Serious security breach on Developer Blog
- prehistoric
- Posts: 1744
- Joined: Tue 23 Oct 2007, 17:34
spoor of the beast
Things are slow here. Been off elsewhere, tracking. "bear" may have left a calling card on the computation freebies board some little time ago.
(WARNING: use any links with shields up! "pfix=ram", etc.)
http://freeforums.bizhat.com/index.php? ... #entry1164
Doesn't anyone ever clean up that site?
How do the date and content compare with BarryK's problems? Has anyone seen an earlier example of this particular genre?
prehistoric
- prehistoric
- Posts: 1744
- Joined: Tue 23 Oct 2007, 17:34
Re: linked Trojan
@ymer,
Sorry, I was upset because I had had no response from all my attempts to contact ttuuxxx and the Trojan was still up. There was a typo which prevented the clueless from simply clicking through, so it did no real harm. Caneri saw it and realised he needed to disable some links, which was good.
@anyone,
I've now figured out how to handle warnings in that particular case. We need a better way in general to notify site administration when a hacked site is discovered. Suggestions?
prehistoric
- prehistoric
- Posts: 1744
- Joined: Tue 23 Oct 2007, 17:34
community vs. attackers
Here's a quote from a PM I sent while worrying about the issues of openness and secrecy in relation to our current problem.
"Not wanting to say too much to the wrong people. That's the maddening thing about this whole business. Our whole model for problem solving is built on openness and cooperation. The damage attacks cause goes beyond the stuff you could take to court as evidence of monetary loss."
Does that spark any thoughts about preserving the community as well as computer systems?
This episode has taught me one lesson; you shouldn't try to consider a software system in isolation from people. When you start trying to build programs that can stand on their own against a real, potentially-hostile human world you are into AI, where huge systems that consume all the resources you have and are never finished, or debugged, are all too common. The Puppy user/developer community is an integral part of Puppy.
If you want a case study in how not to organize the developer/user community, read Daniel Robbins on the two cultures he found when he tried to return to Gentoo.
http://blog.funtoo.org/2008/01/tale-of- ... tures.html
Most people in the software business still don't really believe it possible to create and maintain an operating system of any significance with volunteers. They've all seen how large teams of highly-paid people can fail to accomplish a fraction of the innovation found here. (This might have some connection with the idea that if the software is finished, and can stand on its own, there's no more need for developers.) I've seen several times how they keep looking for the trick, the exception which will allow them to classify Puppy as unreal.
prehistoric
Edit: link fixed, and tested. This takes you to the specific page. Thanks to paulh177.
Last edited by prehistoric on Sat 19 Jan 2008, 15:11, edited 2 times in total.
That blog is worth a read, but is at http://blog.funtoo.org/ (the link from primitive's PM is broken for me).
Hi,
I have received a lot of e-mails and private messages on this subject, and I am monitoring the situation and this thread. I have regular backups, and the whole server - and forum software will be upgraded some time at the end of Jan, when hopefully I'll have some time to go through the moderator situation too.
Either way I'd like to thank Flash publicly for taking care of everything moderation related so well for us.
Cheers
JohnM
Maybe it's an idea to use the wiki at www.tiddlywiki.com that stores everything in one single HTML file? There is also a kubrick theme that is similar to the wordpress theme for tiddlywiki here:
http://tiddlythemes.com/empties/Kubrick.html
I would think that there would be no need for servers with stuff installed, like PHP scripts, to have a blog online if using tiddlywiki. And if writing offline and then uploading to the website, it will be quick to delete everything on a website if something gets compromised and insert a fresh copy from the one offline.
But a minus with tiddlywiki is that as of today it's only Firefox and IE that save changes to tiddlywiki with no problems, and that some say it gets slow when it's big. Opera has a problem with saving to the file and needs some extra jar file which may not work. I don't know if Seamonkey is able to save to tiddlywiki.
As for security breaches and hacking attacks, it's a good question who may be behind them. Some think that even governmental elements would like to get rid of things that are focused on freedom and cooperation and sharing. After all, the internet grew to be the people's net and not something that could be controlled. I know someone in China so I hear very often about how they are blocked from websites and such. That's the government who's doing this.
PS: As a matter of fact I told this person about puppylinux and a few days later I heard that all sites on puppylinux are blocked in China where they are (don't know how it is with other cities there). Really strange to hear...
- prehistoric
- Posts: 1744
- Joined: Tue 23 Oct 2007, 17:34
forces of darkness
@kattami,
Have strong evidence this is unlikely to be big forces of darkness.
Is "bear" a prince of insufficient light?
prehistoric
blocked
"all sites on puppylinux are blocked in China"
From what I know, it's servage.net that is blocked. And it happened that both puppylinux.org and puppylinux.com are now hosted in servage.
However, there are many other mirror and repository sites:
http://puppyisos.org/
http://puppylinux.ca/
http://s3.amazonaws.com/puppy/index.html
http://mymirrors.homelinux.org/puppy/
(the few that I can recall now, that is).
