WordPress Hacked, Attackers Get Root Access 168
An anonymous reader writes "A hacker has gained access to WordPress.com servers and site source code was exposed including passwords/API keys for Twitter and Facebook accounts. From the official blog post: 'Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partner's code. Beyond that, however, it appears information disclosed was limited.'"
the cloud (Score:5, Insightful)
and that's why I don't want everything in the cloud.
Facebook? Twitter? (Score:5, Insightful)
The Word Press devs promoting integration with Facebook is like handing Sweeney Todd the razor and saying "Shave away, whatever you like."
It starts with FB managing the identities and next, the discussion threads, and slowly creeps throughout - until WP is a hollow frame on which to drape FB parts.
Eviler than Google. And that's saying a lot.
why rob banks? (Score:2, Insightful)
that's where the money is.
say you are a black hat, you gonna go after amazon cloud services or ME as an individual at home.
individuals are gonna get hit one at a time... the cloud is a really big juicy target
security through fifty-leven different systems & methods for each record.. kinda security through obfuscation.
my method will be different from my neighbor
if we are both on amazon cloud-- you only gotta get in once.
Re:the cloud (Score:5, Insightful)
Re:the cloud (Score:5, Insightful)
That's why the parent is right.
Re:the cloud (Score:2, Insightful)
Oblig. http://xkcd.com/538/
In short... It's more secure because nobody cares about his private data, and even if some hacker did care about his data specifically, whether or not it is on his own computer makes no difference.
On a large system, such as WordPress, each individual user's data is of insignificant value, but the whole of it may have some value.
It is easier to break 1 machine with 50,000 users than 50,000 machines with 1 user each.
Re:Saw some unusual activity this week (Score:5, Insightful)
If they raided the entire fridge, even if it was encrypted, they'd have the keys and thus all the passwords on a silver platter.
I think what you meant to say is you hope the passwords were hashed .
Re:the cloud (Score:4, Insightful)
Re:the cloud (Score:4, Insightful)
But it makes it far more probable.
Re: twitter/fb-This has been happening everywhere (Score:3, Insightful)
Login: Half the sites I visit these days have a facebook login option to access that site's account. A subset of which no longer really -have- an account management of their own.
Discussion threads: Almost every site that has discussions threads seems to use Disqus these days.
Avatars / Profile pictures: Thanks to the use of Disqus, that'll be Gravatar, but even sites that still have their own commenting system seem to be jumping to Gravatar; including WordPress.com .
I'm not sure who knows more about people anymore.. Google or that little conglomeration of services.
Re:the cloud (Score:5, Insightful)
I never said I didn't want "anything" in the cloud. In fact the word I used was "everything". I also placed that word in italics to emphasize that I meant some things I would rather maintain on my own machines, but not all things.
One of us has rather poor reading skills. That may be the one that is "moronic".
Furthermore, you have no idea what I do or where most of it takes place. To assert that you do is, well, rather short sighted. One might almost be inclined to say moronic.
And to decide that the security of one's data is properly handled should be a matter of luck. There has to be a good word for that view, let me think on it a bit and I'm sure it will come to me.
Oh, and if being called moronic makes you feel bothered at all, I'd recommend keeping that in mind when you throw the word at others. I'm no rocket scientist but that kind of slur really isn't called for.
Re:CGI systems (Score:2, Insightful)
Wow! You could serve TENS OF USERS with that rig!
Re: twitter/fb-This has been happening everywhere (Score:3, Insightful)
Gravatar is particularly bad because it is uniquely* identifying to your e-mail address.
(* as far as MD5 is unique for the purposes)
If you were ever silly enough to use your e-mail address on some random blog to make an anonymous post - falsely trusting that the site wouldn't make this public - and that site decides to add Gravatar -without- making sure it only adds this for non-Anonymous posts... bam. exposed.
In addition, of course, Gravatar knows who you are, at least by e-mail address (not sure what other information you have to give up). Because Gravatar hosts the avatar images but gets referenced from the original site (or via Disqus), Gravatar essentially knows where you have posted comments.
That's just two of the security/privacy issues with Gravatar - a websearch will yield many more. But users typically don't care.. they just think it's great that they can go to Gravatar, upload a new profile image, and that's instantly updated on every service you use. That's useful to some. Webmasters also generally don't care, because they believe that -all- their users are the aforementioned type of user. This happened recently at a site and after a short explanation in the discussion system there (not Disqus, thank goodness), many agreed that the webmaster made a booboo and the webmaster made it opt-in a few days later; but the damage was already done. Gravatar essentially had a list of everybody who ever commented there - people who are typically customers of that site - the moment people started viewing pages. And that's presuming Gravatar doesn't immediately scrape the site for datacollection - I know I would if I were evil.
I've long given up the idea that there's anything I can do completely anonymously - but it still saddens me to see that privacy is yanked away so readily and without any consent, thanks to the masses.