutes. Crack is an extremely cool program.

    http://www.users.dircon.co.uk/~crypto/download/c 50-faq.html

    I don't remember where I found the NT port of Crack. Sorry.
  • by dsplat ( 73054 ) on Friday September 29, 2000 @04:49AM (#744838)
    Is there anyone else out there who hears warning bells when reading the words, "Change your password immediately here." with a link? Has nobody ever heard of social engineering? I know that I'm not the only person on Slashdot with a mild case of paranoia.

    [dsplat ducks under his desk to avoid being spotted by the black helicopters]
  • Doesn't everyone just use 'slashdot' for their password?

    kc.
  • The question remains: Would there have been an acknowledgement if the crackers hadn't posted their story?
  • I'm glad somebody else has the dream of customizing the colours of Slashdot .. the white/teal look, while is nice and pleasing to the eye, is getting a little old :/

    Now, colour schemes like Enlightenment [enlightenment.org]'s (with the nice graphics .. I know, it's white on teal. Cut me some slack here!) would be a nice change of pace!


    ------------
    CitizenC
  • by Zulfiya ( 44302 ) on Friday September 29, 2000 @04:51AM (#744854) Homepage
    This is nice to see. Big, front-page article saying they've been hacked, letting their users know. How many web sites do you think would do that for their users? Too few.
    On the other hand, would we have been notified if the hackers hadn't put a big article on the front page? Food for though, but I'd like to think so.

    Well, they announced it the last time: Slashdot Gets Hacked [slashdot.org].

    Although you could argue it was pretty hard to cover that one up, too.


  • I'm wondering here ... On this test box install, did that also include
    the sample story? You know, the one that tells you to login as God/Pete
    and also suggests that the first thing you should do is change the password?
    <nelson>Ha Ha!</nelson>

  • by Krieger ( 7750 ) on Friday September 29, 2000 @04:52AM (#744859) Homepage
    Why bother changing your password? It just means that you'll have another unencrypted plain-text password laying around... Besides who really cares if your /. account gets hacked? What are they going to do? Kill your Karma?

    Bah! Wait until they get the Slashcode 2.0 up and can affirm that encrypted passwords are being used.
  • by dnnrly ( 120163 ) on Friday September 29, 2000 @04:53AM (#744862)
    For once we have seen that it is possible for a victim to acknowledge that something was their fault. I don't want to jump on a bandwagon but it just goes to show what happens when your honest. (this is a the tendancy in open source, not the rule) In a matter of hours, things are being fixed, things are back to normal, no-one has lost face and the hackers have gained a little kudos for acting honourably - leaving a calling card that does no harm and then telling everyone about it.

    dnnrly

    dnnrly

  • by NYC ( 10100 ) on Friday September 29, 2000 @04:54AM (#744872)
    Slashot had a story [slashdot.org] about 3 weeks ago stating that Western Union got cracked and recommended to their customers to changes passwords and even cancel their credit cards.

    --weenie NT4 user: bite me!
  • by ca1v1n ( 135902 ) <snook&guanotronic,com> on Friday September 29, 2000 @05:06AM (#744887)
    http://dailynews.yahoo.com/h/zd/20000928/tc/mitnic k_to_it_managers_everybody_is_suspect__1 .html is a story about Kevin Mitnick's warning that people are always the weakest link in security. Here we have slashdot admins making a simple password mistake. Just imagine what the average user on a corporate network (with read access to the rest of that network) could do.

    I would have made it a link, but either netscape or slashdot kept putting spaces in it because it was so long. Sorry.
  • by Bedemus ( 63252 ) on Friday September 29, 2000 @04:57AM (#744896) Homepage
    For crying out loud, this got moderated *up*? The guy wrote the stuff 3 years ago, when Slashdot users could hardly have been referred to as customers. Heck, even now, I don't know that you can hold them to "Customer focus." Last I checked they weren't charging us anything to use slashdot, and weren't selling our data to anyone for profit. If you want to call loading a banner ad being a customer, then I guess...

    But still, that's no reason for the demeaning tone of this post. I just love the way we geeks all tend to rip each other to shreds when we make stupid mistakes, and when we do so, the tone we take is almost always one of "I know everything -- I do no wrong." This should have been moderated as "Flamebait."

