
Mozilla Posts File Containing Registered User Data

wiredmikey writes "Mozilla yesterday sent an email to registered users of its addons.mozilla.org site, letting them know that it had mistakenly posted a file to a publicly available Web server which contained data from its user database including email addresses, first and last names, and an md5 hash representation of user passwords."
  • by higuita ( 129722 ) on Tuesday December 28, 2010 @07:10AM (#34684718) Homepage

    It should not happen, but we are all humans (I think!!) and human people make mistakes (and scripts/robots break and fail, by the way).

    All of us that administer servers have made some mistake in the past and probably will make more in the future. We can try to put enough road blocks to reduce the severity of the mistake, but they happen.

    So as "sh*t happens", the openness and honesty of Mozilla is to be praised; most closed-source companies would try to hide and ignore things like this.

  • by cbope ( 130292 ) on Tuesday December 28, 2010 @07:10AM (#34684724)

    So, are you proposing that the offenders be drawn and quartered? Where are the torches and pitchforks?

    I mean come on, we are human after all and humans make mistakes. They have owned up to this mistake and you seem to want to make an example of them.

    But then, I suppose *you* have never made any mistakes. It must be great to live in a world that is so black & white.

  • by Opportunist ( 166417 ) on Tuesday December 28, 2010 @07:20AM (#34684754)

    No, they should not. But mistakes happen where humans are at work. The question is, how do these humans then deal with the problems they caused?

    The usual is to hush-hush and hope nobody notices. Mozilla could have done just that, and with far better conscience than other companies who followed that practice. According to the logs, the file was downloaded once, and that's by the person that informed them about the mistake. Essentially, one could assume that this is as "safe" as it gets considering the blunder. If they just decided to shut up about it, probably nobody would have noticed.

    But is that the right way to deal with a problem that can potentially affect your customers?

    I quite strongly recommend NOT chewing them out for making a mistake but actually applauding their very considerate approach to dealing with it. Consider the "learning effect": Chew them out and the learning effect is that it's better to just hush up when you lose customer data, especially if the chance of it getting into the wrong hands is slim. That's pretty much what most other companies do, and even if it gets out it rarely causes more than a bit of a tempest in a teapot on /.

    Outside the security-concerned tech community, nobody even notices.

    So yes, mistakes like that should not happen. But they do. They happened, they happen and they will happen as long as humans are somehow involved in the process. Hence I welcome how they dealt with it.

  • by Opportunist ( 166417 ) on Tuesday December 28, 2010 @07:29AM (#34684790)

    Consider the consequences if it doesn't "excuse" it.

    Essentially, a company making a mistake has two choices: Hush it up or come forward. Now, obviously the latter does not have any immediate benefit for them. It becomes known that they fucked up. Not good.

    Trying to cover it up has the nice effect that maybe nobody notices. And in this case, the chance of this happening was actually pretty high.

    If the net effect is the same, whether they cover it up or admit it, the choice is obvious. If I get accused of a crime and whether I plead not guilty (and hence force a lot of witnesses to testify and clog down the legal system) or guilty (and spare the witnesses to face me again, as well as running the whole process with far less waste of resources) has no effect on the verdict, nobody will plead guilty and confess anymore. Why should they? There's nothing to gain with it, is there?

    If you condemn a company making a mistake no matter whether they admit it or try to hide it, nobody will admit it anymore. And that can cause quite a bit more harm if that info gets into the wrong hands and hence your passwords get known by people who might abuse them, all because a company decided to play possum and you not knowing that your credentials have been compromised.

  • by Dr_Barnowl ( 709838 ) on Tuesday December 28, 2010 @09:11AM (#34685212)

    Urrgh.

    Please, don't encrypt passwords. Encryption implies that you can retrieve them if you have the keys, which could have made this much worse.

    MD5 hashing is probably still a secure practice, done right, for a given degree of "secure". Like any kind of data security, it's all about raising the cost of obtaining the data beyond the amount that a given person is willing to pay to do so. While MD5 costs less to crack these days, the cost to obtain each Mozilla user account password is probably still higher than most are willing to pay (although stealing the resources to do this via a botnet probably reduces this cost considerably).

    Given equally sound methodology, encrypting passwords is always less secure than hashing them, because encryption implies that you can retrieve the plaintext, which leaves it open to all sorts of additional attacks, like stealing the encryption keys along with the data, "persuading" the sysadmin to decrypt them with either a rubber hose or a wad of cash, etc, etc.

    On the other hand, hashing means that you genuinely cannot retrieve the password without expending a large amount of CPU time, and persuasion isn't going to help.

    Any site that will email you your password as plaintext is doing it wrong - there is no reason that any authentication system should be able to retrieve your plaintext password. It's acceptable to offer a means to force a password change, it is NOT acceptable to send my password to me via a medium that any intervening server could read, and it's not acceptable to be storing passwords as plaintext or even encrypted when it is demonstrably less secure than hashing and there is no benefit to retaining them.

    In fact, you should mail the sysadmin of any such system and let him know that his system is doing it wrong, and why.
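
The hash-versus-encrypt distinction drawn in the comment above, as an added example that is not part of the original thread and is not Mozilla's code: a one-way password record exposes only a verify operation, and a per-user salt keeps identical passwords from producing identical stored values, unlike a plain MD5 column. The user names, passwords and PBKDF2 parameters are constructed assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example


def md5_unsalted(password: str) -> str:
    """Plain MD5 hex digest with no salt, the weakest form of 'hashed'."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def create_record(password: str) -> dict:
    """One-way record: random 16-byte salt plus a slow PBKDF2-HMAC-SHA256 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS,
            "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Re-derive from the candidate and compare in constant time.
    The record holds no key and no plaintext, so there is nothing to decrypt."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def reuse_groups(digest_by_user: dict) -> list:
    """Users whose stored digests are identical, as visible to anyone
    holding a copy of the file."""
    groups = {}
    for user, digest in digest_by_user.items():
        groups.setdefault(digest, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    # Constructed sample accounts; two of them share a password.
    users = {"alice": "correct horse", "bob": "correct horse",
             "carol": "tr0ub4dor"}
    plain = {u: md5_unsalted(p) for u, p in users.items()}
    salted = {u: create_record(p) for u, p in users.items()}
    print("unsalted MD5 reuse groups:", reuse_groups(plain))
    print("salted record reuse groups:",
          reuse_groups({u: r["hash"] for u, r in salted.items()}))
    print("alice verifies:", verify(salted["alice"], "correct horse"))
```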

  • by Rich0 ( 548339 ) on Tuesday December 28, 2010 @11:10AM (#34686280) Homepage

    I think you're stretching "easily computable" - when I want to log into a website I don't want to spend 10 minutes with a calculator and an ascii table, or require access to the md5sum application.

    Plus, this only works if it remains an uncommon way of generating passwords. If it becomes commonplace, then if a hacker can run through a bazillion md5 sums do you think that it will take them long to include variants of site names represented as ascii in their attacks? Once they figure out your algorithm through brute-force then it can be trivially applied to any other sites you have accounts on.
