Linked by Thom Holwerda on Fri 17th Jun 2011 18:49 UTC
Privacy, Security, Encryption

Oh boy, what do we make of this? We haven't paid that much attention to the whole thing as of yet, but with a recent public statement on why they do what they do, I think it's about time to address this thing. Yes, Lulz Security, the hacking group (or whatever they are) that's been causing quite a bit of amok on the web lately.
Thread beginning with comment 477717
RE: ...
by Thom_Holwerda on Sat 18th Jun 2011 17:10 UTC in reply to "..."
Thom_Holwerda
Member since:
2005-06-29

"Hey LulzSec, I dare you to hack OSNews, I bet you can't."

Well, in all honesty - I did check with the team if our passwords (and yours) are all properly secured. I don't want to dive into specifics, but suffice it to say they are all properly encrypted ;) .

Edited 2011-06-18 17:12 UTC

Reply Parent Score: 1

RE[2]: ...
by Alfman on Sat 18th Jun 2011 19:42 in reply to "RE: ..."
Alfman Member since:
2011-01-28

Thom Holwerda,

"Well, in all honesty - I did check with the team if our passwords (and yours) are all properly secured. I don't want to dive into specifics,"

Ah, security by obscurity then. (just kidding Thom)

" but suffice it to say they are all properly encrypted ;) ."

Well, not exactly, since it's over plain HTTP.

If hackers did get in, they could alter anything in the database. They could install keyloggers or modify the hashing function such that they are able to decrypt passwords easily.

Am I right in thinking it's extremely unlikely that you'd notice?

Even a single XSS vulnerability would give an attacker the opportunity to steal your credentials if you follow a malicious link.

If you were a high profile target, it'd probably be worth hiring someone else to do penetration testing, which most companies fail to do.

Many companies around here don't even want to pay to fix known vulnerabilities. Like Sony, a theoretical attack vector isn't important until it has been actively exploited.

Reply Parent Score: 3
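The comment above raises two concrete risks: a single XSS bug leaking a logged-in user's credentials, and session data travelling over plain HTTP. The following is an added example (not OSNews code; the renderer names, cookie name and sample comment are all constructed for the demo) showing the vulnerable rendering pattern beside its hardened form, plus a session cookie marked so that page scripts cannot read it and it is never sent over an unencrypted connection.

```python
# Added example (not OSNews code): rendering untrusted comment text safely and
# marking the session cookie so a script cannot read it and it is never sent
# over plain HTTP. Function names and the sample comment are constructed.
import html
from http.cookies import SimpleCookie

# Constructed sample: a comment body that carries markup instead of plain text.
SAMPLE_COMMENT = "Nice article <script>/* injected */</script>"


def render_comment_unsafe(author: str, body: str) -> str:
    """Vulnerable: untrusted text is pasted straight into the HTML."""
    return f"<div class='comment'><b>{author}</b>: {body}</div>"


def render_comment_safe(author: str, body: str) -> str:
    """Hardened: every untrusted value is HTML-escaped, so '<' becomes '&lt;'
    and the browser shows the markup as text instead of executing it."""
    return (
        f"<div class='comment'><b>{html.escape(author, quote=True)}</b>: "
        f"{html.escape(body, quote=True)}</div>"
    )


def session_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie value for a session token.

    HttpOnly keeps document.cookie from reading it (limits what an XSS can
    exfiltrate), Secure keeps it off plain HTTP, SameSite=Lax blunts CSRF.
    """
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


def contains_live_script(markup: str) -> bool:
    """Demo check: does the rendered HTML still contain a real <script tag?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_comment_unsafe("alice", SAMPLE_COMMENT))
    print(render_comment_safe("alice", SAMPLE_COMMENT))
    print("Set-Cookie:", session_cookie_header("constructed-session-id"))
```

Escaping at output time is the fix for the XSS half of the comment; the cookie flags limit the damage when an escape is missed somewhere, and the Secure flag only has any effect once the site actually serves logins over HTTPS.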

RE[2]: ...
by Alfman on Sat 18th Jun 2011 20:31 in reply to "RE: ..."
Alfman Member since:
2011-01-28

Thom Holwerda,

Another point to make is that by allowing third parties to execute code on your web pages, you've implicitly given them access to our credentials as well.


For example, your pages are running scripts from Google AdSense, Google Analytics and Quantcast. Any one of these could target OSNews users if they wanted to and capture credentials without even touching anything on the site.

I'm often a little surprised how little this bothers people.

Reply Parent Score: 3

RE[3]: ...
by Lennie on Sun 19th Jun 2011 10:02 in reply to "RE[2]: ..."
Lennie Member since:
2007-09-22

Oh really? I didn't see them. ;-)

Sorry OSnews crew, I would like to see them. :-(

Really I do, although they can be a bit distracting at times.

But scripts loading from other sites and document.write just don't cut it for me. They affect performance and security a tad too much for my liking.

I block every external file with a plugin right now, which is highly annoying with people adding more and more domains to their site and loading jQuery and its plugins and more of the same from Google, Microsoft and Yahoo.

Still, I do run those ads on my own site though. :-(

They are at the bottom of the page, where they have the least impact on performance.

The site makes less money than the hosting would cost, but that is currently free for us, and so is the site for the users.

I wish SPDY/HTTPS/SNI were in widespread use; that would really help to speed up websites and make them secure, and there would be no need to use HTTP like Alfman mentioned above.

While I'm talking things which could be really improved, the Certificate Authority system (as used by HTTPS and friends) could really be improved by the use of DNSSEC.

So now this comment is long enough. :-)

Edited 2011-06-19 10:09 UTC

Reply Parent Score: 2
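Alfman's second comment (third-party scripts can read whatever the page can) and Lennie's reply (blocking external files outright) both come down to controlling which script bytes a page will execute. As an added example, not code from OSNews or from any of the ad networks named, the block below shows the two browser mechanisms a site operator has for that: a Subresource Integrity hash that pins a third-party script to exact bytes, and a Content-Security-Policy header that limits which origins may supply scripts at all. The script body and host names are constructed.

```python
# Added example (not OSNews' or any vendor's code): pinning a third-party
# script with Subresource Integrity (SRI) and restricting script origins with
# a Content-Security-Policy (CSP). Script body and host names are constructed.
import base64
import hashlib
import hmac

# Constructed stand-in for a script the page would fetch from a third-party host.
VENDOR_SCRIPT = b"window.trackPage = function () { /* vendor code */ };\n"


def sri_integrity(content: bytes, algo: str = "sha384") -> str:
    """Return the value for a <script integrity="..."> attribute: algo-base64(digest)."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """Re-hash fetched bytes and compare against the pinned value; this is the
    check a browser performs before it executes the script."""
    algo, _, expected = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False
    actual = base64.b64encode(hashlib.new(algo, content).digest()).decode("ascii")
    return hmac.compare_digest(actual, expected)


def script_tag(src: str, integrity: str) -> str:
    """Emit a script tag the browser refuses to run if the bytes change.
    crossorigin="anonymous" is required for SRI on cross-origin resources."""
    return (
        f'<script src="{src}" integrity="{integrity}" '
        f'crossorigin="anonymous"></script>'
    )


def csp_header(script_hosts: list) -> str:
    """Build a CSP allowing scripts only from the page's own origin and the
    listed hosts. Inline scripts, including anything added via document.write
    from an unlisted origin, are blocked."""
    sources = " ".join(["'self'"] + list(script_hosts))
    return (
        f"default-src 'self'; script-src {sources}; "
        f"object-src 'none'; base-uri 'self'"
    )


if __name__ == "__main__":
    pin = sri_integrity(VENDOR_SCRIPT)
    print(script_tag("https://cdn.example.invalid/vendor.js", pin))
    print("Content-Security-Policy:", csp_header(["https://cdn.example.invalid"]))
    print("tampered copy accepted:", sri_matches(VENDOR_SCRIPT + b"//x", pin))
```

Two caveats a practitioner would note: SRI only works for scripts whose bytes never change, which rules out most ad and analytics loaders that are regenerated server-side, and a CSP does not sandbox a host it allows; a listed third-party script still runs with full access to the page, which is exactly Alfman's point.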

RE[2]: ...
by Soulbender on Sun 19th Jun 2011 19:06 in reply to "RE: ..."
Soulbender Member since:
2005-08-18

"but suffice it to say they are all properly encrypted"

I certainly hope you mean hashed, rather than encrypted.

Reply Parent Score: 2
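Soulbender's "hashed, rather than encrypted" distinction, and Alfman's earlier worry that an intruder could tamper with the hashing function, are both about the same property: a stored password should be something the server itself cannot turn back into the password. The following is an added example, not OSNews code, using the standard library's PBKDF2 with a random per-user salt and constant-time comparison; the iteration count and the storage format are illustrative choices.

```python
# Added example (not OSNews code): salted, slow, one-way password storage.
# A reversible "encrypted" password can be recovered by anyone holding the
# key; a salted hash can only be checked, never decrypted. Parameters and the
# storage format below are illustrative.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # illustrative PBKDF2-HMAC-SHA256 work factor


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A fresh random salt per user means two users with the same password get
    different stored values, so a precomputed table is useless.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count and compare in
    constant time. Malformed records are rejected rather than raising."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:
        return False
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed demo password
    print(record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
```

Where a dedicated library is available, bcrypt, scrypt or Argon2 are the usual choices over PBKDF2. None of this helps with the scenario Alfman describes, though: an intruder who can change the login code can log the plaintext as it arrives, which is why write access to the application is the thing to detect, not just the database.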

RE[3]: ...
by Lennie on Sun 19th Jun 2011 23:30 in reply to "RE[2]: ..."
Lennie Member since:
2007-09-22

I've got a feeling Thom doesn't know the difference, so you are actually asking the wrong person.

Reply Parent Score: 2