[TYPO3-english] TYPO3.ORG hacked

stefano cecere scecere at krur.com
Fri Nov 14 16:13:15 CET 2008


incidents happen.. and usually we can discover big things, and improve, from them!

so let's use this incident to make TYPO3 (and our digital behaviours) as secure as we can!

note: last week someone cloned my debit card (bancomat).. I investigated, and today they can sniff passwords very easily.
like Robert says.. OpenID will help.. maybe also all those security guidelines that are around..

hugs to all the typo3.org and core team!
stefano




Robert Lemke wrote:
> Hi all,
> 
> it is of course very unfortunate that someone unauthorized was able to login
> to typo3.org. I can't give an official statement or tell details about the
> incident, but I'd like to share my personal perspective with you.
> 
> A general note: it doesn't matter much if a password is md5 hashed
> or not - md5 is just a hash and not encryption. Nowadays it's relatively
> easy to generate a password out of an md5 hash, especially if it is a weak
> password with few characters and without special chars.
> 
> So if someone knows the md5 hash of your password, it's almost as if he knows
> your password in plain text. Therefore what we really need is truly encrypted
> passwords or, much better, a mechanism like OpenId. I know that a team is
> currently working on improvements in that regard.
> 
> In general it is always a bad idea to use one password for several purposes.
> And most people are also not aware of the fact that their passwords
> can be sniffed during public events when using a shared WLAN with unencrypted
> connections during login.
> 
> The main reason for many site hacks I know of were insecure passwords which
> were used for many purposes or were easy to guess. The reason for typo3.org
> being hacked is, as far as I know, not a security hole in TYPO3 itself but
> rather the fact that someone got hold of a working login.
> 
> So, as it seems we got off lightly this time (though getting some bad publicity
> now, of course) and I am very confident that the team behind typo3.org,
> the TYPO3 core team and the security team will come up with a robust solution
> which shows that we learned our lessons.
> 
> Let's learn from it and ... better check again if you have weak or shared passwords
> still in use.
> 
> Best,
> robert

