Mozilla Dumps Info of 76,000 Developers To Public Web Server 80
wiredmikey writes Mozilla warned on Friday that it had mistakenly exposed information on almost 80,000 members of its Mozilla Developer Network (MDN) as a result of a botched data sanitization process. The discovery was made around June 22 by one of Mozilla's Web developers, Stormy Peters, Director of Developer Relations at Mozilla, said in a security advisory posted to the Mozilla Security Blog on Friday. "Starting on about June 23, for a period of 30 days, a data sanitization process of the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server," Peters wrote. According to Peters, the encrypted passwords were salted hashes and they by themselves cannot currently be used to authenticate with the MDN. However, Peters warned that MDN users may be at risk if they reused their original MDN passwords on other non-Mozilla websites or authentication systems.
Mozilla... (Score:4, Funny)
"Committed to you, your privacy and an open Web"
Re: Mozilla... (Score:5, Insightful)
Re:They don't deserve to be commended. (Score:5, Insightful)
but meeting the bare minimum requirements doesn't earn somebody commendation from me.
How often do hear news stories about leaks with encrypted passwords that are properly salted? :)
How often does anybody admit a possible leak, when there is no evidence anybody downloaded the database dump...?
Really, how often do you hear about things like this, if discovered internally?
I agree, it's the decent thing to do, but I don't think you can expect this level of detail, openness and honesty from commercial players.
I can't imagine any organization that wouldn't sweep this under the rug, after all it was discovered internally.
It makes me wonder why the hell they aren't doing any better.
Avoiding a leak would certainly have been preferred. But mistakes happens, processes fails.
Re: (Score:3, Insightful)
We shouldn't. They fucked up. We should call them out for fucking up.
What the GP said was not "we should commend them", but "in their defense".
It's a valid defense: they fucked up, they noticed, they cleaned up what they could, and they admitted their mistake and advised people appropriately. That doesn't make their mistake go away, but it changes it from Badness Level 50 (eBay) to Badness Level 30 (Target).
Re: (Score:1)
Because even I can't fuck up a UX badly enough to impress a Mozilla developer.
Re: (Score:3)
If even a tiny fraction of the people who bitch about their mistakes actually acted then things would be much better and you would have to find something else to complain about.
I do do something about it. You don't see this kind of leak nonsense from any product I've ever worked on. I expect developers elsewhere to be equally professional. User credential data (and personal info) is important, and development processes need to be more careful around it.
Re: (Score:3, Interesting)
Oh? Shame you haven't helped others like Mozilla with that. It would sure be nice if you could spread your magical immunity from human error out to others, but apparently you're too professional to share that wisdom.
Best practices for avoiding leaks of important stuff are well known (and, really, Mozilla didn't suck here). But they had insufficient code or process review somewhere, to have had this leak. Normally, I'm all for rapid, agile development, but when it comes to the important stuff don't do that. Go slow. Get 20 people to review the change. Come back after a week or a month and review it again. It's important, don't rush it. There's very little most of us work on that's actually important, since most p
Re: (Score:2)
I do do
Hah. You said doodoo.
Re: (Score:1)
Re: (Score:1)
Well, at least they succeeded on the last one.
Re: (Score:2)
The more you think about it, the more it sounds like doublespeak.
You: oh, so that's why they remove useful features that everyone wants with every new release? That's why they shove a godawful UI that nobody wants down everyone's throat?
Your privacy: see summary
Open web: the EME debacle says otherwise
Re: (Score:2)
You: oh, so that's why they remove useful features that everyone wants with every new release?
Wasn't everyone complaining about feature 'bloat' before? Damned if you do...
That's why they shove a godawful UI that nobody wants down everyone's throat?
I think by 'nobody' you mean 'a tiny minority'. It looks fine to me. What do you think is so awful about it?
What the fuck has happened to Mozilla?! (Score:1, Interesting)
The name "Mozilla" used to be among the most respected names in computing. It represented integrity, honesty, innovation, and quality software.
Bugzilla was one of their first successes. It was widely used during the early 2000s, and some development teams still use it to this day. It's the kind of tool that helped make a lot of software development teams a lot more efficient, and it helped users do what they could to get a better experience out of the software they were using. People's lives were made bette
Re: (Score:2)
Like how you managed to slip in a jab against "hipsters", who will no doubt destroy civilization.
And you must be smoking a lot of crack if you think IE is a better browser.