    You had no moral obligation to inform the readers of anything. Slashdot folks are a pretty educated crew -- we're fully capable of drawing our own conclusions, thank you.
    --
    NeoMail - Webmail that doesn't suck... as much.
  • by Frank van Vliet ( 237907 ) on Friday September 29, 2000 @04:59AM (#744899)
    host -a -l slashdot.org (:

    the database was hosted on just one box, never touched the webservers
  • by Matts ( 1628 ) on Friday September 29, 2000 @04:59AM (#744900) Homepage
    The question then becomes how do you implement forgotten passwords?

    Generated passwords (emailed to you) opens you up to some sort of randomization attacks.

    "Hint" questions are a bad idea, because finding out the sorts of things that people use for hints on the internet is fairly trivial. If someone breaks into the DB and gets the Hints database, they can probably figure out your password. Besides, what can you use for a hint for "aF3g!5%fg" ?

    A base64 encoded Unique URL to visit is probably the best thing. Mail that to the user, and get them to click on the link.

    Any other thoughts on this?
  • by Ardant ( 93302 ) on Friday September 29, 2000 @05:00AM (#744901) Homepage
    True enough, but do remember that the weakest link defines how strong the chain is.

    So what if you encrypt passwords on the server, passwords are stored in cookies on your home machine, as well as sent plaintext over miles upon miles of internet cabling before reaching slashdot.org.

    If someone really wanted everyone's slashdot passwords, all they'd have to do is sniff some connection along the way.

    Hackers will always hack in. There's no such thing as an invincible system. It's just a matter of time and determination (as we've seen time and time again).
  • by sjames ( 1099 ) on Friday September 29, 2000 @05:02AM (#744915) Homepage Journal

    (didn't want to use md5 since a lot of different scripts and programs used the db - crypt is more common).

    Actually, the newer libcrypt supports MD5 out of the box. Just put the salt into the MD5 format, and the string returned will be MD5. That still requires making old programs parse out the salt correctly, but it's less of a pain than a total conversion. Since it's easy enough to support both formats, the thing to do is convert a bit at a time and manually create an account with an MD5 password for testing. The day that account passes all tests, conversion is complete.

  • by Ih8sG8s ( 4112 ) on Friday September 29, 2000 @05:14AM (#744926)
    This was no crack. This was some really bad administrative habits inviting something like this to happen.

    The person that left the default password on a publically accessible server should be canned.

    At any job I've worked, something like this would get the preson responsible auto-canned for not making reasonable efforts to protect company data.

    This is a special case, becasue the person who decided to implement a 'default password' in slashcode also works in the company where it is used. CmdrTaco also needs a good butt-kickin. Did feature lust could your judgement?

    Also, the idea of storing the user database in clear text on a publically accessible server is also insane. Store nothing on publically accessible webservers.

    I totally cringed when CmdrTaco decided to proclaim "No one would ever have gotten in if it wasn't for the default password".

    OH MY GOD

    I hope he takes a good look at his bliefs surrounding security. That's a very cocky and naive thing to say. I'd submit that someone who believes that enough to say that will most certainly get 'cracked' again. Have a nice day :)

  • by Anonymous Coward on Friday September 29, 2000 @05:14AM (#744927)
    Apologies to Sam Cooke (and Art Garfunkel)

    "Don't know much about TCP
    Even less ICMP
    Don't know how to make a subnet class
    Even script kiddies would kick my ass
    But if an OS that can be bought
    Will install securely by default
    What a wonderful thing that would be

    Don't know much about LAND attack
    Don't know how to spoof an IP stack
    Don't know much about the port I'm on
    Can't decide to leave a daemon on
    If I install OpenBSD
    And it does most of my work for me
    What a wonderful thing that will be

    Now I don't claim to be a sys admin
    But now broadband's in my town
    And I have to put something between me
    And the people who know how to bring me down

    Don't know much about DDoS
    And my shell programming is a mess
    Don't know how to build a firewall
    Don't know much about nothin' at all
    But if I can shield my root account
    Without emptying my bank account
    What a wonderful thing that would be."

    -- Beldon // beldon@scamail.com
  • by Booker ( 6173 ) on Friday September 29, 2000 @05:15AM (#744931) Homepage
    While I'm sure it really sucked for cmd Taco, I thought the front page of the previous /. hack was kinda clever...

    It's archived here [rootshell.com].

    ---

  • by gattaca ( 27954 ) on Friday September 29, 2000 @05:19AM (#744937)
    Is this what happens when you put PERLs before Swine?

"No, no, I don't mind being called the smartest man in the world. I just wish it wasn't this one." -- Adrian Veidt/Ozymandias, WATCHMEN

Working...