I hope that distrowatch.com and ibiblio.org are not banned in China.
Puppy user since Oct 2004. Want FreeOffice? Get the sfs (English only): http://puppylinux.info/topic/freeoffice-2012-sfs
- prehistoric
- Posts: 1744
- Joined: Tue 23 Oct 2007, 17:34
Psychology of Security
Here's some thought-provoking material from Bruce Schneier.
http://www.schneier.com/essay-155.html
Here's a description of Schneier himself.
http://en.wikipedia.org/wiki/Bruce_Schneier
I first knew about him because of his work in cryptography, back when I was more mathematical than today. His Applied Cryptography is a classic.
When he went into Computer Security as a professional, he had a series of shocks. This formed the basis of his book Secrets and Lies.
The classic example from that book, for me, is the teenage hacker he interviewed. How did he break in?
"I called them up and told them I forgot my password."
His book, Beyond Fear, is particularly relevant to this discussion, but I have not read it yet.
Added: For those who think the psychology is off topic, I offer an alternative viewpoint particularly relevant for people who value minimalism in software, as Puppy people do.
http://www.ranum.com/security/computer_ ... index.html
Hope this will shift our thinking in a productive direction.
prehistoric
p.s. Thanks to Flash for straightening me out on the book links. I've also changed them so they take you directly to the author's web pages, instead of Amazon. As my career started before HTML existed, or had anything to link to, I am still learning.
Last edited by prehistoric on Sun 20 Jan 2008, 21:11, edited 1 time in total.
A very dumb question or maybe suggestion:
The story is that I've always had fears about Puppy running only with a root account; a simple compromise would allow the intruder to take control of everything, and you know what could be done with that.
Also, I think it would be great to have a notification system integrated into Puppy: for example if some serious security patches come up or ... shouldn't we get notified by some application rather than waiting for us or the user to visit the forums, news, ... sections to find out that we had to update something?
I know that Linux in general is more secure (or at least more securable) than M$, but I think those days of Linux hacking are coming and with this trend we might get caught with our pants down.
Sorry for a rather long post.
PS: I know these kinds of topics have surely been discussed before, but with the rise of these kinds of threats, shouldn't we make these a priority for Puppy Linux?
kattami wrote: "But a minus with tiddlywiki is that as of today it's only Firefox and IE that save changes to tiddlywiki with no problems, and that some say it gets slow when it's big. Opera has a problem with saving to the file and needs some extra jar file which may not work. I don't know if Seamonkey is able to save to tiddlywiki."
Although I don't know tiddly about the system's architecture, it seems to me that if it's that browser-dependent, then it has serious flaws already.
Any "glitch" like that gives an attacker their entry vector: update method 1 works, update method 2 fails. There's something different about them that the software isn't expecting. The attacker simply analyzes the differences and looks for a way to exploit them.
The fact that some obscure .jar will make Opera work is even more troublesome and has the potential to open another security hole.
- ttuuxxx
- Posts: 11171
- Joined: Sat 05 May 2007, 10:00
- Location: Ontario Canada,Sydney Australia
My site was attacked also and it took my service providers 4 days to work it out. They went out and bought new servers and transferred all my files and folders. Now it's up and running perfectly. I have a strong feeling that it was the phpBB forum that I have that was hacked. I think I'll have to change to a different forum; I get tooooooo much porn ads anyways and that really peeves me off. Hope everyone else doesn't get the hassles that I did. I couldn't even log into my server. And in the end it was 100% offline. I do want to thank all the support from people who were worried.
ttuuxxx
http://audio.online-convert.com/ <-- excellent site
http://samples.mplayerhq.hu/A-codecs/ <-- Codec Test Files
http://html5games.com/ <-- excellent HTML5 games :)
ttuuxxx
Since all this hacking started I have been viewing the source code for pages that the Firefox plugin NoScript red-flags. Even though your site is up and running now, I found this line to be a little strange at the very start of your index.
link href="file:///C|/Documents and Settings/sparepc/Desktop/liquid design/project.css" rel="stylesheet" type="text/css"
???
- ttuuxxx
- Posts: 11171
- Joined: Sat 05 May 2007, 10:00
- Location: Ontario Canada,Sydney Australia
Ya, that's a stupid line. I still use Dreamweaver CS3 for my websites; well, I took a diploma class in web development and all we learned was Dreamweaver for desktops, and CMS PHP server-side. Strange we had to learn Microsoft products for the creative side, and Linux for servers. I would have rather learned code 100% but noooo, it was like 10%. So I'm teaching myself as I go, but really for websites without a content management system, Dreamweaver is pretty good, and damn Adobe for not porting it to Linux, only Apple and Windows. grrrrrr
ttuuxxx
http://audio.online-convert.com/ <-- excellent site
http://samples.mplayerhq.hu/A-codecs/ <-- Codec Test Files
http://html5games.com/ <-- excellent HTML5 games :)