Re: (Score:1)
Well, I think the GP could be right. Hipsters have done a pretty damn good job of destroying GNOME 3, Windows 8, iOS 7, and Firefox. Given how they've managed to harm or kill prominent and widely used software systems like those, I don't see why civilization itself wouldn't be next!
Have you actually used IE 11? Its UI is kind of in the dumps, but underneath it's actually a pretty good browsers these days. It's fast, it's standards compliant, and it works. It's not as good as Chrome, but it's a huge step up
Re: (Score:2)
I honestly think Firefox fans are so caught up in the trivium that they've forgotten how good the browser really is, or how much it's sincerely improved over the years.
[citation needed]
I can't see anything that's improved in Firefox since they went Full Metal Retard a few years ago. They've screwed up the UI, they've added new bugs, they've neglected to fix old ones. All they've succeeded at is rapidly increasing the version number.
I dread a new Firefox release, because I know they'll have fcsked up something else.
Re: (Score:1)
I can't see anything that's improved in Firefox since they went Full Metal Retard a few years ago. They've screwed up the UI, they've added new bugs, they've neglected to fix old ones.
What are you talking about? Firefox is now faster than Chrome, uses less memory, and has Odin Monkey. Mozilla is a non-profit organization that is dedicated to privacy. Google is a data mining company that has begun moving towards more-closed types of projects (killing RSS, XMPP integration, etc.). Anyone that cares about technology freedom and privacy should be using supporting Mozilla.
Re: (Score:1)
What happened is that they can no longer fight the good fight on their own like they could when it was just them, the like-minded Opera, and a Microsoft who cared nothing about the situation and let their own browser rot. Now they have Google, Apple, and Microsoft to face off against, and an increasingly useless fanbase who just see the negatives and don't even want to pitch in anymore.
You try stopping Google when they say "jump". At least Mozilla stands up to them and tries to effect change. Everyone else
Re: (Score:1)
Re: (Score:1)
Where do you get the "75%+" number that people hate the UX changes? For what it's worth, I've used Firefox for years as my primary browser; I've used Chrome and IE only as necessary to test websites (or to use websites that are so poorly coded that they don't work with Firefox), and when I upgraded to FF 29 with the new UI, it took me about 15 minutes to get acclimated.
I keep hearing people lump the FF UI redesign in with things like GNOME 3 and the Windows 8 start screen. But it's nothing like them; nothin
Re: (Score:2)
And then they wasted even more on that failed mobile OS that nobody really wants.
I must have missed the part where it failed ... and the part where 'nobody' wants it.
Stop Storing Personal Data (Score:1)
Data is easy to keep but it's also easy to leak. And given the consequences of leaks, companies need to start asking themselves whether it is worth storing all this data in the first place.
How many times did Mozilla ever actually use all this personal data internally? How many times on average the data for each of the 76,000 developers used? How many records were never accessed at all?
If you don't need all this data, then just don't store it. It's easy!
Re:Stop Storing Personal Data (Score:5, Insightful)
All this personal data? It's your email address... that's it. Because your email is used to log you in.
They also leaked a hashed and salted password.
I keep hearing your argument, but I always ask myself... if you car that much, why did you surrender personal information in the first place??!? I've never been to any site other than facebook that actually required any personal information. Even then you can just put in bullshit.
Mozilla did everything right here... other than the breach itself of course. Mistakes happen, and with properly Hashed/Salted passwords and quick and full disclosure those mistakes don't have to be serious.
Re:Stop Storing Personal Data (Score:5, Informative)
By personal data, they mean 76,000 email addressed and 4000 salted password hashes.
As for how many times it was accessed, RTFA
"We traced back as much as we could. Access logs, netflow data, etc.," the user wrote. "We found that the tar.gz containing the DB dump had been downloaded only a small number of times. Mostly by known contributors. But we can't rule out that someone with malicious intentions got access to it."
Or... you could throw your toys out of your cot and post a rant condemning Mozilla.
You're obviously not effected by this either or you would already know the answers to your questions because they emailed everyone effected about it already.
Re: (Score:2)
when gender issues are poaching away resources from real work.
Your gender issues seem to be poaching away resources from real thinking. How is it related to web browsers what other people may or may not do with their nether appendages?
Btw I'm queer and I'm sad about how some marriage advocates made Brendan Eich quit. But I'm confident there's still "real work" going on at Mozilla.
Are you familiar with the debacle where the Gnome Foundation went broke because they blew all the money on their Outreach Program for Women?
