Changes between Version 1 and Version 2 of TracSecurityOverview


Timestamp: 2010-01-09T16:58:41Z
Author: zooko
Comment: link to the Twitter incident

  • TracSecurityOverview

    v1 v2  
    66== Recommendations ==
    77
    8   * Don't use a password which you use elsewhere.  (See: Twitter incident)  [FIXME: Find ref.]
     8  * Don't use a password which you use elsewhere.  (See: [http://testgrid.allmydata.org:3567/file/URI:CHK:nm72blax6oqt3fui3dnrhahszq:wcpjaneyqzf4bw752izfey44abql6ywync2vweejsmnohyiwkkia:3:10:275196/@@named=/the-anatomy-of-the-twitter-attack.html Twitter incident]) (the short story is that there were no technical security flaws, but users used the same creds on an "unimportant" service as well as a different critical service, so the attacker could escalate the attack across services.)
    99  * Don't expect the ticket database to be non-corrupt or reliable or persistent.
    1010    * Backup the ticket database and wiki pages regularly!  Use snapshots so corruption does not overwrite correct data.
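Review bot: the citation added to the first Recommendations bullet points at a Tahoe read cap served by the test grid (http://testgrid.allmydata.org:3567/...), so the reference goes dead if that grid is reset; add the original title and author of the write-up ("the-anatomy-of-the-twitter-attack") inline so the citation stays usable on its own, and consider moving the long parenthetical summary into its own sentence so the bullet stays readable. The summary ("no technical security flaws ... escalate the attack across services") is a fair statement of why password reuse matters, but it should be clearly attributed to the cited write-up rather than read as the page's own finding.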
     
    2626  * Search for existing Trac security references.
    2727  * Verify that plaintext passwords are stored.
    28   * Find Twitter incident ref (the short story is that there were no technical security flaws, but users used the same creds on an "unimportant" service as well as a different critical service, so the attacker could escalate the attack across services.)
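Review bot: dropping the "Find Twitter incident ref" TODO is consistent with the link added under Recommendations, but the remaining TODO on the line above, "Verify that plaintext passwords are stored", reads as if plaintext storage were the desired state; rewording it to something like "Verify whether Trac stores passwords in plaintext" makes the intent (an audit item, not a requirement) unambiguous.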