Posted Mar 5, 2012 23:52 UTC (Mon) by drag (subscriber, #31333)
Also. For software projects that are compromised and find out, how many out there don't realize they have been compromised? I can pretty much guarantee you that it's a non-zero number.
It's just as likely as not that this @homakov fellow is not the first person to use this bug to hack into GitHub.
Posted Mar 6, 2012 0:17 UTC (Tue) by dlang (✭ supporter ✭, #313)
Do you really think that the hundreds of thousands of people whose machines make up botnets are allowing this knowingly? Or do you think it's more likely that they are unaware that their machine has been compromised?
You may as well start yelling that all banks are unsafe because there have been three bank robberies in the US in the last week (I don't know what the stats are, but from having had a friend who worked in a national bank's security call center, I'm confident that there have been at least that many, just from probabilities).
Posted Mar 6, 2012 0:45 UTC (Tue) by tialaramex (subscriber, #21167)
If you were right that this is somehow an "OSS thing" then no doubt when I look at threads discussing the "password encryption" of this or that proprietary PHP web application I'd find that they've all carefully added Solar Designer's custom PHP salted and pessimised password hash and used it in a compatible fashion rather than say, using a fast unsalted hash or relying on PHP's ancient built-in DES-crypt.
Whereas in reality what I see is stuff like "We use SHA1, so we are not vulnerable to the problems in the MD5 encryption" or "We have a custom algorithm which we are not at liberty to divulge" (which turns out to be something like MD5(password + "specialsauce"))
Also, and far more seriously, in reality when we look at Chip and PIN we see that banks were reluctant to even invite known white hats from outside to review their design, denied the existence of flaws they had in fact verified as real, and worked hard to keep the courts from understanding what evidence was needed to really prove that the customer's correct PIN was used to authenticate a transaction (hint, not the "PIN used" boolean in the database).
The "attitudes" and "practices" you condemn are so widespread as to be effectively universal. It would be extraordinary if they were not present in Free Software.
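The "MD5(password + 'specialsauce')" scheme the comment above describes, next to a salted, iterated hash, as an added example (not code from the page or from any of the commenters). Python's standard-library PBKDF2 stands in here for a phpass-style hash; the user names, passwords, the fixed suffix and the iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the "secret" constant the comment mentions.
SECRET_SAUCE = b"specialsauce"

# Assumed work factor for the demo; a real deployment tunes this to its hardware.
ITERATIONS = 50_000

# Constructed user table: two users happen to share a password.
USERS = {
    "alice": "correct horse",
    "bob": "correct horse",
    "carol": "battery staple",
}


def sauce_hash(password: str) -> str:
    """The weak scheme: one fast MD5 over password plus a fixed suffix.

    No per-user salt, so equal passwords give equal digests across the whole
    table, and once the suffix leaks (it is in the application code) one
    precomputed table cracks every account at once."""
    return hashlib.md5(password.encode() + SECRET_SAUCE).hexdigest()


def make_record(password: str, salt: bytes = None) -> str:
    """Salted, iterated hash stored as algorithm$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_digest_groups(table: dict) -> list:
    """Group user names that share a stored digest.

    This is what anyone holding a dumped table learns for free: with the
    unsalted scheme every shared password shows up as a cluster."""
    by_digest = {}
    for user, digest in table.items():
        by_digest.setdefault(digest, []).append(user)
    return sorted(g for g in by_digest.values() if len(g) > 1)


def weak_table() -> dict:
    return {u: sauce_hash(p) for u, p in USERS.items()}


def salted_table() -> dict:
    return {u: make_record(p) for u, p in USERS.items()}


if __name__ == "__main__":
    print("unsalted MD5 clusters:", shared_digest_groups(weak_table()))
    print("salted PBKDF2 clusters:", shared_digest_groups(salted_table()))
    rec = salted_table()["alice"]
    print("verify alice:", verify_record("correct horse", rec),
          verify_record("wrong", rec))
```

Run it and the unsalted table exposes that alice and bob share a password before a single guess is made, while the salted records are pairwise distinct and can only be attacked one user at a time, at the cost of the iteration count per guess.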
Posted Mar 6, 2012 0:50 UTC (Tue) by bronson (subscriber, #4806)
I don't understand your comment... Do you think SF.net, kernel.org, and GitHub are all connected somehow? Beyond the trivial circumstance that connects them to banks, the US military, NASA, Sony, and all the other competently-administered websites getting hacked every day?
Happily, because of Git's hashing scheme, it's not very easy to make repo modifications without having people notice.
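How Git's hashing scheme makes a silent repository modification visible, as an added example (not code from the page or from the commenter, and not Git's own implementation). It recomputes Git's object IDs the way Git does, SHA-1 over a "type size\0" header plus the object body, for a constructed two-commit history, then changes a file in the first commit and shows that the tip commit's ID changes even though its own tree is untouched. The file names, contents and author identity are constructed.

```python
import hashlib

# Constructed author/committer line; the timestamp is arbitrary.
IDENT = "Alice <alice@example.com> 1331000000 +0000"

# Constructed linear history: oldest snapshot first, each a {filename: bytes} map.
ORIGINAL = [
    {"README": b"hello\n"},
    {"README": b"hello\n", "main.c": b"int main(void){return 0;}\n"},
]

# Same history, but the file in the first commit has been altered after the fact.
TAMPERED = [
    {"README": b"hello!\n"},
    {"README": b"hello\n", "main.c": b"int main(void){return 0;}\n"},
]


def git_object_id(kind: str, body: bytes) -> str:
    """Git object ID: SHA-1 over '<type> <size>\\0' followed by the body."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)


def tree_id(files: dict) -> str:
    """Tree over regular files only (mode 100644), entries sorted by name,
    each entry 'mode name\\0' followed by the 20 raw bytes of the blob ID."""
    body = b""
    for name in sorted(files):
        body += b"100644 " + name.encode() + b"\0" + bytes.fromhex(blob_id(files[name]))
    return git_object_id("tree", body)


def commit_id(tree: str, parents: list, message: str, ident: str = IDENT) -> str:
    """Commit body: tree, zero or more parents, author, committer, blank line, message."""
    lines = [f"tree {tree}"]
    lines += [f"parent {p}" for p in parents]
    lines += [f"author {ident}", f"committer {ident}", "", message]
    return git_object_id("commit", ("\n".join(lines) + "\n").encode())


def build_history(snapshots: list) -> list:
    """Commit each snapshot on top of the previous one; returns the commit IDs."""
    commits = []
    for i, files in enumerate(snapshots):
        parents = commits[-1:]          # linear history: at most one parent
        commits.append(commit_id(tree_id(files), parents, f"commit {i}"))
    return commits


def tip_matches(expected_tip: str, snapshots: list) -> bool:
    """What a clone that already holds the tip ID can check: rebuild the chain
    from the objects it was given and compare the resulting tip."""
    return build_history(snapshots)[-1] == expected_tip


if __name__ == "__main__":
    orig = build_history(ORIGINAL)
    tam = build_history(TAMPERED)
    print("original tip:", orig[-1])
    print("tampered tip:", tam[-1])
    print("tip tree unchanged:", tree_id(ORIGINAL[1]) == tree_id(TAMPERED[1]))
    print("tampered history accepted:", tip_matches(orig[-1], TAMPERED))
```

The second snapshot is identical in both histories, so its tree ID is the same; the tip commit still gets a different ID because its parent field names the altered first commit. Anyone who already has the original tip ID (a prior clone, a tag, a mailing-list reference) therefore sees the mismatch. The caveat is that this only detects rewriting; an attacker with push access can still force-push a rewritten chain, and the check only helps if somebody compares against an ID they obtained earlier.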
Posted Mar 6, 2012 1:03 UTC (Tue) by bronson (subscriber, #4806)
Posted Mar 8, 2012 6:50 UTC (Thu) by pabs (subscriber, #43278)
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds