Hacked FTP passwords?
06-06-2007, 01:31 PM
Post: #21
Hacked FTP passwords?
I can't leave well enough alone...

Quote:You SHOULD be changing your passwords on a regular basis anyway, regardless of whether or not there's a problem. You SHOULDN'T use the same PW for everything. These very simple facts existed long before Dreamhost.
Yes, you should, and I do. This doesn't mean Dreamhost should assume this is done by everyone. Combating your simplified analogy with another - if there were a rash of break-ins in your neighborhood that were recently discovered by the police, wouldn't you expect the police to get the word out to other folks in the neighborhood? Sure, you should always lock your door at night, but a little reminder doesn't hurt, right?

If I hadn't read DaringFireball this morning, I'd have no idea anything was going on. I'm sorry - that's just WRONG. I should have an Email from Dreamhost encouraging me to be vigilant and to change my hosting password. It's clear they don't fully understand this issue at this point so limiting their notification doesn't make any sense (and seems to have failed in at least 1 case).
06-06-2007, 01:45 PM
Post: #22
Hacked FTP passwords?
Quote:I can't leave well enough alone...
Just add that to the list of other things you can't do, like change passwords on a regular basis without being told to do so.

Quote:This doesn't mean Dreamhost should assume this is done by everyone.
I can't say I'm surprised that you think it's DH's fault that some people are stupid.

Quote:Combating your simplified analogy with another - if there were a rash of break-ins in your neighborhood that were recently discovered by the police, wouldn't you expect the police to get the word out to other folks in the neighborhood?
Uh, no. I have never in my life received a call from the police when another house was robbed.

And I don't use that fact as a reason to be too stupid to leave my home unlocked, not use the alarm, etc...

Quote:It's clear they don't fully understand this issue
It's clear that you don't. IT IS COMMON SENSE.

And a few random blog posts don't change reality. They're already losing accuracy and leaving out important details... not surprised. One has already reworded it to 3,500 customers. 3,500 FTP users isn't the same as 3,500 customers, since a single account can have up to 775 FTP users. Also leaving out the part where only a small percentage of those were even touched.

Sounds like you're just more interested in reading blog drama than actually doing anything yourself to be more secure. Knock yourself out.

--------------------------------------------------------
:P Save up to $96 at Dreamhost with ALMOST97 promo code (I get $1).
Or save $97 with THEFULL97.
06-06-2007, 02:52 PM
Post: #23
Hacked FTP passwords?
It's not clear to me if these passwords were obtained through gaining access to password files or packet sniffing on DH's network (or something similar). If it wasn't packet sniffing those who restrict their interactions to ssh/sftp would also potentially be affected. Has that been talked about by the DH folks?

dprior wrote:

Quote:It's always humorous to me to see responses to people who criticize
Dreamhost. Me pointing out that DH should post a notice on the Status
blog because it's wise for ALL users to change their passwords was not a
direct attack on Dreamhost. I was not telling everyone to go get a new
host. I was simply pointing out what I believed to be in error in their
handling of this incident.

Yet all I get is "only stupid people do x." "You should be doing that on
a regular basis anyway", etc. I wasn't aware this was a fan forum...

Indeed. There is a group in whose eyes DH can do no wrong. _Any_ criticism of DH, whether justified or not, is met with blame shifting or insults. I wonder if there's any outwardly observable characteristic of that group. Hmmmmm.

"It is difficult to get a man to understand something when his salary
depends on his not understanding it."
--Upton Sinclair
06-06-2007, 03:01 PM
Post: #24
Hacked FTP passwords?
Well, it's a good point to change your passwords on a regular basis...one of my users had not changed passwords since 2003...ugh.

I have changed all, I just used the create a password for me and wrote them all down (I didn't have them all written down anywhere too, and some I was able to delete.)

I don't think dreamhost needed to announce what happened..and none of my accounts were suspect of being one of the ftp users compromised...but I happily changed them all.
06-06-2007, 03:08 PM
Post: #25
Hacked FTP passwords?
Quote:Indeed. There is a group in whose eyes DH can do no wrong. _Any_ criticism of DH, whether justified or not, is met with blame shifting or insults.
That's a good observation, but I've also noticed that anyone who *ever* speaks up in support of DH during some of the "drive-by" bashes that occur generally gets lumped into that group, irrespective of prior history where they themselves *have* been critical of Dreamhost. ;)

I am very happy with DH, and often object when I think their motives and/or service is unreasonably or unfairly criticized, but I have also been critical myself when I think it is appropriate - though most seem to never remember any of *those* posts.
Quote:I wonder if there's any outwardly observable characteristic of that group. Hmmmmm.
Probably...while it might be the "third leg" or a "nipple on their back", those characteristics are a bit hard to see over the net. A more easily identifiable trait, that you *can* see on the forums, might be their level of participation - oddly enough many of them spend quite a lot of time trying to help others with their DH related problems (and *some* of their time "sniping" at others).

I understand that this probably looks strange to those who only come to the forums when there is an issue and things are "hot and heavy", and *everybody* seems to be frustrated and unhappy (after all, that's why they are *here*, right?), but to those that "hang out" here, those times are just transient moments that make up a *small* part of their activity in the forums.

--rlparker
06-06-2007, 03:11 PM
Post: #26
Hacked FTP passwords?
Quote:I don't see any advantage or purpose for posting it there - they
already directly notified by email all those even potentially
affected.

Actually, even though a relatively small portion of the DreamHost-using community was directly impacted, there is (understandably) legitimate concern over the security of other peoples' accounts.

Also, in our experience, when there is a lack of information people tend to jump to fill in the blanks and jump to conclusions. That's something we'd like to avoid.

So, we will be posting to dreamhoststatus.com once we get a bit further into our own investigation.

I can't provide details just yet, but I can say that we have already made changes to the portions of our system that we believe were exploited. We've found a handful of other potential (thus far unexploited) holes that have also been fixed.

In any case, more information will be forthcoming.

- Jeff @ DreamHost
- DH Discussion Forum Admin
06-06-2007, 03:12 PM
Post: #27
Hacked FTP passwords?
Quote:Indeed. There is a group in whose eyes DH can do no wrong. _Any_ criticism of DH, whether justified or not, is met with blame shifting or insults.
Indeed. There is a group in whose eyes DH can do no right. _Any_ praise of DH, whether justified or not, is met with whining or crying.

--------------------------------------------------------
:P Save up to $96 at Dreamhost with ALMOST97 promo code (I get $1).
Or save $97 with THEFULL97.
06-06-2007, 03:21 PM
Post: #28
Hacked FTP passwords?
Quote:Actually, even though a relatively small portion of the DreamHost-using community was directly impacted, there is (understandably) legitimate concern over the security of other peoples' accounts....So, we will be posting to dreamhoststatus.com once we get a bit further into our own investigation.
Given the now widespread publicity of the situation, and the justifiable concerns expressed, I think it is *definitely* a good thing to do... I'm not so sure it was needed earlier, but it sure is *now*! :O

It is always helpful when DH "speaks"; obviously, I'm rooting for you guys to get it all sorted! :)

--rlparker
06-06-2007, 03:31 PM
Post: #29
Hacked FTP passwords?
I haven't received any email so I don't think my sites have been hacked.

However, there is a problem with Dreamhost sending an email to my gmail account - I always assume that it reaches me 1-2 days later from when they posted it =/
06-06-2007, 03:32 PM
Post: #30
Hacked FTP passwords?
A data point: I had previously checked a site for modifications and found none (we like subversion - made that part easy). Shelling in and doing a 'last' confirmed that this site had been accessed by intruders via ftp.

This site is _never_ accessed via ftp. All file transfers, etc. are done with secure protocols (sftp/ssh) so don't assume that since you don't access your site with ftp you're safe.

The intruders must have gained access to the password files somehow. This raises the possibility that email or other passwords were compromised too.
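
The check described in post #30 (running `last` and looking for FTP sessions on an account that is only ever accessed over sftp/ssh), written out as an added example that is not part of any post in this thread. It assumes the FTP daemon records sessions in wtmp with a tty field beginning "ftp"; the function names, the sample output and the addresses in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: list FTP sessions recorded in wtmp, as shown by `last`.
# Assumption: the FTP daemon logs to wtmp with a tty field starting "ftp"
# (for example "ftpd20731"); daemons that do not write wtmp will not appear.

# ftp_sessions: read default-format `last` output on stdin and print
# "user host count" for every FTP session, sorted.
ftp_sessions() {
    awk '$2 ~ /^ftp/ { seen[$1 " " $3]++ }
         END { for (k in seen) print k, seen[k] }' | sort
}

# unexpected_ftp: same, minus hosts in the space-separated allowlist ($1).
# Pass "" when the account never uses FTP, so every session is reported.
unexpected_ftp() {
    allow=" $1 "
    ftp_sessions | while read -r user host count; do
        case "$allow" in
            *" $host "*) ;;   # known host, skip
            *) printf '%s %s %s\n' "$user" "$host" "$count" ;;
        esac
    done
}

# Constructed sample of `last` output (documentation addresses, not real data).
SAMPLE='exampleuser ftpd20731    198.51.100.23    Tue Jun  5 03:14 - 03:15  (00:01)
exampleuser pts/3        192.0.2.10       Tue Jun  5 09:02 - 09:40  (00:38)
exampleuser ftpd20988    198.51.100.23    Tue Jun  5 03:41 - 03:41  (00:00)
exampleuser ftpd4410     203.0.113.50     Mon Jun  4 22:10 - 22:12  (00:02)
reboot   system boot  2.6.18           Sun Jun  3 01:00 - 12:00 (2+11:00)

wtmp begins Fri Jun  1 00:00:01 2007'

# On a live host: last | unexpected_ftp ""
printf '%s\n' "$SAMPLE" | unexpected_ftp "203.0.113.50"
```

The default `last` format truncates long hostnames; `last -i` prints IP addresses instead, which makes the host column easier to compare against an allowlist.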