
Apple servers hacked by Anonymous - shawndumas
http://i.tuaw.com/2011/07/04/apple-servers-hacked-by-anonymous/
======
robtoo
_"The passwords appear encrypted so there is little threat that others can
abuse this account information."_

This is nonsense, of course. Several of the hashes are googleable.

Sometimes I feel like web app security is still where unix security was 30
years ago. Before /etc/shadow.

(edit: and before setuid programs realised they should do privileged
operations early then drop privs asap.)

Also, pastebin link because it's not included in the article:
<http://pastebin.com/tkmZDG9m>

~~~
yuhong
There are already good password hash algorithms available, like bcrypt. In
particular, the problem of googleable hashes was solved long ago with salt.
It is just that not all websites use them. To make things worse, it is hard to
determine which password hash algorithm a site uses without having access to
the source code.

~~~
robtoo
The solution to a fundamentally-flawed security architecture is _not_ a better
hash algorithm, sorry.

bcrypt is good at what it does, but that is such a limited domain that it is
insignificant next to the decades of security research and experience that
many popular modern web apps blindly ignore.

What does bcrypt have to do with the principle of least privilege, for
example?

------
personalcompute
Link to the actual tweet/pastebin instead of the clueless tech reporter
blogspam who thinks 'Anonymous' has an official twitter account and that MySQL
'PASSWORD()' (SHA1 x2) hashed passwords have little threat of being abused.
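
An added example, not code from the article, the pastebin or any commenter, that puts yuhong's point about salt and personalcompute's point about MySQL PASSWORD() side by side. It implements PASSWORD() as the thread describes it (SHA1 applied twice, no salt), shows why such hashes are "googleable" by cracking a constructed dump against a precomputed table, and contrasts it with a salted, iterated hash. Python's standard library has no bcrypt, so PBKDF2-HMAC-SHA256 stands in for it; the accounts, wordlist and iteration count are constructed for the illustration.

```python
import hashlib
import hmac
import os


def mysql_password(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + upper-case hex of SHA1(SHA1(pw)).

    No salt and no work factor: equal passwords give equal hashes, and one
    precomputed table (or a web search) covers every user of every site.
    """
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


ITERATIONS = 200_000  # assumed work factor, chosen for the illustration


def salted_hash(password: str, salt=None) -> str:
    """Salted, iterated hash (stdlib PBKDF2-HMAC-SHA256 standing in for bcrypt)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed sample accounts; not taken from the leaked dump.
USERS = {"alice": "summer2011", "bob": "summer2011", "carol": "letmein"}

# Constructed stand-in for "google the hash": a table precomputed once from a
# small wordlist. A real attacker uses a far larger one, but the point is the
# same: a single table cracks every unsalted PASSWORD() hash ever produced.
WORDLIST = ["password", "123456", "qwerty", "letmein", "summer2011"]
LOOKUP = {mysql_password(w): w for w in WORDLIST}


def crack_unsalted(dump: dict) -> dict:
    """Map each user to the recovered password, or None if not in the table."""
    return {user: LOOKUP.get(h) for user, h in dump.items()}


def demo() -> dict:
    unsalted = {u: mysql_password(p) for u, p in USERS.items()}
    salted = {u: salted_hash(p) for u, p in USERS.items()}
    return {
        # alice and bob share a password: visible at a glance in the dump
        "unsalted_collide": unsalted["alice"] == unsalted["bob"],
        # with a per-user salt the same password yields unrelated strings
        "salted_collide": salted["alice"] == salted["bob"],
        # the whole dump falls to one table lookup
        "cracked": crack_unsalted(unsalted),
        # the same table is useless against the salted hashes
        "salted_in_table": any(h in LOOKUP for h in salted.values()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The salt does not need to be secret; it only has to be unique, so that an attacker who wants to use a wordlist must redo the work per user instead of looking up a table built once. The iteration count (or bcrypt's cost) is what makes each of those per-user attempts expensive.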

------
aw3c2
Clickable link to their posting: <http://pastebin.com/tkmZDG9m>

~~~
revorad
I never understood what the point of linking to such leaked data is. Surely,
you're not helping the situation?

~~~
schrototo
If it's out there, it's out there. People with bad intentions know how to find
it anyway. Meanwhile, the rest of us would like to check if any of our data
has been compromised. Hiding this stuff helps no one.

~~~
proexploit
Well, not "no one" but I do see your point somewhat. When it's out, it's out
and you can't make it private again but you can contain the exposure as much
as possible to keep the information in a minimum number of unauthorized hands.

~~~
tambourine_man
<http://en.wikipedia.org/wiki/Streisand_effect>

Trying to contain the exposure may actually make it worse.

~~~
Someone
Trying to contain is not the same as not helping to spread.

~~~
proexploit
Right, I'm not suggesting it's a good idea to try and hide all signs of leaked
details as I think that would be a futile effort, just arguing that re-sharing
leaked information isn't harmless.

------
jsz0
Each one of these high profile hacks makes me think we're inching closer to a
non-free Internet every day. How much longer will big business tolerate this
before they start calling in favors from their pets in congress? It's going to
start with something like mandatory minimum sentences for certain types of
computer crimes but who knows where it goes from there.

~~~
kahawe
I hate to say it but I think generally this "trend" has already started a few
years back when the "average joes" and non-techs started using the internet...
all of a sudden you have to deal with cyber mobbing etc.

Of course when big business gets hurt, they have more influence but still.

------
mcritz
I think I recognize the URL.

Isn't this a third-party server responsible for those "how was your shopping
experience today" pop-ups?

~~~
nbpoole
abs.apple.com resolves to 17.112.144.82, which appears to be part of an IP
range owned by Apple. It's possible that the server is running third-party
software, but it does appear to be hosted by Apple.

------
tomelders
um.... 27 usernames, some of which are system accounts. I'm guessing the rest
are the usernames of people with access to the data in whatever project that
db supported, which sources suggest was a survey of some sort.

Technically, yes, Apple was hacked. But realistically... no it wasn't.

------
rokhayakebe
The Boondock Saints of the Internet.

~~~
schrototo
Juvenile and lacking talent?

