
Wine HQ Password Database Compromised

Posted by Unknown Lamer
from the assailant-reportedly-doped-up-on-php dept.
With his first accepted submission, tyler.russell writes with a report that the WineHQ database systems were compromised. Quoting the official announcement: "We are sorry to report that recently our login database for the Wine HQ Application Database was compromised. We know that the entire contents of the login database was stolen by hackers. The password was encrypted, but with enough effort and depending on the quality of your old password, it could be cracked. We have closed the hole in our system that allowed read access to our database tables. To prevent further damage we have reset your password to what is shown below. We strongly suggest that if you shared your AppDB password on any other sites that you change that password as soon as possible." He adds: "A new username and password were included with this email."
  • Welp, there goes my information.
    • by Anonymous Coward

      Same here... I shudder to think of the consequences if I had the same password everywhere. Given what the stats say about people's habits on passwords, there are probably a lot of people that are at risk with other online accounts when this sort of thing occurs.
      The really frightening thing is that for each of the break-ins we hear about, there are probably countless others done successfully (i.e., without detection) that we don't know about.

    • Re:Ah Hell (Score:4, Funny)

      by Anonymous Coward on Tuesday October 11, 2011 @06:13PM (#37684434)

      entire contents of the login database was stolen by hackers

      Dammit. They didn't steal it. They made a copy. Okay?!

      • by black3d (1648913)

        According to the dictionary, they stole it. Perhaps you have a personal, very narrow definition of Steal. The word means more than you think it does.

        • by TechLA (2482532)
          It's not stealing since they still have the original data left. Hackers only made a copy of that. No harm was done.

          ... that is, according to the Pirate Party and pirates on /.
          • Right. Every pirate claims that all things that involve copying in any way must be harmless. According to my straw man, at least.

          • Re: (Score:2, Insightful)

            by black3d (1648913)

            Right, and I often hear them say that, except the problem is that no part of the definition of steal ever involves deprivation. Usually stealing leads to deprivation, but it's not required. Since the early 1900s, the definition of steal has included obtaining without permission, no deprivation involved whatsoever, especially in legal dictionaries which are what matters in this context.

            Similarly, if you take control of a bus, but continue to drive all passengers to their destination and allow them to alight,

            • by NoSig (1919688)
              The word steal invokes the mental image of taking away, while copyright infringement doesn't, so steal is an inaccurate label for copyright infringement since no taking away is involved. The same thing that makes it inaccurate is exactly what makes it a great rhetorical trick. It's like referring to a speeder as a "dangerous criminal" or someone who thinks that trains should run on time as someone who "holds certain views in common with Nazis". You can think and argue that copyright infringement is bad with
              • by black3d (1648913)

                I'm not arguing about whether or not copyright infringement is good or bad. Sorry if my message came across that way. What I was criticising was the fact that geeks are at the forefront of every advancement in society, and embrace new ideas and modern movements, but they make a special case for the word "steal" (which has evolved with the language, and includes obtaining without permission), and pretend it doesn't have that meaning simply so they can keep saying that copyright infringement isn't "stealing".

            • by julian67 (1022593)

              In the UK the definition of theft explicitly sets out several tests including:

              "dishonestly acquire, with the intention to permanently deprive"

              This is why we have other laws such as the offence of "Taking without consent" of a motor vehicle, which covers situations where the acquisition can be proven dishonest but no intent to permanently deprive can be proven i.e. the offender takes, uses and abandons a vehicle, maybe even at or near where the owner left it.

              Most of the English speaking (officially/legally)

              • by black3d (1648913)

                I concur, good sir. But we were talking about the word "steal" not "theft". Contrary to my comments about "steal", "theft" almost universally does involve the removing of products, and deprivation. To recap, GP made a common /. rail against the word "stole", to describe the actions of people who made a copy of the database. I pointed out that "steal" doesn't necessarily involve deprivation, and the legal definition includes taking without permission - even if no deprivation occurs. Talking about a verb here

                • by julian67 (1022593)

                  In English Law "steal" refers to "theft". It's the same.

                  From the Theft Act 1968 (current English Law):

                  "A person is guilty of theft, if he dishonestly appropriates property belonging to another with the intention of permanently depriving the other of it; and "thief" and "steal" shall be construed accordingly."

                  Dishonestly appropriating the contents of another person's database wouldn't be theft in England, though it would be a very serious offence under the Computer Misuse Act. The penalty could be as high

                  • by pnewhook (788591)

                    So what you are saying is that it is by definition impossible to steal someone else's idea for something.

                    • by julian67 (1022593)

                      In English law, yes. In common speech, no. In other legal systems, I don't know.

                      Common usage is often very different to strict or technical usage or even dictionary definition, and not just in law, so 'yes', 'no' and 'maybe, it depends' are all valid answers to your question (challenge?).

                • by Zugok (17194)

                  I concur, good sir. But we were talking about the word "steal" not "theft".

                  Take a look at this in New Zealand law
                  http://www.legislation.govt.nz/act/public/1961/0043/latest/DLM329897.html#DLM329897 [legislation.govt.nz]

                  I do not know what the codified definition of theft or steal is in your jurisdiction or if it's even the same as in New Zealand. The point is, depending on what is written in the law, chances are your definition does matter.

            • by EdIII (1114411)

              Sorry, but that definition still is, and always will be, complete and utter bullshit.

              All of your points involved the physical world. The act of theft, or stealing, can ONLY occur in the physical world . It blows my mind that anyone can come to a different conclusion once all things are considered. You cannot steal an idea, thoughts, etc. All you can do is share in them.

              Regardless of how one feels about intellectual property, we should be able to not treat each other like idiots and stop using the word t

              • by black3d (1648913)

                I never brought up copyright infringement? I wasn't arguing for or against copyright infringement at any point in time. I was purely talking about the word "steal".

                You seem to be confusing the verb as a word, as I'm talking about it, and the criminal act. You're setting out with the notion that to "steal" only involves the physical world. May I ask where you got this notion? Not from the dictionary (although I'm certain you can find a dictionary with physical removal as the only definition of the word "stea

                • by EdIII (1114411)

                  It was just a comment on GPs attempt to dismiss the matter of "stealing" having occurred, when, if you accept the latter three definitions above, it did. If you choose to dismiss any dictionary which defines "steal" as also involving non-physical objects, that's your choice - but that doesn't resolve a dispute on the topic. Geeks need to man up about this and accept that words change. It's like folks are treating "steal" as a dirty word, and something they like to pretend they're not involved with; Denying any modern meaning of the word is how they go about setting themselves apart, and feel better about what they do.

                  You're wrong, and on many levels.

                  Plagiarism is not a form of stealing. Just like copyright infringement, it is a separate act, that for exactly the same reasons, had the word steal misappropriated to benefit the copyright holders.

                  Geeks do not need to "man up". We need to bunker down and refuse to allow people like you to change the word. Saying that change is just part of life, and like oh well, just go with the flow is harmful bullshit.

                  I don't "pretend" anything. I have fully admitted, that on many occ

                  • by black3d (1648913)

                    Whom do you suggest should decide on the definition of a word? Where do you think Oxford, et al, draw their current definitions from?

                    Aside from that, I agree with every aspect of your stance against the criminalisation of copyright infringement. I concur that copyright has been warped and distorted completely from its original purpose, and that copyright now almost serves the opposite purpose that it was intended to. It was intended to provide an author with a modest fee, to encourage the author to continue

                  • by bjourne (1034822)
                    You may have heard the quote "Immature poets imitate; mature poets steal" which is from T.S. Eliot in 1921. That plagiarism is a form of "stealing" is well established in the English language and you are the one who wants to redefine the word so that you have to call it "copyright infringement" instead, not Big Content.
                  • by pnewhook (788591)
                    You are completely wrong in your assertions. You are only making this stand to justify your own actions of theft. Get off your high horse and stop pretending your actions are to protect your rights or protect the interest of the People - they are NOT. You are stealing by copying copyright information pure and simple.
              • by black3d (1648913)

                TL;DR version:

                You cannot steal an idea, thoughts, etc

                Dictionary definition:
                Steal
                "to appropriate (ideas, etc) without acknowledgment, as in plagiarism"

                My point was only ever that geeks are trying to ignore any definition of the word steal which doesn't suit them - I'm not arguing the merits of or against any act.

          • So you think the only thing that can do harm is stealing? So I guess it's OK if someone burns your house down, because after all, it's not stealing.

      • I think that's true.

      • They did steal it, because now the original owners are deprived of their old username and password. Did you not even read TFS?
  • Oh that's secure (Score:4, Interesting)

    by theswade (2020510) on Tuesday October 11, 2011 @06:10PM (#37684396) Journal
    So their solution to a security breach is to send out everyone's logins via clear text?
    • by Amouth (879122)

      Those were my thoughts exactly... I figured it would be a forced reset on log-on and an e-mail with a unique id to use during that (think of it as a second factor token)..

      but to just reset the password and send it.. that is just ...........

    • Re: (Score:2, Insightful)

      by Anonymous Coward
      Do you have another, better solution?
    • by Unreal One (21453)

      They wanted to see who would wine about it.

    • by Carnildo (712617)

      So their solution to a security breach is to send out everyone's logins via clear text?

      It's much harder to intercept email than it is to decrypt an encrypted password: assuming that WineHQ users are typical in their password habits, about 75% of the passwords in the database are vulnerable to a dictionary attack and thus should be considered known to the attackers. By giving everyone a new password and emailing them in the clear to the users, they ensure that only those users who also have their email inte
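Carnildo's estimate rests on the leaked hashes being cheap to test against a dictionary. The following is an added example, not code from the page or from WineHQ, with a constructed wordlist and constructed user records: it cracks an unsalted MD5 table the way a 2011-era PHP application would have stored it, then repeats the attack against the same passwords stored with a per-user salt and an iterated KDF (PBKDF2-HMAC-SHA256 from the standard library), counting hash computations in each case. The usernames, passwords and wordlist are assumptions for illustration only.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "123456", "wine", "letmein", "qwerty", "winehq2011", "dragon"]


def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()


# Constructed "leaked" table of unsalted MD5 hashes (not data from the WineHQ breach).
LEAKED_UNSALTED = {
    "alice": md5_hex("wine"),
    "bob": md5_hex("letmein"),
    "carol": md5_hex("Tr0ub4dor&3!xQ"),   # not in the wordlist, so it survives
}

# The same three users' plaintexts, used to build the salted comparison table.
SAMPLE_PASSWORDS = {"alice": "wine", "bob": "letmein", "carol": "Tr0ub4dor&3!xQ"}


def crack_unsalted(leaked, wordlist):
    """Unsalted fast hash: hash each candidate word once, then a dictionary
    lookup covers every user at the same time.
    Returns (recovered passwords, number of hash computations)."""
    table = {md5_hex(w): w for w in wordlist}
    recovered = {user: table[h] for user, h in leaked.items() if h in table}
    return recovered, len(wordlist)


def slow_hash(password, salt, iterations=100_000):
    """Iterated, salted KDF; each call costs `iterations` HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_salted_records(passwords):
    """Store each user with a fresh 16-byte random salt and the slow hash."""
    records = {}
    for user, pw in passwords.items():
        salt = os.urandom(16)
        records[user] = (salt, slow_hash(pw, salt))
    return records


def crack_salted(records, wordlist):
    """Salted slow hash: every (user, word) pair costs a full KDF run, and work
    spent on one user's salt is useless against the next user.
    Returns (recovered passwords, number of KDF computations)."""
    recovered = {}
    computed = 0
    for user, (salt, digest) in records.items():
        for word in wordlist:
            computed += 1
            if hmac.compare_digest(slow_hash(word, salt), digest):
                recovered[user] = word
                break
    return recovered, computed


if __name__ == "__main__":
    rec, n = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    print(f"unsalted md5:  recovered {rec} after {n} hash computations")
    rec, n = crack_salted(make_salted_records(SAMPLE_PASSWORDS), WORDLIST)
    print(f"salted pbkdf2: recovered {rec} after {n} KDF computations")
```

Both attacks recover the two dictionary passwords; what changes is the cost. The unsalted table falls to seven MD5 computations regardless of how many users it holds, while the salted table needs one KDF run per (user, word) pair (fourteen here, each a hundred thousand rounds), which is why a weak password is still lost but the bulk "75% in an afternoon" outcome is not. The strong password survives either way, which is the argument for unique, random per-site passwords elsewhere in this thread.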

    • They should have done it with white text on a white background, so that you couldn't see it through the e-nvelope. Only once you open the email and highlight or copy/paste the details will it become readable.

      That's how I send all my private messages anyway

    • They were being sent in clear text all along anyway. The login isn't done over SSL.

  • How secure... is sending out passwords via mass email in plain text? No wonder they had their system compromised.
    • Well I guess they could have just left the old one in there. Or do you have any better ideas that you are for some reason keeping to yourself...?
      • Better ideas? No. I don't. But then again, I'm not a network administrator in charge of a system that just had a massive security breach. I would've thought that having procedures in place for something like this would be part of a system / network administrators job. If even a lowly, green-behind-the-ears tech can see that your "email passwords in plain text" idea is lacking thorough planning, then something is wrong. My first reaction to this would have been to disable all accounts until a better id
        • by CastrTroy (595695)
          They should just have reset everybody's password to some really long (20 character?) random string (different string for each user) and not recorded the result. Any user who wanted to log in would have to use the "lost password" feature.
          • Actually, the common way of doing that is to make the hash impossible to achieve. Adding an invalid character such as a ! to the beginning is a unix favorite and works quite well.

            But then you run into the whole issue of the resets being sent in cleartext anyways, so not much improvement there...

            The big problem with this method is when the website uses one those absolutely asinine recovery systems that asks you for the answer to a secret question. Most security-wise people fill that field full of gibbe
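The two suggestions above (reset every account to an unrecorded random value, or invalidate the stored hash by prefixing it with "!" as Unix does) and Amouth's "forced reset on log-on with a unique id in the e-mail" fit together into one procedure. The code below is an added example, not WineHQ's code or anything from the AppDB: a hypothetical account store that locks every hash, issues a single-use, expiring reset token whose digest alone is stored, and only accepts a new password against a valid token. The PBKDF2 parameters, the one-hour TTL and the record layout are assumptions.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 3600   # assumption: a reset token is good for one hour


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'salthex$digesthex'."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    if stored.startswith("!"):          # locked record: no input can ever match it
        return False
    salt_hex = stored.split("$", 1)[0]
    recomputed = hash_password(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


def token_digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


class AccountStore:
    """Hypothetical table: name -> {'pw': stored hash, 'reset': (token digest, expiry) or None}."""

    def __init__(self):
        self.users = {}

    def add_user(self, name, password):
        self.users[name] = {"pw": hash_password(password), "reset": None}

    def lock_all(self):
        """Unix-style invalidation: prefix every hash with '!' so nothing verifies."""
        for rec in self.users.values():
            if not rec["pw"].startswith("!"):
                rec["pw"] = "!" + rec["pw"]

    def issue_reset(self, name, now=None):
        """Returns the one-time token to put in the e-mail; only its digest is kept."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.users[name]["reset"] = (token_digest(token), now + RESET_TTL_SECONDS)
        return token

    def complete_reset(self, name, token, new_password, now=None):
        now = time.time() if now is None else now
        rec = self.users.get(name)
        if rec is None or rec["reset"] is None:
            return False
        digest, expiry = rec["reset"]
        if now > expiry:                # stale link: discard it, user must request again
            rec["reset"] = None
            return False
        if not hmac.compare_digest(token_digest(token), digest):
            return False
        rec["reset"] = None             # single use
        rec["pw"] = hash_password(new_password)   # replaces the locked hash
        return True

    def login(self, name, password):
        rec = self.users.get(name)
        return rec is not None and verify_password(rec["pw"], password)


def breach_response_demo(now=1000.0):
    """Runs the post-leak sequence on two constructed accounts and reports what each step allowed."""
    store = AccountStore()
    store.add_user("alice", "wine")
    store.add_user("bob", "letmein")
    store.lock_all()
    alice_token = store.issue_reset("alice", now=now)
    bob_token = store.issue_reset("bob", now=now)
    return {
        "old_password_after_lock": store.login("alice", "wine"),
        "wrong_token": store.complete_reset("alice", "not-the-token", "newpw", now=now),
        "right_token": store.complete_reset("alice", alice_token, "newpw", now=now),
        "token_reuse": store.complete_reset("alice", alice_token, "again", now=now),
        "new_password": store.login("alice", "newpw"),
        "old_password": store.login("alice", "wine"),
        "expired_token": store.complete_reset("bob", bob_token, "x", now=now + RESET_TTL_SECONDS + 1),
    }


if __name__ == "__main__":
    for step, allowed in breach_response_demo().items():
        print(f"{step:>24}: {'allowed' if allowed else 'refused'}")
```

The e-mail still carries a secret, so this does nothing for a user whose mailbox the attacker already controls (Dunbal's point further down), but the secret is now short-lived, single-use and worthless to anyone who later reads the mailbox, and the leaked table remains dead even for users who never act on the message.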
    • Re:How secure... (Score:4, Insightful)

      by Carnildo (712617) on Tuesday October 11, 2011 @06:52PM (#37684890) Homepage Journal

      How secure...is sending out passwords via mass email in plain text?

      Sending passwords in clear-text emails is only a minor security risk: in general, only network providers, system administrators, and three-letter agencies are in a position where they can intercept or read a user's email. If the people who attacked the WineHQ database don't fall into one of those categories, resetting passwords and sending the new ones in clear-text emails represents a dramatic reduction in the impact of the database compromise. If the attackers *do* fall into one of those categories, sending the emails does not increase the impact.

      • by Dunbal (464142) *
        Unless you are sending the new login and password to an email account which the hacker already controls because, you see, he already grabbed your password and you probably use the same password for your email, and your email (if not also stolen) is probably login@yahoo/hot/gmail.com. In fact if he was smart he would just make note of the new login and password and delete the email, and you would be stuck wondering why you can't log in to a website in a couple months' time, while he's had a couple months of
        • while he's had a couple months of reading all your mail and possibly even contacting people on your behalf through your email. Dad could you email me your login/password for that website again? I forgot it...

          More likely, using the password reset feature of many sites which works by sending out an email.

    • by Anonymous Coward

      just as secure as resetting your password via email by clicking on the "I forgot my password link", If someone can intercept your email they can easily change your passwords.

  • And went to my email and sure enough it's in my spam filter. So check there if you have missed it.

  • Most site admins are clueless about security, so the fact that they caught the intrusion at all is a very good sign.

    I always wonder how many sites are actually compromised out there.

    Remember, folks, it's always a good idea to USE A UNIQUE PASSWORD ON EVERY SITE! Of course, I'm probably preaching to the choir here.

    • by Baloroth (2370816)
      Unique passwords are hard to remember (at least, if they're any good). Password managers help (a lot) but if the main password gets keylogged, you're screwed. We really need a better system than ID + password.
      • Unique passwords are hard to remember (at least, if they're any good). Password managers help (a lot) but if the main password gets keylogged, you're screwed. We really need a better system than ID + password.

        I have an algorithm I use in my head that's based on the site name. It's not perfect, and if someone *really* wanted to figure it out and they had one of my passwords, they could do it. But, the barrier has been raised at least so most hackers will just test it out on various major sites then ignore it if it doesn't work.

        For instance, say your main password is "bur_rito" (too short, but it's an example), and the site here is slashdot.org. To create a unique password, you could do something like:
        * Tak
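The commenter's own steps are cut off above, so the following does not reproduce them. It is an added example of the general idea, a per-site password derived from one master secret and the site name, done with a keyed hash instead of a mental rule: HMAC-SHA256 keyed with the master over the site name and a version counter, with the output mapped onto whatever character set the site permits. The function, its parameters and the character sets are assumptions, not anything from the page.

```python
import hashlib
import hmac
import string

# Character classes; which one a site allows is a per-site policy (assumption).
ALPHANUM = string.ascii_letters + string.digits
ALPHANUM_SYMBOLS = ALPHANUM + "!#$%&*+-=?@_"


def _keystream(master, label):
    """Unbounded byte stream: HMAC-SHA256(master, label|counter) for counter = 0, 1, ..."""
    counter = 0
    while True:
        block = hmac.new(master.encode(), f"{label}|{counter}".encode(), hashlib.sha256).digest()
        for b in block:
            yield b
        counter += 1


def site_password(master, site, length=20, charset=ALPHANUM_SYMBOLS, version=1):
    """Deterministic per-site password from a master secret.
    Same master + site + version always yields the same string; bumping `version`
    rotates one site's password without changing the master. Bytes are mapped
    onto `charset` with rejection sampling so every character is equally likely."""
    if not 1 <= length <= 64:
        raise ValueError("length must be between 1 and 64")
    if not charset or len(set(charset)) != len(charset):
        raise ValueError("charset must be non-empty with no repeated characters")
    limit = 256 - (256 % len(charset))   # accept only bytes below this to avoid modulo bias
    label = f"{site.strip().lower()}|{version}"
    out = []
    for b in _keystream(master, label):
        if b < limit:
            out.append(charset[b % len(charset)])
            if len(out) == length:
                break
    return "".join(out)


if __name__ == "__main__":
    master = "bur_rito is far too short to be a real master secret"
    print("slashdot.org :", site_password(master, "slashdot.org"))
    print("winehq.org   :", site_password(master, "winehq.org"))
    print("winehq.org v2:", site_password(master, "winehq.org", version=2))
    print("8 alnum only :", site_password(master, "legacy-unix-box", length=8, charset=ALPHANUM))
```

Two caveats a practitioner would add. First, once one derived password leaks (exactly this breach) and the scheme is known, the attacker's problem becomes guessing the master at one HMAC per guess, so the master needs real entropy, far more than a single word. Second, the scheme cannot give a site more strength than its own limits allow: the eight-character alphanumeric case above is as weak as any other eight-character password, which is the complaint about length caps made further down this thread.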

        • by J_Darnley (918721)

          It's also annoying that every site has its own restrictions on non-alphanumerics and password lengths.

          This has got to be the worst thing about using a password manager, the fact that you have to remember which sites have what restrictions.

      • by h4rr4r (612664)

        No they are not. Come up with better passwords. Use phrases instead of total randomness. "This Is The Worst Password any 1 has ever |-|ad", is one such password that is easy to remember and very secure.

        • by Baloroth (2370816)

          And remembering which one you used on every single site you use regularly? Sure, for email and the like, but there are at least a dozen (probably more) sites I visit semi-regularly. Remembering such passwords for each site is quite a trick. You can vary the password based on the site name (as others have suggested) or some such scheme, but it gets tricky if you use even a fair number of internet sites.

          I only remember the passwords for 3-4 sites I visit (which I might want to access from random computers), a

        • by Carnildo (712617)

          My password database just passed the 300-entry mark. How on Earth am I supposed to remember that many unique passphrases, especially for sites I might not visit for years at a time?

        • by c++0xFF (1758032)

          In addition to the other replies, I'll add that some (most?) sites implement passwords poorly. The worst offender is a length limit, which I've seen capped at 20 or less. I still have to use some old Unix systems that won't recognize anything beyond 8 (and "This Is " isn't exactly a good password).

          Until sites do things right, passphrases won't work.

      • Re: (Score:2, Insightful)

        by c++0xFF (1758032)

        Good, unique passwords are fine until you have more than a handful of accounts. Even using a base password with something unique per site will only get you so far.

        Password managers are the next step, but they have to be available wherever you happen to be. That either means a smartphone (but typing in the password from my phone defeats the purpose and is a pain with truly strong passwords, a lost/stolen phone becomes a nightmare, and I don't have a smartphone anyway) or a website I can log into and copy/p

      • by Terrasque (796014)

        We really need a better system than ID + password.

        I've changed to Google's account for as many sites as I can (Google support OpenID), and I use two factor auth for my google account.

        Some things I like with openid:
        1. you don't need to have any special agreement or API key to services to add support for it to your site.
        2. If you don't trust provider A, then use provider B instead.. Or set up your own OpenID server.
        3. Since it's only one place you need to log in (and log out of), you can afford to have extra security there, which would otherwise be too annoy

  • But really, the important lesson from this is that you shouldn't share passwords between different sites. Use a variety of auth manager and a lot of the risk goes away.

  • Dropbox+KeePassX (Score:3, Interesting)

    by Maquis196 (535256) on Tuesday October 11, 2011 @06:26PM (#37684604)

    If you accept that the internet will spit out your details at some point do this;

    1. Sign up to dropbox (it's free and works on all platforms - including mobiles)
    2. Get a copy of Keepassx, mac/windows version might have different name, never used them.
    3. Store database of keepassx on dropbox so you've always got access to it.
    4. Each website gets own generated password, short passwords for things you might need to type in on phone but still random.

    This way, 1 bad event like this keeps you safe. I have both on my Android as well so it's with me always. /Maq

    • by Bios_Hakr (68586)

      I have been using LastPass for a while now. And the more I use it, the more skittish I get.

      It's not that I'm really worried about losing access to the 500 or so sites in my database. Most of those I could reset via email.

      And my email password has to be rememberable because of my android phone and such.

      I just feel really skittish about relying on something that, in-effect, is an absolute book of knowledge about me. I used to keep that book inside my head. Now, it's out there. And it keeps me up some nig

      • by lakeland (218447)

        I don't know if LastPass is the same but I use 1Password and the data in that is encrypted with a password which is not stored in the database. By the sounds of the product name I'm guessing yours is similar.

        So even if someone does manage to get your password file they'd still have to crack your master password which I'd hope is exceedingly secure.

      • LastPass (cloud service with browser plugins) supports Yubikey, a low-cost token for two-factor authentication - so someone would have to both install a keylogger on my system and physically steal the Yubikey token to get the LastPass passwords. http://www.yubico.com/ [yubico.com]

        This makes it actually more secure to always use LastPass even if you remember the site password, because the LastPass login is Yubikey protected while the site password isn't (and the way LastPass sends the password to the site doesn't involv

    • You sir are my hero.
    • by lakeland (218447)

      I use 1password with this setup.

      It works really well though it was a bit expensive to set up - I had to buy 1password for mac, windows and phone, so I think it cost about $60.

      Still, it got me onto dropbox which I now use for quite a few things :)

  • Use a password manager like LastPass [lastpass.com] or KeePass [keepass.info], or, as I do, keep an encrypted file of your sites+logins+passwords.

    You really need to manage your passwords. Reusing the same pass in multiple places is just a problem waiting to happen.

  • by gmuslera (3436) * on Tuesday October 11, 2011 @06:46PM (#37684810) Homepage Journal
    but having security problems adds another layer of compatibility with windows.
  • those showoffs were running IIS on WINE.

  • They recently deleted my account. After not having used it for a few years, I started getting several messages about old comments and reports I'd made being deleted, then I got a message saying my account would be deleted as well.

    They kind of lost a lot of credibility with me when they insisted I make good on my pledge to buy a copy of the program when some random person claimed to have gotten my requested app to run. Except you couldn't open, work with, or save any files, and no one verified the report. Bu

    • They recently deleted my account. After not having used it for a few years, I started getting several messages about old comments and reports I'd made being deleted, then I got a message saying my account would be deleted as well.

      They deleted my account as well - didn't mess with the pledge stuff and no malice on my part, just the fact that I got game consoles and Linux gaming didn't really keep me on grip. =)

      But the weird thing is this: they just now sent me a new password. Did you get this notice as well? I tried to log in with the new password, and it said the account didn't exist. I re-registered, boom, there I was again, so it was not like it was somehow closed for all the eternity.

      Did they keep my email and hashed password on

    • They kind of lost a lot of credibility with me when they insisted I make good on my pledge to buy a copy of the program

      You can't buy Wine, it's community-supported FOSS. Are you confusing them with CodeWeavers (CrossOver etc), by chance?

    • by fgouget (925644)
      This does not make sense. appdb.winehq.org has no pledge system and no program to sell.
      • by crossmr (957846)

        Right, I was thinking of Crossover. it's been a few years.
        my account from the appdb was deleted though.

  • This is one of the downsides of forcing everyone to _register_ just to report a bug. (The other downside is the tremendous pain in the user's butt.) If they only used a simple solution like Request Tracker or so.
