SpreadFirefox Security Breached (again) 140

Kurt writes "The hugely popular SpreadFirefox project, a Firefox community marketing site, has recently fallen victim to a security breach in their TWiki software. This breach has forced the site to shut down until October 19th. During this time, they will be performing a rebuild of the SpreadFirefox system, to hopefully curb more security breaches."
  • Message (Score:4, Funny)

    by mysqlrocks ( 783488 ) on Tuesday October 04, 2005 @09:32AM (#13712368) Homepage Journal
    I noticed this message yesterday. I was wondering what it was about. Where did Slashdot get this info? I didn't see it on Mozilla's web site yesterday.
    • Re:Message (Score:5, Informative)

      by druske ( 550305 ) on Tuesday October 04, 2005 @09:37AM (#13712429)
      The SpreadFirefox team sent this email out to registered users:

      The Spread Firefox Team became aware this week that the server hosting
      Spread Firefox, our community marketing site, has been accessed by
      unknown remote attackers who attempted to exploit a security
      vulnerability in TWiki software installed on the server. The TWiki
      software was disabled as soon as we were aware of the attempts to access
      SpreadFirefox.com. This exploit was limited to SpreadFirefox.com and
      did not affect mozilla.org web sites or Mozilla software.

      We have scanned Spread Firefox servers and at this time do not believe
      any sensitive data was taken, but as a precautionary measure we have
      shut down the site and will be rebuilding the web site from scratch. We
      also recommend that you change your Spread Firefox password and the
      password of any accounts where you use the same password as your Spread
      Firefox account. We will notify you again when the site is back up with
      instructions on how to change your password. (Note: We do use MD5
      hashing on the passwords, but MD5 cannot protect all passwords against
      off-line dictionary style attacks.)

      After Spread Firefox was compromised in July, we instituted procedures
      to ensure that we apply all security fixes to the software running the
      site (Drupal and PHP) as soon as they become available. Unfortunately,
      those procedures overlooked the installation of the TWiki software since
      it is not used by the main Spread Firefox site. When the system is
      rebuilt, all the software will be audited to ensure that security
      updates will be applied in a timely manner. We deeply regret this
      incident and any inconvenience this may have caused you. Sincerely,

      Spread Firefox Team
      Mozilla Foundation
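The notice above says the site stored passwords as MD5 hashes and that MD5 cannot protect every password from an offline dictionary attack. The Python below is an added illustration of that point, not part of the thread or of the Spread Firefox code base: the "leaked" table and the attacker's wordlist are constructed, the example assumes the MD5 digests were unsalted (the notice does not say either way), and the salted, iterated PBKDF2 alternative is the standard remedy rather than anything the notice describes.

```python
"""Why an unsalted MD5 password table does not survive an offline attack, and
what a per-user salt plus an iterated KDF changes. Constructed example: the
leaked hashes and the wordlist are made up for this demonstration."""
import hashlib
import hmac
import os

# Constructed "leaked" table of unsalted MD5 digests (assumed scheme).
LEAKED_MD5 = {
    "alice": hashlib.md5(b"firefox2005").hexdigest(),
    "bob": hashlib.md5(b"correcthorse").hexdigest(),
    "carol": hashlib.md5(b"Zq9!vT#2pL&m").hexdigest(),  # not in the wordlist
}

# Constructed attacker wordlist; real ones run to hundreds of millions of entries.
WORDLIST = ["password", "123456", "firefox2005", "letmein", "correcthorse"]


def crack_unsalted_md5(table, wordlist):
    """Offline dictionary attack. One MD5 per candidate word covers the whole
    user base at once: without a salt, identical passwords give identical
    digests, so the attacker hashes the wordlist once and does lookups."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[digest] for user, digest in table.items() if digest in lookup}


# --- the alternative: random per-user salt plus a deliberately slow KDF ---
ITERATIONS = 100_000  # tune so one verification costs tens of milliseconds


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh 16-byte salt per user means a wordlist
    must be re-hashed for every user, and the iteration count multiplies the
    attacker's cost per guess by the same factor it costs the server."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute and compare in constant time so verification leaks nothing."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def crack_salted(records, wordlist):
    """The same attack against salted records: every (user, word) pair costs a
    full PBKDF2 run and nothing computed for one user helps with another.
    Weak passwords still fall; the point is the per-guess cost, not immunity."""
    found = {}
    for user, (salt, digest) in records.items():
        for w in wordlist:
            if verify_password(w, salt, digest):
                found[user] = w
                break
    return found


if __name__ == "__main__":
    print("unsalted md5 recovered:", crack_unsalted_md5(LEAKED_MD5, WORDLIST))
    records = {u: hash_password(p) for u, p in [("alice", "firefox2005"), ("bob", "correcthorse")]}
    print("salted pbkdf2 recovered:", crack_salted(records, WORDLIST))
```

Run it and both attacks recover the two weak passwords; the difference is that the MD5 run costs five hashes in total while the PBKDF2 run costs five full derivations per user, which is exactly the advice in the notice to change any reused password rather than rely on the hashing.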
  • ... venting frustration over seeing their office business go down the drain!

    :-)

    -Yogix
  • hm (Score:5, Insightful)

    by sexyrexy ( 793497 ) on Tuesday October 04, 2005 @09:33AM (#13712380)
    OSS isn't inherently any more secure than proprietary software. It's just that the nature of the typical OSS developer vs a corporation means that the OSS organization is more transparent when bad things do happen. It doesn't mean that the security breach didn't already happen, though.
    • Re:hm (Score:4, Informative)

      by LnxAddct ( 679316 ) <sgk25@drexel.edu> on Tuesday October 04, 2005 @09:54AM (#13712644)
      This was a problem with one very small portion (twiki) of spreadfirefox. The system was setup regardless so that no user information was exposed. Nothing bad happened, spreadfirefox sent out a nice email to all registered users just letting them know that a remote attack was attempted.
      Regards,
      Steve
    • Re:hm (Score:5, Insightful)

      by ArsenneLupin ( 766289 ) on Tuesday October 04, 2005 @09:55AM (#13712653)
      the OSS organization is more transparent when bad things do happen

      That's correct. OSS organizations already warn their public if something might have happened to their website.

      Commercial organizations, on the other hand, don't warn their public. There may even be entire herds of goats trampling all over their website, and the public still isn't warned. Instead they quietly chase away the goats, still without a word of explanation to the public. And then completely forget to mend the fence through which the goats entered!

      • ... whew... I misread that as goatse. Bad imagery.
      • You act like it's exemplary of them to alert their users to security breaches that may have compromised those users' data, just because many commercial entities won't do that. I'd say that's an incorrect attitude to take.

        SpreadFirefox isn't any better off for alerting the community to these incidents. They're just doing what they should be doing. It's those who do not send out alerts who are truly the awful ones.

        Sending out this alert does not right the situation, however. Since this isn't the first inciden
    • Re:hm (Score:4, Insightful)

      by ajs318 ( 655362 ) <sd_resp2@earthsh ... minus herbivore> on Tuesday October 04, 2005 @10:38AM (#13713133)
      OSS is inherently more secure than proprietary software.

      Proprietary software authors do not have to do things "properly", they just kludge things together that may or may not work in every possible weirdy case, and rely on nobody ever seeing what an awful job they made of it in the first place. Witness any open source project that used to be closed-source {Mozilla; OpenOffice.org; Solaris}. Open Source developers have to write code that they would not be ashamed to show to anybody, because they do not know who is going to be looking at it. To quote Larry Wall, "Hubris is the quality that makes you write (and maintain) programs that other people won't want to say bad things about. Hence, the third great virtue of a programmer." They also have to write code in such a way that it won't be obvious from inspecting it how to misuse it.

      Morbid curiosity is what makes people look at source code; and there are significantly more good guys than bad, so if anyone is looking at your source code, the chances are that their intentions are honourable.
      • Elegant or otherwise "pretty" code is not necessarily more secure. Sometimes kludging produces the best practical solution. Elegant code is often more secure and complete, but that is correlation, not causation. It is often easy to assume that because the two change together, one must cause the other. There is nothing inherent to nice code that makes it secure.
        • Correlation, not causation ..... you mean like how eating ice cream increases your probability of drowning, yes? {More ice cream is eaten on hot days, when people tend to gather near water. While you are thinking about how to make code look good, you are more likely to think at the same time about how to make it work well.}

          While I agree with the idea that you can write insecure but pretty code, I would question that prettiness is the only criterion people use to judge the code they look at. If somethi
          • "And, of course, if you find a flaw in an open source project and the maintainer does not want to know, you can always fork it."

            Fine for you. But if, say, mySQL AB doesn't want to fix a bug or fix it in that way, you're right that you're free to fork your own, assuming you can. But that doesn't help all of the other people who will, in all probability, continue to use the mainstream product.

            In other words, people, like Linus, or organizations, like mySQL AB, still control "their" projects.

      • Re:hm (Score:2, Insightful)

        by saider ( 177166 )
        I have seen a good number comments in all kinds of projects that can be summed up as...
        // This is ugly, but it works

        Often it is the result of shoddy hardware design or trying to weld pieces of code together that were never designed for it. Sometimes you have to resort to "bad code" to achieve your goals.
        • Re:hm (Score:3, Insightful)

          by Dan Ost ( 415913 )
          Ugly code should be tolerated only if it is the only
          alternative to getting the code to work before the deadline.
          And even then, it should only be tolerated if you've tried
          and failed to move the deadline back. And then it should be
          removed as soon as possible.

          Ugly code, left unchecked, spreads like crazy because you
          have to code around it which makes more ugly code that has
          to be coded around.

          Don't write ugly code.
      • "Proprietary software authors do not have to do things "properly", they just kludge things together that may or may not work in every possible weirdy case, and rely on nobody ever seeing what an awful job they made of it in the first place."

        This indicates that you don't know how a proprietary software development environment works, nor do you understand how an open-source development environment works.

        Yes, there are many closed-source products where code is never reviewed or audited. But if you've ever code
    • OSS isn't inherently any more secure than proprietary software. But it promotes better practices in security, because "security through obscurity" is not an option.
  • Hmmm... (Score:2, Interesting)

    by PhotoBoy ( 684898 )
    No reassurances this time that no personal data was stolen? Last time they made damn sure to point out that everyone's data was safe but it seems this time they've not told us about that. Could the hackers have a nice big list of email addresses to spam now?
    • Then again, I couldn't fault them for withholding tech-tabloid cannon fodder. As soon as someone makes a promise or releases numbers, cNet and friends go into a spin-doctor uproar (from my observation anyway)
    • Re:Hmmm... (Score:4, Informative)

      by j-turkey ( 187775 ) on Tuesday October 04, 2005 @10:31AM (#13713058) Homepage

      From the email sent out, it says that:

      We have scanned Spread Firefox servers and at this time do not believe any sensitive data was taken, but as a precautionary measure we have shut down the site and will be rebuilding the web site from scratch. We also recommend that you change your Spread Firefox password and the password of any accounts where you use the same password as your Spread Firefox account.

      It seems safe to assume that personal information is a subset of sensitive data, no?

  • Wrong Date (Score:5, Informative)

    by rb2297 ( 56465 ) on Tuesday October 04, 2005 @09:36AM (#13712411) Homepage
    It says the site is down until the 15th not the 19th...
    • by Anonymous Coward
      If we can't trust them about showing correct dates, then for goodness sake, why should we believe there even WAS a security breach?
  • by elfguygmail.com ( 910009 ) on Tuesday October 04, 2005 @09:40AM (#13712462) Homepage
    It's not Mozilla software that got hacked. If it's indeed the Wiki part, then it's the MediaWiki software, which is also open source but has nothing to do with Mozilla or Firefox. Either way, that web site is very user based where tons of tools were hosted for the community like public forums and freely editable wikis, so it's not surprising that some of them may have issues. Until the actual mozilla.org site gets hacked, which I highly doubt it will ever happen, there's nothing to worry about.
  • Can you imagine... (Score:3, Insightful)

    by SocietyoftheFist ( 316444 ) on Tuesday October 04, 2005 @09:44AM (#13712507)
    Shutting your corporate website down for 2 weeks?
  • by LordKazan ( 558383 ) on Tuesday October 04, 2005 @09:44AM (#13712513) Homepage Journal
    While the "but open source is supposed to be more secure!" trolls will open their mouths about how this is evidence we're wrong - it's not.

    All software and therefore all websites contain vulnerabilities.
    The advantage of OSS is that these security holes are fixed promptly.

    Thanks to someone posting the original email announcement we know that this breach was due to poor server administration in that they didn't keep their software patched up to the latest version. This vulnerability is probably fixed in the latest TWiki releases being that someone is out there exploiting it.
    • It seems with TWiki that the security bulletin comes out right about the time that the script kiddie attacks begin. I got bit once by a TWiki security hole so when this new advisory came out I practically RAN to my server to disable the TWiki part of my site to prevent it from happening again. You really can't claim poor administration for sure in this case, things happen too fast. For my part I'm seriously considering eliminating TWiki from the public part of my site because it's just too much of a secu
      • SFS said in their email they weren't doing security audits in the TWiki
        • Based on the timing of the attack I'm guessing they got bit by the security hole that was just announced on the TWiki security alerts list on 9/28. I'm also giving them the benefit of the doubt that while they didn't do "security audits", they are at least subscribed to the TWiki alerts. In any case I am saying that TWiki has now had a couple of these and the time from alert to hack seems unusually short. I think the time I got hacked it was a matter of hours (on the weekend) between when I got the notif
    • by kiwimate ( 458274 ) on Tuesday October 04, 2005 @10:17AM (#13712908) Journal
      ...this breach was due to poor server administration in that they didn't keep their software patched up to the latest version.

      Yep, agreed.

      Same as the majority * of Microsoft hacks. People not changing their SQL Server sa password from the default, or not applying the patch that blocks that particular vulnerability that was released by Microsoft six months ago, or...

      * Note: I fully expect someone to come up and say "but what about...". That's why I chose that phrasing. I'm not arguing Microsoft is perfect, and you can certainly argue whether open-source means you get the advantage of transparency **, or whatever your retort may be. But my contention is that the majority of hacks of Microsoft products come down to poor server administration.

      ** Which advantage is also extended to the hackers, of course.
      • yes the majority of all hacks are _old_ code - but the threat severity of most OSS hacks doesn't come near to the threat severity of most Explorer or Outlook hacks since those applications are integrated into the OS.
        • I don't see how IE being part of the OS makes any difference. The problem is that the holes in IE allow arbitrary code to be run. If a hole popped up in Firefox for Windows that allowed some random .exe to be run, I'm sure it would be exploited the same way that the ActiveX vulnerabilities are exploited in IE.

          There's no difference that I can see whether or not it's integrated into the OS, the only thing that matters is that arbitrary code can be executed. This hasn't been readily demonstrated in Firefox, y

    • Well there's also the OTHER advantage of OSS, that's choice. I've looked into different Wiki setups and Twiki was one of the first I evaluated, especially because of its file upload capabilities. I had a bad feeling after the considerable amount of work it took to get it up. I looked over the code and I was.. not impressed, to put it nicely. Overall I think Twiki is junk and they need to re-write it from scratch.

      Now some people will cling to various insecure software, but when you have a stream of fixe
  • Dupe! (Score:5, Funny)

    by Scoria ( 264473 ) <slashmail AT initialized DOT org> on Tuesday October 04, 2005 @09:45AM (#13712522) Homepage
    Look at this! Now they're even taunting us by appending "(again)" to the duplicate subject entries!
  • by po8 ( 187055 ) on Tuesday October 04, 2005 @09:45AM (#13712529)

    I also recently had my TWiki [twiki.org]-based wiki farm [pdx.edu] broken into, for the 3rd time in 4 years, despite trying to stay up to date at least with Debian releases. Fortunately, I had each wiki set up to run suexec as an individual user, so the damage was reasonably well contained.

    Since TWiki's security problems seem intractable (giant Perl codebase that's very difficult to audit and doesn't seem to have been designed to handle security) I decided that enough is enough and followed freedesktop.org [freedesktop.org]'s lead in moving the whole farm to MoinMoin [wikiwikiweb.de]. MoinMoin is written in Python rather than Perl, and seems to be better thought out in terms of security, although I had to hack up the source some to get what I wanted. Some open source migration tools will be made available shortly.

    I wouldn't recommend to anyone that they run a publicly-viewable TWiki installation at this point.

    • Rockbox [rockbox.org], the open-source firmware project for the Archos Player, Recorder and iRiver H1xx's recently lost their entire TWiki on a similar security flaw. I'm not sure if it is the _same_ flaw, but it allowed the guy who did it to just wipe the whole thing clean. Thank god for the whole backup-culture...
    • I also recently had my TWiki-based wiki farm broken into, for the 3rd time in 4 years, despite trying to stay up to date at least with Debian releases.

      TWiki is not part of any official Debian release. The current round of bugs was fixed for the twiki package in unstable in March 2005, in version 20040902-2.

      Since TWiki's security problems seem intractable (giant Perl codebase that's very difficult to audit and doesn't seem to have been designed to handle security)

      Actually, it's not that bad. External proce
      • I like what you've done by way of replacing backticks/qx with something that calls the multi-arg form of system. However, I do take issue with this statement:

        SpreadSheetPlugin uses regular expressions to ensure that strings which are passed to eval are harmless. While I could not discover an exploit, this approach should be considered poor engineering from a security standpoint.

        While it is certainly easy to use regular expressions in this manner to produce code that qualifies as poor engineering from a sec

        • Actually, thinking about it, I'd be much calmer about their code if the safeEvalPerl sub read like this:

          # Allow only simple math with operators - + * / % ( )
          # (shh... don't tell anyone, we support comparison operators)
          my ($termre, $opre, $expre);
          $opre = qr{ [!<>=]= | [-<>+*/%] }x;   # '-' first: elsewhere in [...] it would form a range
          $termre = qr{ [0-9]+(?:\.[0-9]*)? | \( (??{$expre}) \) }x;
          $expre = qr{ $termre (?: $opre $termre )* }x;
          sub safeEvalPerl
          {
              my( $theText ) = @_;
              $theText =~ s/\s+//g; # spaces don't change meaning
              # The post was cut off here; the body below is the evident completion:
              # only a string the whole grammar accepts ever reaches eval.
              return '' unless $theText =~ /\A$expre\z/;
              return eval $theText;
          }
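The exchange above turns on one principle: checking a string against a pattern and then handing it to eval is filtering, while parsing the grammar and computing the result yourself means nothing unrecognised is ever executed. The Python below is an added example of the second approach for the same small language the post describes (numbers, parentheses, + - * / % and the comparison operators); it is not TWiki code or the poster's code, and the operator precedence it applies is a choice made here, since the post's grammar is flat.

```python
"""Evaluate a small arithmetic language by parsing it, instead of regex-checking
a string and handing it to eval(). Grammar: numbers, ( ), + - * / % and the
comparisons == != < > <= >=. Added example; not TWiki's SpreadSheetPlugin."""
import re

# One token per match: a number, or one of the operators. Anything else is a
# tokenizer error, so letters, quotes and underscores never get further.
TOKEN_RE = re.compile(r"\s*(?:(\d+(?:\.\d*)?)|(==|!=|<=|>=|[-+*/%()<>]))")


class UnsafeExpression(ValueError):
    """Raised for anything outside the grammar or unsafe to compute."""


def tokenize(text):
    text = text.strip()
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise UnsafeExpression(f"unexpected input at offset {pos}: {text[pos:pos + 10]!r}")
        num, op = m.groups()
        tokens.append(("num", float(num)) if num else ("op", op))
        pos = m.end()
    return tokens


class Parser:
    """Recursive descent: comparison > sum > product > term (highest binding)."""
    COMPARISONS = ("==", "!=", "<", ">", "<=", ">=")

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else (None, None)

    def take(self, kind, value=None):
        k, v = self.peek()
        if k != kind or (value is not None and v != value):
            raise UnsafeExpression(f"expected {value or kind}, got {v!r}")
        self.i += 1
        return v

    def comparison(self):  # sum (cmp sum)?
        left = self.sum()
        k, v = self.peek()
        if k == "op" and v in self.COMPARISONS:
            self.i += 1
            right = self.sum()
            return {"==": left == right, "!=": left != right, "<": left < right,
                    ">": left > right, "<=": left <= right, ">=": left >= right}[v]
        return left

    def sum(self):  # product (('+'|'-') product)*
        value = self.product()
        while self.peek() in (("op", "+"), ("op", "-")):
            op = self.take("op")
            rhs = self.product()
            value = value + rhs if op == "+" else value - rhs
        return value

    def product(self):  # term (('*'|'/'|'%') term)*
        value = self.term()
        while self.peek()[0] == "op" and self.peek()[1] in ("*", "/", "%"):
            op = self.take("op")
            rhs = self.term()
            if op in ("/", "%") and rhs == 0:
                raise UnsafeExpression("division by zero")
            value = value * rhs if op == "*" else value / rhs if op == "/" else value % rhs
        return value

    def term(self):  # number | '(' comparison ')'
        k, v = self.peek()
        if k == "num":
            self.i += 1
            return v
        self.take("op", "(")
        value = self.comparison()
        self.take("op", ")")
        return value


def safe_eval(text):
    """Parse the whole input; leftover tokens are an error, not ignored."""
    parser = Parser(tokenize(text))
    result = parser.comparison()
    if parser.i != len(parser.tokens):
        raise UnsafeExpression(f"trailing input: {parser.tokens[parser.i][1]!r}")
    return result


if __name__ == "__main__":
    for expr in ["1+2*3", "(1+2)*3", "10 % 3", "2 <= 3", "1+(2", "system('id')", "9**9"]:
        try:
            print(f"{expr!r:16} -> {safe_eval(expr)!r}")
        except UnsafeExpression as e:
            print(f"{expr!r:16} -> rejected: {e}")
```

Nothing in the input is ever executed; the parser only produces numbers and booleans, so a malformed or hostile string can at worst raise `UnsafeExpression`. Exponentiation is rejected because `**` is not in the grammar, which also rules out the resource-exhaustion expressions an unrestricted eval would happily compute.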

    • And I'm not trolling or insinuating anything, I'm genuinely asking.

      Does TWiki even use taintperl? Not that that provides much more than minimal security help anyway.
      • And I'm not trolling or insinuating anything, I'm genuinely asking.

        Genuine answer: because the code is, _in general_, more readable. Of course it's possible to write perfectly clear perl or horribly obfuscated python, but in general python code is far more readable than perl code. And that makes it far easier to check it's doing what it should do.

        • While I agree with parent that Python code tends to be more readable than Perl code, I'd like to amplify that we really aren't moving from Perl to Python, but from TWiki to MoinMoin. I believe that MoinMoin is more secure because it has a far better security record, because I've watched freedesktop.org, which is a target, run successfully for a while, and because I was able to read, audit, and modify the authentication code at the heart of MoinMoin to suit our purposes quickly.

          I'm not thrilled with MoinMo

    • I had a server running twiki that got compromised twice.

      I agree that it's best to ditch twiki, although SELinux is also good for damage limitation.
    • In addition to your story and the one in TFA, the Rockbox project [rockbox.org] recently had a security breach in TWiki too, and the whole thing got deleted. The news item is still there on their website, if you want to read it. I know the plural of "anecdote" is not "data", but this little collection of tales of woe still doesn't do much to bolster my confidence in TWiki.
    • Besides writing code with security in mind in the first place, it is all about establishing the right security process and acting quickly.

      The TWiki community has a well established security alert process [twiki.org], summarised at TWikiSecurity [twiki.org]. The security team acted very quickly on the last incident, as documented in the timeline [twiki.org].

      Like other web based software, TWiki is safe to use on public sites if site administrators establish the right security process and act quickly on an incident.

      • The last two times I discovered we were hit, I got a security alert a few days later. This may indeed be a very quick response, but it doesn't solve my problem. :-)

        I don't agree that TWiki is safe to use on public sites in its current form. The code base is so diffuse, complex, and difficult to audit that I expect more serious incidents in the near future. Responding to incidents is not the same as proactively hardening the software to prevent them. Perhaps the "Dakar" release will solve the problems--

    • by dbg400 ( 920233 ) <<dbg400.net> <at> <gmail.com>> on Tuesday October 04, 2005 @12:29PM (#13714164) Homepage

      I also recently had my TWiki-based wiki farm broken into, for the 3rd time in 4 years, despite trying to stay up to date at least with Debian releases. Fortunately, I had each wiki set up to run suexec as an individual user, so the damage was reasonably well contained.

      I'm running the TWiki Debian packages (from Unstable) but follow the security mailing list [twiki.org] and fortunately have patched (just) in time (so far). The first [twiki.org] of the two recent vulnerabilities brought an attempted attack on my server around 12 hours after getting the initial email warning.

      Since TWiki's security problems seem intractable (giant Perl codebase that's very difficult to audit and doesn't seem to have been designed to handle security) I decided that enough is enough and followed freedesktop.org's lead in moving the whole farm to MoinMoin

      It's probably not much consolation, but the upcoming Dakar [twiki.org] release features a much revised code base with security [twiki.org] in mind.

  • and ended up having to use Google caches of the pages I needed to read. Oh well. Poor SFF.
  • isn't that Firefox is more secure than Internet Explorer or Mozilla is infinitely better than Microsoft. Both are hackable and exploitable. The difference is in their response. When something happens at Microsoft, it's not announced until significantly after the fact and it takes forever for them to do something about it. Mozilla's response is to immediately shut down their site and rebuild it from scratch to be certain there is nothing left to exploit and get everything taken care of. I can't imagine Micro
    • In class and barely paying attention :-P The subject should be: The difference between Mozilla and Microsoft *cough* Feel free to mod me down for typos :-\
    • I *LOVE* how Firefox users have changed their tune in recent months. It's no longer "Firefox is more secure than IE!" and has now become "It's not about which is more secure, it's about response times!". :) It makes me smile every time.
      • Haven't you heard that phrase "security is a process"? The reason Firefox is more secure, and Mozilla before it, is because they respond quickly to security issues. Not because they don't have any. That's always been the case, since before Mozilla 1.0. The list of security flaws fixed in the release notes of every release going way back should tell you that people have never claimed that Mozilla has zero security bugs.

        So any tune you imagined was one inside your own head.
        • I think you've missed the point. Firefox (and its users) began not with a claim of a faster response to security issues, but rather to a superior security architecture which was less conducive to the remotely exploitable vulnerabilities IE has fallen victim to. Clearly they were wrong and now all they have to hang on to is their response time, which they push every second they can.
          • >>>to a superior security architecture which was less conducive to the remotely exploitable vulnerabilities IE has fallen victim to. Which they have. FF simply is more secure. There are far more high risk threats to IE. And FF does respond to what threats there are many times faster than IE, but that's less material than the fact that there are less serious threats. MS sells IE for the same price if it's insecure. More now that they are going into virus protection software. FF are simply trying
  • by 8127972 ( 73495 ) on Tuesday October 04, 2005 @10:33AM (#13713080)
    .... Likely a Microsoft employee. These days, they'll do anything to avoid a flying chair.
  • This stuff is happening so much these days I don't think it really should be considered 'news'.

    Sure, it's sad we have reached this point, but it's a sign of society in general.

    When was the last time a home break-in was on the front page of the paper? ( unless it was someone 'special' of course.. )

    Crime has just become part of the 'background noise' in life today.. Almost like the world of marketing has..
    • This is Slashdot. If some completely clueless 11 yr old blog writer can make headlines by doing an ROI comparison of Windows and Linux (which favors Linux) then why wouldn't this?
  • ... the counter [spreadfirefox.com] is still up. With less than 5 million to go before 100,000,000, I don't want to miss the final tick as it goes by [infocraft.com].
  • The last time this happened I received the following replies to questions concerning the practices of the SpreadFirefox admins:

    http://it.slashdot.org/comments.pl?sid=155997&cid=13079208 [slashdot.org]
    mykmelez (6506) on Friday July 15, @08:01PM
    (I am a foundation employee, but I am now speaking for myself, not for the foundation.)

    You should trust our competency because we almost always stay up-to-date with the latest security updates to all installed software and because we're revising our security plan and procedure

    • What makes you think that just because you've decided to use an open source product that they "owe" you anything? I say you owe them!

      It doesn't sound to me like you are an ardent OSS supporter - you don't seem to understand what it's about at all. I'll give you fanboy, though.
      • They owe us all a full investigation into this matter. We need the name(s) of the person/people who failed to keep these servers updated. Why? Well, the SpreadFirefox site first needs to show that they take security seriously, especially after these numerous breaches. Thus they need to stop letting these people maintain their servers. Second, we all need to know who these people are so that we never have any serious business relationships with them. They are obviously unfit to run servers.

        • I'm going to ravage your mother.
        • Contributors to open source projects donate their personal skills and time. There's no contractual obligation or guarantee of any level of competence. If you can't handle that concept, then you should probably stick to commercial software or purchase commercial support. Although that won't get you any guarantees of competence either, at least you'll have someone to yell at.
          • It doesn't matter if they're donating their time/services or getting paid. If what they're doing ends up being more harmful than good (i.e. running servers so as to have quarterly security breaches), then the project is better off if it gets rid of such a volunteer.

            If somebody were to volunteer their cleaning services at a church, for instance, and proceeded to repeatedly damage the pews and the flooring, then they would be politely asked to stop volunteering. It's time for SpreadFirefox to do the same, so a
  • TWiki's next-generation (codename Dakar) release will be out in about 10 days from now, and it got really changed in every way. For example, it got a brand new security model to prevent such hacks very effectively; see http://develop.twiki.org/~develop/cgi-bin/view/TWiki/DakarReleaseNotes#Security [twiki.org]:

    Dakar Release introduces the use of 'safe pipes' to prevent any malicious request from executing code on the server. This strategy stops any of the known attacks dead in its tracks. The Dakar codebase has not been
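The "safe pipes" in the release note quoted above, and the earlier comment about replacing backticks/qx with the multi-argument form of system, are the same fix: never let a shell parse a string that contains user-supplied data. The Python below is an added example of that fix and is not TWiki code; the hostile "topic name" is constructed, and the payload is a harmless echo so the unsafe form can be run and its output inspected (it needs a POSIX shell). The WikiWord allowlist is an assumption made for the example, not a TWiki rule.

```python
"""Pass attacker-influenced values to an external program without a shell
parsing them: the Python counterpart of Perl's multi-argument system() versus
backticks/qx. Added example; not TWiki code."""
import re
import shlex
import subprocess
import sys

# Constructed hostile value: a "topic name" a wiki might hand to a helper tool.
# The injected command is a harmless echo so the unsafe path can be exercised.
HOSTILE_NAME = "WebHome; echo INJECTED"

# Assumed WikiWord shape: an allowlist is the first line of defence regardless
# of how the value is later passed on.
TOPIC_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*")


def is_valid_topic_name(name):
    return TOPIC_NAME_RE.fullmatch(name) is not None


def echo_via_shell(name):
    """The unsafe pattern: interpolate into a command string that /bin/sh
    parses (what Perl backticks/qx do). The ';' ends the echo and starts a
    second command; the return value shows both commands ran."""
    proc = subprocess.run(f"echo {name}", shell=True, capture_output=True, text=True)
    return proc.stdout


def echo_via_argv(name):
    """The safe pattern: an argv list. Each element reaches the child as one
    argument, so ';', '>' and spaces are just characters in a string. A Python
    child is used instead of a system binary so this runs wherever Python does."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", name],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


def quote_for_shell(name):
    """When a shell is unavoidable (an ssh remote command line, say), quote
    each word: shlex.quote single-quotes anything with shell metacharacters
    and leaves plain words untouched."""
    return shlex.quote(name)


if __name__ == "__main__":
    print("allowlist accepts hostile name:", is_valid_topic_name(HOSTILE_NAME))
    print("shell form output:", repr(echo_via_shell(HOSTILE_NAME)))
    print("argv form, child saw:", repr(echo_via_argv(HOSTILE_NAME)))
    print("quoted for a shell:", quote_for_shell(HOSTILE_NAME))
```

The shell form prints two lines because the semicolon was interpreted; the argv form returns the hostile string byte-for-byte as a single argument. Quoting is the fallback, not the primary defence: it is only as good as the quoting routine and the shell that interprets it.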

  • The site is on fire.
  • Summary contains factual error. SpreadFirefox runs (ran?) on Drupal [drupal.org], not TWiki.
