http://qs1969.pair.com?node_id=784810


in reply to Status of Recent User Information Leak

I wanted to take a quick moment to offer thanks and public praise to jdporter who has done a great deal of work in response to this incident. I believe jdporter is the person who has done the most among those who do not have access to do much of the required work. (Though, I apologize if I missed substantial work done by others, as I surely have since I haven't had time to even read much of the discussions that have been spawned.)

jdporter went to great lengths to contact as many PerlMonks as he could and reached out to me via quite a few routes, some surely requiring some research. Unfortunately, the timing was such that I didn't notice his attempts until after I caught the tail end of some aftermath to OverlordQ speaking as vroom and as me in the chatterbox. Also thanks to bobf for being the first to successfully communicate the situation to me in a manner that I was able to clearly understand.

Thanks to many others who have expressed their support and to many more who have simply demonstrated patience, calm, and/or clear-headedness in the face of this crisis.

Finally, I would like to apologize, again. In particular, for my part in not re-implementing enough of the password system at PerlMonks. There are quite a lot of improvements that I've long wanted to get to related to passwords at PerlMonks. Hashed passwords was certainly one of them. Quite a few of the published passwords (and tons of others) would have surely been quickly found even if they had been hashed due to well-established dictionary attacks. But the plain text password storage was a stated motivation of the attack.

- tye

Re^2: Status of Recent User Information Leak (jdporter++)
by hobbs (Monk) on Jul 31, 2009 at 09:54 UTC
    When you hash 'em, hash 'em well. With a grain (or a hundred odd bits) of salt. And preferably with a suitably expensive KDF based on a hash that's not known to be totally hosed. glibc 2.7+ crypt() with the $5$ method should be reasonably strong; Crypt::SaltedHash with SHA-256 is less strong, but the best thing I can think of that's reasonably portable.
Re^2: Status of Recent User Information Leak (jdporter++)
by Argel (Prior) on Jul 31, 2009 at 20:57 UTC
    I imagine this has been a huge time sink and very stressful. And if Don't Panic! briefly came to mind I'm sure it was quickly discarded. I can only imagine what it's like to be in those shoes and I appreciate the effort that has gone into handling this situation. Thanks jdporter and the rest and I hope we can get a more complete list later on so that we can properly thank everyone!

    Elda Taluta; Sarks Sark; Ark Arks

Re^2: Status of Recent User Information Leak (jdporter++)
by doom (Deacon) on Aug 02, 2009 at 17:05 UTC

    Finally, I would like to apologize, again. In particular, for my part in not re-implementing enough of the password system at PerlMonks. There are quite a lot of improvements that I've long wanted to get to related to passwords at PerlMonks. Hashed passwords was certainly one of them.
    Thanks, I'm glad to hear the acknowledgement, and the apology -- but it should be part of the above summary, not buried in the comments. And while I personally agree that one should never re-use passwords, the admonishing tone about that advice is a bit much... you're pointing the finger in the wrong direction.

      you're pointing the finger in the wrong direction.
      Not to worry, because every time you are pointing a finger at someone else you are pointing three back at yourself!!! (^_^) [Think about how you fold the non-pointer fingers in.] Of course after a co-worker used that on me back at my first job I made sure to always point all of my fingers, toes/feet, and even my nose directly at him!! (^_^;)

      Elda Taluta; Sarks Sark; Ark Arks