Here's coverage if you're unfamiliar, although if you're a queer slashdot reader you probably aren't:
http://www.phoronix.com/scan.p... [phoronix.com]
The Eich issue showed the world that Mozilla is chock full of the same sentiment. And Mozilla's lost so much market share that they're only a bit player now. When push comes to shove, their "Real Work" is not cutting the mustard.
I've wo
Re: (Score:1)
Re: (Score:1)
FUBAR (Score:3)
This is the one thing we didn't want to happen [youtube.com]
Could have been worse (Score:1)
At least they had enough sense to salt the hashes. It's gotta be annoying to have your email address floating around out there though.
Slashdot comments (Score:2)
Re: (Score:2, Interesting)
I think people in here believe that Mozilla made an honest mistake here. A mistake that wasn't a result of cost cutting or malice.
In those instances, a little understanding is called for.
Re: (Score:2)
Are ignorance, negligence, or arrogance better reasons not to behavior professionally and follow accepted best practices?
Sure, maybe I could have reviewed the code personally since, I assume, it's open source (as are, I assume all the administration scripts they use? Yeh, right). But, I probably use, directly or indirectly, nearly a billion lines of code every year - I really don't have time to review each change any more than I have the resources or interest to test each gallon of gasoline I put in my car
Sentence Structure (Score:3)
Makes it sound like Stormy Peters is both the Director of Developer Relations and the developer who discovered the error.
what kind of hash / salt? (Score:2)
Neither of the two links in TFS mentioned what kind of hash was being used. Does anyone happen to know? If it was the old fashioned DES hash as commonly used in .htpasswd, it may well be plaintext. If it was crypt('$5$xxxxxxxxxxxx' SHA, it's only a concern for people who chose very bad passwords.
Re: (Score:2)
DES isnt a hash, its a Data Encryption Standard.
On which the most common hash is based (Score:4, Informative)
DES is the encryption standard which is the basis of what for many years was the most common type of hash. .htpasswd files, the least significant bits of the first eight characters are used as a 56-bit key. This key (the users password) is used to encrypt a null bytes, 25 times. crypt(3) accepts a two-character salt, but uses only the lowest six bits of each character, so it's a 12 bit salt and a 56 bit password (maximum).
For DES-based hashing, as used in
crypt(3) can also support better hash algorthims by passing salt values such as $1$xxxxxxxx$ or $5$xxxxxxxxxxxx$
Re: (Score:2)
The more you know...
Not clear why you would use an encryption scheme to do hashing, though-- my understanding is that while both should have good hash characteristics (small changes in plaintext should cascade into large changes in the secured form), purpose-designed hash algorithms will generally be more resistant to attack than encryption schemes, and often faster.
Why wouldnt they have used MD5 back when DES Hash was used?
Re: (Score:2)
A good encryption algorithm cannot be reversed without knowing the key, and a hash shouldn't be reversible, so a good encryption is a good basis for a hash. For PASSWORD hashing you don't use just the primitive, whether that primitive is DES or MD5. You do many rounds, with salt.
If you're not kidding about MD5, DES was in use twelve years before Rivest proposed MD2. Maybe 20 years before MD5, I don't remember the exact year for MD5.
Purpose-built hash algorithms have not been better, historically.
* emphasis on more bits (3DES) (Score:2)
I said:
> A DES-based hash would still be fine, just by allowing more bits.
I should clarify that DES itself specifies a key length of 56 bits. To get more bits, you do DES three times*, which is called Triple DES or 3DES. If you use three different 56-bit keys, that's effectively a 112 bit key due to meet-in-the-middle, and that's strong for an another fifteen years.
* encrypt(key1,decrypt(key2,encrypt(key3,plaintext)))
Backlash (Score:2)
Probably backlash from the 80% disapproval rate for that shitty new interface they dreamed up. I'm using Palemoon now.
Different concerns now (Score:1)
Obviously at Mozilla, the effort to be 100% Politically Correct means security takes a back-seat in terms of effort.
What would one expect of an organization... (Score:2)
...that would think it was okay to screw over users with a new UI and not continue to provide security and stability updates for a few years to those who didn't want a new broken UI (something few successful commercial enterprise companies have managed to do). Or, thought it was okay to, a few days ago, push an update which either broke the UI further or broke a popular add-on that many of us were using to work around their earlier mistake.
If you can't get UIs right or understand that UI stability is import
What's he big deal? (Score:2)
Who cares if the passwords were re-used? (Score:2)
Could someone explain (Score:2)
If the failure a result of a code change, why was there no unit test to catch it?
And if there was no code change, why would you set up such a publish process to silently continue if such a critical step failed?