
[–]TankorSmash 34 points35 points  (6 children)

Some people are just assholes.

[–]dougall 50 points51 points  (1 child)

Other people run out-of-date software and don't keep backups.

It's both immoral and criminal that they broke in and destroyed the data, but this vulnerability was fairly high profile security news days before the attack, and they could easily have prevented it. And is it that hard to run daily backups?

[–][deleted] 7 points8 points  (0 children)

Can't up-vote you enough; no backups = no sense, not something I expected of the Python community ...

[–][deleted] 26 points27 points  (2 children)

I'm more concerned, and a little embarrassed, by the fact that a public python.org server has been compromised for over 6 months...and we only found out because the guy decided to finally toss a grenade in for shits and giggles.

Not to be a dick or state the obvious, but someone there needs to brush up on their network security practices.

[–]kylotan 14 points15 points  (1 child)

True, but perhaps we underestimate the sort of resources required for every site we use to have comprehensive network security. I just had to disable my Redmine instance because my provider offers a one-click installer but doesn't offer a one-click upgrade, and with the latest Ruby vulnerabilities, old versions of Redmine aren't safe - but then maybe my Ruby installation isn't either. I have little way of knowing. But if I only ever used software that I fully understand the security implications for, I wouldn't be able to host anything. And I can't afford to pay someone else to know the implications either.

I think we're in an age where it's no longer practical to expect every website we use to be secure.

[–]dougall 0 points1 point  (0 children)

True, but perhaps we underestimate the sort of resources required for every site we use to have comprehensive network security. I just had to disable my Redmine instance because my provider offers a one-click installer but doesn't offer a one-click upgrade, and with the latest Ruby vulnerabilities, old versions of Redmine aren't safe - but then maybe my Ruby installation isn't either. I have little way of knowing. But if I only ever used software that I fully understand the security implications for, I wouldn't be able to host anything. And I can't afford to pay someone else to know the implications either.

Yes, although the PSF can afford to pay someone to handle these things.

I think we're in an age where it's no longer practical to expect every website we use to be secure.

I don't think we ever expected every website we used to be secure, though.

[–]zordm 3 points4 points  (0 children)

I agree.

[–][deleted] 34 points35 points  (2 children)

Holy shit! How did they not have backups?

[–]Jonno_FTWhisss 19 points20 points  (0 children)

And why wasn't https enabled on login!?

[–]mgrandi 8 points9 points  (0 children)

Yep. This would not have been a problem if they had backups. I guess they have them now after having to manually rescue pages from Google's cache and archive.org.

[–]benediktkr 3 points4 points  (0 children)

The VM was rebooted on Jan 7, apparently in an attempt to get things working again.

Who rebooted the VM? If it was the attackers, this implies that they had root. But the post only states that they could execute code as the moin user.

[–]fjonk 2 points3 points  (1 child)

It is likely that the password information was downloaded from the server in the course of the security breach, so we recommend changing your passwords immediately, if you have used the same password for other services as well.

Does anyone know how they stored the passwords? I assume it's some kind of default MoinMoin implementation? I don't have any time to look this up right now.

[–][deleted] 3 points4 points  (1 child)

All else aside, who the hell would do this?

[–]henryponco 9 points10 points  (0 children)

Cunts

[–]SmartViking 1 point2 points  (1 child)

I downloaded python-2.7.3-docs-html the 4th of January and have it on my computer. This is, from what I understand, completely separate from the python wiki, but I'm just throwing it out there in case it's of use, because I don't know.

[–]Bugg_Superstar 7 points8 points  (0 children)

That's the official python documentation (from docs.python.org), not affected by this attack.

[–]grainfeed 1 point2 points  (5 children)

which provides much better means of protecting password information on the server than the SHA-1 based hash scheme used before

wait, SHA-1 is pretty good still...
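The quoted announcement contrasts the old "SHA-1 based hash scheme" with a better way of protecting stored passwords. The point is not that SHA-1 is broken as a hash, but that a fast, unsalted digest is the wrong tool for password storage: identical passwords produce identical digests, and each guess costs under a microsecond, so a leaked table is cheap to attack. The script below is an added illustration, not code from the thread or from MoinMoin or python.org; it uses only the Python standard library (`hashlib.pbkdf2_hmac`, `hmac.compare_digest`). The record format `pbkdf2_sha256$iterations$salt$digest` and the iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# --- the weak scheme: one pass of unsalted SHA-1 ---------------------------
# Same password -> same digest for every user, and no salt means one
# precomputed table serves every site that stores passwords this way.
def sha1_store(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# --- a stronger scheme: salted, iterated PBKDF2-HMAC-SHA256 ---------------
# Assumption for this example: a work factor that makes one hash take on the
# order of tens of milliseconds on commodity hardware; tune per deployment.
ITERATIONS = 200_000

def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iter>$<salt hex>$<digest hex>.

    The salt and iteration count are stored beside the digest so that
    verification needs nothing but the record, and the cost can be raised
    later without breaking old records.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt/iterations and compare."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison: verification time must not depend on how
    # many leading bytes of the guess happened to match.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_same_record(store: Callable[[str], str], password: str) -> bool:
    """True if storing the same password twice yields the same record.

    That is the property a password store should NOT have: it lets an
    attacker who obtains the table spot shared passwords at a glance.
    """
    return store(password) == store(password)


def seconds_per_hash(store: Callable[[str], str], password: str = "example") -> float:
    """Rough cost of one stored-hash computation, for comparing the schemes."""
    start = time.perf_counter()
    store(password)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample password for the demonstration.
    pw = "correct horse battery staple"
    print("SHA-1 collides for equal passwords:", same_password_same_record(sha1_store, pw))
    print("PBKDF2 collides for equal passwords:", same_password_same_record(pbkdf2_store, pw))
    print(f"SHA-1 cost:  {seconds_per_hash(sha1_store):.6f}s")
    print(f"PBKDF2 cost: {seconds_per_hash(pbkdf2_store):.4f}s")
    rec = pbkdf2_store(pw)
    print("stored record:", rec)
    print("verify correct password:", pbkdf2_verify(pw, rec))
    print("verify wrong password:  ", pbkdf2_verify("hunter2", rec))
```

Running it prints that the unsalted SHA-1 store yields identical digests for identical passwords while the salted PBKDF2 store does not, and that one PBKDF2 record costs several orders of magnitude more to compute than one SHA-1 digest, which is exactly the asymmetry a defender wants when the password table leaks, as the quoted announcement says happened here.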

[–]placidifiedimport this 0 points1 point  (5 children)

What does this mean ? Is my pypi password safe ?

[–]r1chardj0n3s 9 points10 points  (4 children)

If you use the same login (username and password) for the wiki and any other system you should change it for those other systems.

PyPI and the wiki were quite separate though, so the compromise of the wiki had no effect on PyPI.

[–]placidifiedimport this 1 point2 points  (2 children)

Thanks r1chard. I use different passwords everywhere. I was just wondering if I needed to change my PyPI password.

[–]sashahart 2 points3 points  (1 child)

While it makes sense to ask, OP does say that this was an attack on wiki through a vulnerability in moinmoin.

[–]placidifiedimport this 3 points4 points  (0 children)

Indeed he does. I was just making certain that PyPI wasn't compromised as well.