[TYPO3-english] TYPO3.ORG hacked

ries van Twisk typo3 at rvt.dds.nl
Sun Nov 16 14:18:43 CET 2008


On Nov 16, 2008, at 7:58 AM, Erik Svendsen wrote:

> Hello Dmitry,
>
> You have my support!
>
> For instance, MD5 hashes aren't secure at all. Every MD5-hashed password
> with fewer than 6-7 characters is insecure (the hash -> password is
> known).

Don't forget that some people do have longer passwords and are thus  
more secure, even with a simple MD5.

>
> Security is much more than the hashing of passwords; as long as
> information is sent in plaintext you can't talk about real security.

People sniffing for passwords are much less common than hacking the
server/system in the first place.
Even if a hacker sniffs a Wi-Fi network, they will only get to see one
password, and not the whole database of passwords. The attack is thus
different (user vs system).


>
>
> A website isn't insecure if the only information it is possible to get
> hold of is information which is publicly accessible, even if it's a site
> where you have to log in to post anything. If you are using the same
> password on websites where security is important or on shell accounts,
> it's not the websites, but yourself, that makes a security risk.
>

Full ack...

> TYPO3 isn't more or less insecure than other CMSs, even if others have
> MD5 hashing as default. Different websites could be more or less secure,
> whatever CMS is used, depending on the overall security of the
> implementation and the CMS. If you are using a two-year-old version of
> any CMS, you are probably a security risk whatever.

We can all agree that some sort of hash/blowfish/md5 or whatever method
is better than no hash at all. Security is all about making 'it'
(whatever it is) more difficult. In the end everything can be hacked,
found out, etc...

We shouldn't try to handle TYPO3 security the same way a bank secures
data. We do need to be reasonable here! (We cannot force a TYPO3 BE to be
run over SSL and only over SSL, for example.)

Thoughts need to go to how we can do better.

Sorry Ingo... I don't have a patch at hand....

Ries



>
>
>
>> Hi!
>>
>> Andreas Becker wrote:
>>
>>> Simply make the highest standards of security the TYPO3 standard and
>>> don't ask if someone wants a less secure one. If they want to change
>>> it to insecure it will be their fault if they get hacked and not that
>>> of an insecure TYPO3.
>>>
>> What I dislike in such posts is that they use words like 'insecure'
>> without understanding what they claim by using such words. This does
>> a lot of damage to TYPO3. Much more damage than the original
>> incident. Irresponsible posts, like yours, are bad.
>>
>>> The same goes for Silverstripe, Magento, CMSMS and many more high-class
>>> CMSs. They simply try to provide the highest standard in password and
>>> login security just from scratch when you start installing your site -
>>> WHY NOT TYPO3?
>>>
>> Where is your patch? Everyone can shout and scream. It is easy.
>> Instead, do something useful and make a patch. If you can't — don't
>> shout because it is useless.
>>
> WBR,
> Erik Svendsen
> www.linnearad.no
>
>
> _______________________________________________
> TYPO3-english mailing list
> TYPO3-english at lists.netfielders.de
> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-english



			regards, Ries van Twisk


-------------------------------------------------------------------------------------------------
Ries van Twisk
tags: Freelance TYPO3 Glassfish JasperReports JasperETL Flex Blaze-DS  
WebORB PostgreSQL DB-Architect
email: ries at vantwisk.nl
web:   http://www.rvantwisk.nl/
skype: callto://r.vantwisk
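Added example, not code from this thread or from TYPO3 itself: it puts the short-password brute force Erik describes against unsalted MD5 next to a salted, iterated hash (PBKDF2-HMAC-SHA256 from Python's standard library), to show concretely why "some sort of hash" is not all equal. The 36-symbol alphabet, the iteration count, the record format and the sample passwords are all chosen here for illustration and are not TYPO3's.

```python
# Added example, not from the thread or from TYPO3. Contrasts unsalted MD5
# (fast, unsalted: precomputable and quickly brute-forced for short inputs)
# with PBKDF2-HMAC-SHA256 (per-password salt, tunable work factor).
# Alphabet, iteration count, record format and passwords are constructed.
import hashlib
import hmac
import itertools
import os
import string

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols, deliberately small


def md5_hex(password: str) -> str:
    """Unsalted MD5, the legacy scheme under discussion: same input, same hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_md5(target_hex: str, alphabet: str = ALPHABET, max_len: int = 4):
    """Enumerate every candidate up to max_len; return (password, tries).

    Because there is no salt, this enumeration could also be done once,
    stored, and reused against every leaked hash ("hash -> password is known").
    """
    tries = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            tries += 1
            candidate = "".join(chars)
            if hmac.compare_digest(md5_hex(candidate), target_hex):
                return candidate, tries
    return None, tries


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover at exactly this length."""
    return alphabet_size ** length


PBKDF2_ITERATIONS = 100_000  # work factor; raise it as hardware gets faster


def pbkdf2_hash(password: str, salt=None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash. A fresh 16-byte salt per password defeats
    precomputed tables; the iteration count makes every guess expensive."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record (illustrative format) so the parameters can be
    # raised later without breaking verification of older records.
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    weak = "ab3"  # constructed short password
    found, tries = crack_md5(md5_hex(weak))
    print("MD5 of %r recovered as %r after %d candidates" % (weak, found, tries))
    for n in (3, 6, 8):
        print("length %d over %d symbols: %d candidates"
              % (n, len(ALPHABET), keyspace(len(ALPHABET), n)))
    rec1, rec2 = pbkdf2_hash(weak), pbkdf2_hash(weak)
    print("same password, two records differ:", rec1 != rec2)
    print("verify correct:", pbkdf2_verify(weak, rec1),
          "verify wrong:", pbkdf2_verify("ab4", rec1))
```

Two things the thread's argument rests on are visible when this runs: the three-character MD5 falls after a few hundred candidates and, since the hash is unsalted, that work could have been done before the breach; and a longer password only helps with MD5 because the keyspace grows exponentially, whereas with a salted, iterated hash the attacker also pays the iteration cost per guess and cannot share work across accounts.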