Apple servers hacked by Anonymous (tuaw.com)
101 points by shawndumas 1982 days ago | 24 comments

"The passwords appear encrypted so there is little threat that others can abuse this account information."

This is nonsense, of course. Several of the hashes are googleable.

Sometimes I feel like web app security is still where unix security was 30 years ago. Before /etc/shadow.

(edit: and before setuid programs realised they should do privileged operations early then drop privs asap.)

Also, pastebin link because it's not included in the article: http://pastebin.com/tkmZDG9m

There are already good password hash algorithms available, like bcrypt. In particular, the problem of googleable hashes was solved long ago with salt. It is just that not all websites use them. To make things worse, it is hard to determine which password hash algorithm a site uses without having access to the source code.

The solution to a fundamentally-flawed security architecture is not a better hash algorithm, sorry.

bcrypt is good at what it does, but that is such a limited domain that it is insignificant next to the decades of security research and experience that many popular modern web apps blindly ignore.

What does bcrypt have to do with the principle of least privilege, for example?

Link to the actual tweet/pastebin instead of the clueless tech reporter blogspam who thinks 'Anonymous' has an official Twitter account and that MySQL PASSWORD() (SHA1 x2) hashed passwords have little threat of being abused.

Clickable link to their posting: http://pastebin.com/tkmZDG9m

Twenty-seven logins on a server that holds surveys? Is that everything?

How disappointing... but good enough for some scary headlines I am afraid.

I never understood what the point of linking to such leaked data is. Surely, you're not helping the situation?

If it's out there, it's out there. People with bad intentions know how to find it anyway. Meanwhile, the rest of us would like to check if any of our data has been compromised. Hiding this stuff helps no one.

Well, not "no one" but I do see your point somewhat. When it's out, it's out and you can't make it private again but you can contain the exposure as much as possible to keep the information in a minimum number of unauthorized hands.

Trying to contain the exposure may actually make it worse.

Trying to contain is not the same as not helping to spread.

Right, I'm not suggesting it's a good idea to try and hide all signs of leaked details as I think that would be a futile effort, just arguing that re-sharing leaked information isn't harmless.

The linked site had the URL in an image and I was curious what would be at the actual source, so I manually typed it from the image. I knew others would be doing the same so I simply shared it. Simple as that. ;-)

In a perfect world good journalism would mean linking to one's sources anyway.

The data's already been leaked. The URL of the leak was included in the article, except for reasons best known to the author, the URL was only shown as a jpeg. This just makes it clickable.

I generally assume it is so people can check if their usernames are present in said lists.

Once the cat is out of the bag, obscurity is more harmful than beneficial.

Each one of these high profile hacks makes me think we're inching closer to a non-free Internet every day. How much longer will big business tolerate this before they start calling in favors from their pets in Congress? It's going to start with something like mandatory minimum sentences for certain types of computer crimes, but who knows where it goes from there.

I hate to say it but I think generally this "trend" has already started a few years back when the "average joes" and non-techs started using the internet... all of a sudden you have to deal with cyber mobbing etc.

Of course when big business gets hurt, they have more influence but still.

I think I recognize the URL.

Isn't this a third-party server responsible for those "how was your shopping experience today" pop-ups?

abs.apple.com resolves to, which appears to be part of an IP range owned by Apple. It's possible that the server is running third-party software, but it does appear to be hosted by Apple.

Yes, it's the db related to their anonymous surveys apparently. [1]

[1] http://tech.fortune.cnn.com/2011/07/04/hackers-target-apple-...

edit: I don't believe it's third-party however. But the important takeaway here is that this isn't related to Apple's iTunes accounts; rather it's a survey.

um.... 27 usernames, some of which are system accounts. I'm guessing the rest are the usernames of people with access to the data in whatever project that db supported, which sources suggest was a survey of some sort.

Technically, yes, Apple was hacked. But realistically... no it wasn't.

The Boondock Saints of the Internet.

Juvenile and lacking talent?
