the grinch that hacked Blogger
December 26, 2001 9:39 AM Subscribe
the grinch that hacked Blogger with all of its users and weekly issues, what would be the glory in hacking into a system that breaks on its own?
What's the glory of hacking into a system that provides weblogging services -- for free -- to a lot of people.
I suppose if Blogger charged for its services, it could afford the technology to prevent some of the breakdowns as well as make it more difficult to crack.
posted by shelleyp at 11:10 AM on December 26, 2001
shelleyp: Hundreds of thousands of FTP passwords, apparently. Many of them probably belong to people who don't use blogger anymore, or won't hear about this. So they don't change their FTP password, and for a lot of them, that's probably also their login password.
Figure 150,000 blogger users. Say 10% are inactive but still have valid accounts on their ftp server. So 15,000 passwords that probably won't be changed. Say a further 10% of those are on machines with vulnerabilities that can be easily exploited. That leaves about 1500 boxes that now belong to Mr. Anonymous Cracker.
1500 T1-connected machines are capable of collectively pumping roughly 1.5Gb of continuous traffic. Someone got themselves a fat Santa's bag full of compromised machines for DDoS attacks this Christmas. Ho ho ho.
posted by rusty at 11:21 AM on December 26, 2001
...anyone know how long Blogger hangs on to passwords? I haven't used it in, oh, about a year.
(I changed my accounts anyway, but now I'm curious)
posted by aramaic at 11:25 AM on December 26, 2001
there are 2 passwords.
1. the blogger password to log into blogger
2. your FTP password that blogger needs to transfer/store the file(s) on your machine
if i recall this correctly, by default your FTP password does not have to be saved within blogger. once you blog a news item to your site, a pop-up asks you to fill in your FTP user name and password and the FTP login is valid for that session only.
now everyone who does store the FTP password within her or his blogger profile has done so because it does add extra convenience. i *hope* that everyone who stored the FTP password with the blogger profile was also aware of the potential security issues related to doing that. after all, it's (almost) like leaving your credit card PIN number on a (more or less) public web server.
i assume that ev is busy getting the system up and running. i also assume that he will come out later and explain what has happened and how serious this break-in really was.
until then it does not make much sense to speculate. i do enjoy the security discussion over at metaTalk though!
posted by HeikoH at 12:08 PM on December 26, 2001
As somebody said above, it's a dirty trick for someone to play on a site that provides so much community service. And since transparency is the name of the game at Blogger, I'm sure EV will be forthcoming with the details, whatever they turn out to be.
posted by barkingterrier at 1:44 PM on December 26, 2001
a suggestion: if you have the luxury of running your own unix-based server, give the account that posts to blogger a shell of "/bin/noshell", and your allowed hosts for ftp should be 64.41.146.217 and 64.41.146.215 and that's it. if your server supports logins via ssh, it most likely supports scp [secure copy] as well. instead of using that nasty old ftp to transfer files from remote locations, if you're running windows, winscp is a godsend. it looks and feels just like your standard ftp client and is far more secure.
if anyone's interested i can dig up some scp clients for mac os 9 or x.
posted by boogah at 3:02 PM on December 26, 2001
D: i've been told by some of my friends who are a bit more rabid about os x than i that rbrowser is quite nice for your scp needs.
and if any of you other folks have another version of mac os [8.x/9.x] grab a copy of NiftyTelnet SSH and follow the utterly simple directions here to use scp to your heart's content.
posted by boogah at 4:10 PM on December 26, 2001
Gosh. I had three e-mails telling me that since my blogs have been closed down for a time, this is the best news they have had in a long time and this shows God is good and powerful.
posted by Postroad at 4:26 PM on December 26, 2001
Ev writes as follows:
Hi, folks.
As most of you who were online today probably know already, Blogger was hacked yesterday (merry Christmas). I took it down this morning and have been investigating, etc, all day. I'm in the process of recovering and putting it back online now, but I haven't necessarily found the hole, so I'm doing so very cautiously. So, the API services have been down and will continue to be down until I'm able to tighten them up more, which probably won't be tonight (though I expect to have the main interface back up tonight).
Sorry,
Ev.
posted by Steven Den Beste at 4:58 PM on December 26, 2001
correction: unlike what i mentioned previously if you set your ftp user's shell to "/bin/noshell" you cannot use that username to login via scp. apologies for any confusion i may have caused.
posted by boogah at 5:08 PM on December 26, 2001
Ev seems to be using this as a back-channel means of communication. Keep your eye on it for updates.
posted by Steven Den Beste at 5:09 PM on December 26, 2001
does anyone know if the hacker actually got the ftp passwords out of the system?
all I saw happen was that every blogger password was changed to "1".
I am definitely not an expert, but if that was what happened, surely by changing them all back, or changing them all to some proper random alphanumeric password, the access to people's boxes would be cut off?
if passwords were actually downloaded, that's a different story.
posted by jennys at 5:11 PM on December 26, 2001
does anyone know if the hacker actually got the ftp passwords out of the system?
when it comes to a break-in, expect the worst. he may not have gotten any actual passwords, but perhaps he got the file[s] with the md5 crypt hashes [if that happens to be what blogger uses]. if that's the case, he can run the file[s] through a password cracker, and if one was to use something as simple as "lemon" or "robert" as their password then the intruder would pretty much have an open account to play with. the more enterprising intruder may have even more complicated wordlists to compare your password to [like words in hebrew, latin, klingon. no language is safe.]
so until ev says "nope, he didn't grab the password file[s] don't sweat it." i'd say change your password... i'd still change your password just as a safety precaution.
in any case you should use a secure password. i use a number, word, special character [like ^ or |] in a random string. it's not hard to remember three to five characters before or after a word or abbreviation, honest.
posted by boogah at 5:38 PM on December 26, 2001
Jenny, it's much too soon to know. When Ev finds out, I'm sure he'll tell us.
But he's trying to repair a server located in SF using a laptop in Des Moines; and he doesn't have any of his manuals or notes or access to his backups. It's not that easy.
Practice patience, Grasshopper.
posted by Steven Den Beste at 5:42 PM on December 26, 2001
More fun secure password tips: Pick a phrase that you are able to remember. A line from a song, perhaps, or a line from a movie. Something with several words, like 8 or 9 or more. Try not to pick the refrain from the song that's currently all over the radio, though! Take the first letter of each word, and use that as your password. For extra security, capitalize some letters according to some scheme you can remember, and add some punctuation, like a comma where you mentally pause, or two exclamation points in the middle. Also, if your phrase includes words like "to" or "for", use the digits for those. Or spell out a whole short word in it for no apparent reason. You get the drift.
The important thing is that it's much easier than it sounds to remember, and ends up looking like line noise, and being impossible for others to remember if they don't know the phrase you're basing it on. Definitely a technique worth using.
posted by rusty at 6:40 PM on December 26, 2001
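The two password tips in this thread (boogah's "number, word, special character" mix and rusty's first-letter-of-each-word phrase technique) combined into a small added example. This is not code from Blogger or from anyone in the thread; the capitalisation scheme (capital for words of six letters or more), the digit substitutions for "to"/"for"-style words, and the tiny wordlist are all constructed here for illustration.

```python
"""Derive a password from a memorable phrase and check it against the
thread's advice: not a dictionary word, mixed character classes, decent length.
Added example; the rules below are assumptions chosen to be easy to remember."""
import re

# Constructed stand-in for a cracker's wordlist ("lemon" and "robert" are the
# examples from the thread). A real cracker's list is far larger.
WORDLIST = {"lemon", "robert", "password", "letmein", "blogger", "christmas"}

# Assumed substitution rule: number words and their homophones become digits.
DIGIT_WORDS = {"to": "2", "too": "2", "two": "2",
               "for": "4", "four": "4", "one": "1", "won": "1"}


def passphrase_to_password(phrase: str) -> str:
    """Turn a phrase into a password: first letter of each word, a digit for
    'to'/'for'-style words, a capital for words of six letters or more (the
    assumed, memorable capitalisation scheme), and a comma kept wherever the
    phrase has one (the 'mental pause' from the thread)."""
    out = []
    for token in phrase.split():
        trailing_comma = token.endswith(",")
        word = token.strip(".,!?;:'\"").lower()
        if not word:
            continue
        if word in DIGIT_WORDS:
            out.append(DIGIT_WORDS[word])
        elif len(word) >= 6:
            out.append(word[0].upper())
        else:
            out.append(word[0])
        if trailing_comma:
            out.append(",")
    return "".join(out)


def weakness_reasons(password: str, wordlist=WORDLIST) -> list:
    """Return the reasons a password would fall quickly to a dictionary
    attack or fails the character-mix advice. An empty list means it passes."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    # Strip digits and punctuation first so "lemon1!" is still caught as "lemon".
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in wordlist:
        reasons.append(f"dictionary word: {core!r}")
    if not re.search(r"\d", password):
        reasons.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        reasons.append("no special character")
    if not re.search(r"[A-Z]", password) or not re.search(r"[a-z]", password):
        reasons.append("not mixed case")
    return reasons


if __name__ == "__main__":
    for phrase in ("i want to go home for christmas",
                   "we wish you a merry christmas, and a happy new year"):
        pw = passphrase_to_password(phrase)
        print(f"{phrase!r} -> {pw!r}: {weakness_reasons(pw) or 'ok'}")
    for pw in ("lemon", "Robert99!"):
        print(f"{pw!r}: {weakness_reasons(pw)}")
```

Note that a phrase-derived password can still miss a character class (the second phrase above yields no digit); the checker points that out so the user can add one, which is exactly the kind of tweak rusty describes.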
I think Blogger would be better implemented as a local application on the user's computer, à la CityDesk. Of course, the downside to that approach is being unable to update your weblog from a remote location. But even that could be worked around. Make the application small enough to be easily downloadable, and store the raw data on the user's webserver along with the formatted weblog.
Having all those passwords is an invitation for skiddies to come in and have a play, especially when the passwords are the keys to servers most likely connected to big fat pipes.
posted by helloboys at 7:46 PM on December 26, 2001
Blogger is back up again.
posted by Steven Den Beste at 8:31 PM on December 26, 2001
Can somebody please make an announcement here when they are able to successfully make a Blogger posting? I'm no longer getting the Sorry page, instead just getting a 500 error.
posted by KenGoldstein at 8:52 PM on December 26, 2001
Wow. I decided to remove my password from the Blogger servers a few weeks ago, on the chance that it would be vulnerable to a hack.
I'll change my account password anyways. That bites.
posted by Down10 at 9:19 PM on December 26, 2001
posted by jkottke at 10:01 AM on December 26, 2001